From: Florian Forster
Date: Tue, 16 Jan 2018 19:24:49 +0000 (+0100)
Subject: Package fitbit: Don't URL-decode Fitbit's signature.
X-Git-Url: https://git.verplant.org/?a=commitdiff_plain;h=e99826bfa13306dda3897d3490969032b8aa13f5;p=kraftakt.git

Package fitbit: Don't URL-decode Fitbit's signature.

The documentation states that that should be done, but then the signature may include "+", which URL decode turns into a space …
---
diff --git a/fitbit/fitbit.go b/fitbit/fitbit.go
index f871604..2c0a04a 100644
--- a/fitbit/fitbit.go
+++ b/fitbit/fitbit.go
@@ -9,7 +9,6 @@ import (
 "fmt"
 "io/ioutil"
 "net/http"
- "net/url"
 "time"
 "github.com/octo/gfitsync/app"
@@ -46,14 +45,9 @@ func ParseToken(ctx context.Context, r *http.Request, u *app.User) error {
 }
 func CheckSignature(ctx context.Context, payload []byte, rawSig string) bool {
- base64Sig, err := url.QueryUnescape(rawSig)
+ signatureGot, err := base64.StdEncoding.DecodeString(rawSig)
 if err != nil {
- log.Errorf(ctx, "QueryUnescape(%q) = %v", rawSig, err)
- return false
- }
- signatureGot, err := base64.StdEncoding.DecodeString(base64Sig)
- if err != nil {
- log.Errorf(ctx, "base64.StdEncoding.DecodeString(%q) = %v", base64Sig, err)
+ log.Errorf(ctx, "base64.StdEncoding.DecodeString(%q) = %v", rawSig, err)
 return false
 }
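Review bot: The reason `CheckSignature` skips the URL-decode step is recorded only in the commit message, so a maintainer following Fitbit's documentation could reintroduce `url.QueryUnescape` at the decode call and start rejecting every valid signature that contains `+`. I would state the rationale at the `base64.StdEncoding.DecodeString(rawSig)` line, e.g. `// Deliberately not URL-decoded, contrary to Fitbit's docs: base64 may contain "+", which QueryUnescape turns into a space.`, and add a doc comment on the exported function saying that `rawSig` is the header value exactly as received. A regression test using a signature that contains `+` would pin the behaviour. The function body continues past the hunk, so the comparison of `signatureGot` with the locally computed value is not visible here; it is worth confirming that it uses `hmac.Equal` rather than `bytes.Equal` so the check runs in constant time.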