/**
 * Checks that \V1\APIRequest::post_data() hands back exactly the data held
 * in $this->call_data (assertSame compares with ===, so type and value must match).
 */
public function test_post_data()
 {
     $expected = $this->call_data;
     $actual = \V1\APIRequest::post_data();

     $this->assertSame($expected, $actual);
 }
예제 #2
 /**
  * Validate the signature for the call
  * 
  * @param array $tokens The OAuth tokens from the header
  * @return boolean True if valid, false if invalid
  */
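 protected static function valid_signature($tokens)
 {
     // Every token below feeds the signature base string. Reject the call outright when
     // one is absent or not a scalar, rather than signing over null values.
     if (!is_array($tokens)) {
         return false;
     }
     foreach (array('oauth_signature', 'oauth_consumer_key', 'oauth_nonce', 'oauth_timestamp') as $required) {
         if (!isset($tokens[$required]) || !is_scalar($tokens[$required])) {
             return false;
         }
     }

     // Decode the signature, or fail. base64_decode() is the only step that can report
     // failure (urldecode() always returns a string), so its result is tested before
     // URL-decoding. Non-strict decoding is kept so the accepted inputs do not change;
     // the HMAC comparison at the end decides validity.
     $raw_sig = base64_decode((string) $tokens['oauth_signature']);
     if ($raw_sig === false) {
         return false;
     }
     $decoded_sig = urldecode($raw_sig);

     // Grab the account data so we have a copy of the customer's secret key.
     $account_data = \V1\Model\Account::get_account($tokens['oauth_consumer_key']);
     // If the account is invalid, fail.
     if (empty($account_data)) {
         return false;
     }

     $secret = \Crypt::decode($account_data['consumer_secret']);
     // Fail closed when no usable secret comes back: hash_hmac() would otherwise be keyed
     // with an empty string, and such a signature can be computed without knowing any secret.
     if (!is_string($secret) || $secret === '') {
         return false;
     }

     // NOTE(review): nothing in this method checks that oauth_timestamp is recent or that
     // oauth_nonce has not been seen before, so a captured valid request stays valid here.
     // Confirm the caller enforces both.

     // Reconstruct the data to build the signature. The field set and the double
     // URL-encoding of the body are the wire format clients sign, so they stay as they are.
     $oauth = array(
         'oauth_nonce' => $tokens['oauth_nonce'],
         'oauth_timestamp' => $tokens['oauth_timestamp'],
         'oauth_consumer_key' => $tokens['oauth_consumer_key'],
         'oauth_consumer_secret' => $secret,
         'body' => urlencode(urlencode(base64_encode(json_encode(\V1\APIRequest::post_data())))),
     );
     ksort($oauth);

     $oauth_encoded = array();
     foreach ($oauth as $key => $value) {
         $oauth_encoded[] = $key . '=' . $value;
     }

     // Now we have the string to make the hash
     $signed_string = urlencode(implode('&', $oauth_encoded));
     // Final product
     $hash = hash_hmac('sha256', $signed_string, $secret);

     // Compare in constant time: === stops at the first differing byte, which leaks how
     // much of a guessed signature was correct.
     if (function_exists('hash_equals')) {
         return hash_equals($hash, $decoded_sig);
     }

     // Fallback for PHP versions without hash_equals(). The expected length is fixed by
     // the hash algorithm, so rejecting on a length mismatch reveals nothing secret.
     $length = strlen($hash);
     if ($length !== strlen($decoded_sig)) {
         return false;
     }
     $diff = 0;
     for ($i = 0; $i < $length; $i++) {
         $diff |= ord($hash[$i]) ^ ord($decoded_sig[$i]);
     }

     return $diff === 0;
 }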