Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

But the returned signed string will be an HMAC-SHA256 hash, won't it? Then there's not going to be any '\n' or '\\n's in there. Only thing you'll be able to tell is if it matches your hash or not, in which case 'OK' or 'not OK' will work just as well.

Or am I misunderstanding you?



You are indeed misunderstanding me. I am talking about returning the entire string to be signed. Not the result of the signature.


Ah, my bad. Sorry.

But couldn't you then just make the call to an echo service (like HTTPbin) or simply dump the request when you send it?


The echo server will have no knowledge on how to construct the string to be signed.


But neither does the actual server. HMAC only verifies that the message is from whoever it claims to be from and that it is intact. It won't know what you intended the body of the request to look like.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: