/**
 * APIRequest::post_data() must return exactly the call data held by this test case.
 */
public function test_post_data()
{
    $expected = $this->call_data;
    $actual = \V1\APIRequest::post_data();

    // assertSame() compares type as well as value, so a coerced copy does not pass.
    $this->assertSame($expected, $actual);
}
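/**
 * Validate the signature for the call
 *
 * Rebuilds the string the client is expected to have signed (nonce, timestamp,
 * consumer key, decoded consumer secret and the encoded request body, sorted by
 * key), computes its HMAC-SHA256 keyed with the consumer secret, and compares
 * the result with the signature supplied in the header.
 *
 * Fails closed: a missing or non-scalar token, a signature that is not valid
 * base64, an unknown account, or a secret that cannot be decoded all yield false.
 *
 * NOTE(review): the nonce and timestamp are bound into the signature here, but
 * this method does not check timestamp freshness or nonce reuse - confirm that
 * replay protection is enforced by the caller.
 *
 * @param array $tokens The OAuth tokens from the header
 * @return boolean True if valid, false if invalid
 */
protected static function valid_signature($tokens)
{
    // Every one of these tokens is indexed below; a header that lacks one (or
    // carries an array in its place) can never produce a valid signature.
    foreach (array('oauth_signature', 'oauth_consumer_key', 'oauth_nonce', 'oauth_timestamp') as $required) {
        if (!isset($tokens[$required]) || !is_scalar($tokens[$required])) {
            return false;
        }
    }

    // Decode the signature, or fail. Strict mode is what makes base64_decode()
    // return false on malformed input; the check must happen before urldecode(),
    // which always returns a string and would otherwise hide the failure.
    $raw_sig = base64_decode((string) $tokens['oauth_signature'], true);

    if ($raw_sig === false) {
        return false;
    }

    $decoded_sig = urldecode($raw_sig);

    // Grab the account data so we have a copy of the customer's secret key.
    $account_data = \V1\Model\Account::get_account($tokens['oauth_consumer_key']);

    // If the account is invalid, fail.
    if (empty($account_data) || !isset($account_data['consumer_secret'])) {
        return false;
    }

    $secret = \Crypt::decode($account_data['consumer_secret']);

    // Never compute the HMAC with a missing or empty key: the result would no
    // longer depend on anything secret.
    if (!is_string($secret) || $secret === '') {
        return false;
    }

    // Reconstruct the data to build the signature.
    $oauth = array(
        'oauth_nonce'           => $tokens['oauth_nonce'],
        'oauth_timestamp'       => $tokens['oauth_timestamp'],
        'oauth_consumer_key'    => $tokens['oauth_consumer_key'],
        'oauth_consumer_secret' => $secret,
        'body'                  => urlencode(urlencode(base64_encode(json_encode(\V1\APIRequest::post_data())))),
    );

    // Sort by key so the signed string does not depend on insertion order.
    ksort($oauth);

    $oauth_encoded = array();

    foreach ($oauth as $key => $value) {
        $oauth_encoded[] = $key . '=' . $value;
    }

    // Now we have the string to make the hash
    $signed_string = urlencode(implode('&', $oauth_encoded));

    // Final product
    $hash = hash_hmac('sha256', $signed_string, $secret);

    // Constant-time comparison, so response timing does not reveal how much of
    // the supplied signature matched the expected one.
    return hash_equals($hash, $decoded_sig);
}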