Signing response for jsConnect

This discussion is related to the Vanilla jsConnect addon.

I am writing this after an hour of working on a problem like: "Why can some people log in to the forum through jsConnect, and others not?"
I found the reason and now want to understand something.

There is such text in the documentation about signing the response -

Url encode the sorted user with RFC1738 (a fancy way of saying make it a query string). This gives you your signature string.

And after this the doc has an example encoded url -

signature_string = "email=johndoe%40noreply.com&name=John+Doe&photourl=http%3A%2F%2Fnosite.com%2Fjohndoe.png&uniqueid=1234"; - See more at: http://vanillaforums.com/blog/jsconnect-technical-documentation/#sthash.6fFhJGqd.dpuf

And what we can see here is that you encode the white-space in the name parameter as "+", although RFC1738 says to encode white-space as "%20". To explain: we have the name "John Doe"; you encoded it as "John+Doe", although according to RFC1738 it must be "John%20Doe".
So it is obvious that the signature will be different in these two cases. In our project this leads to the error "Signature invalid." for users who have white-spaces in their names, and for others it works fine.

I did not try any of your ready modules (for PHP, Ruby, Java, .NET) as we are using Perl, but maybe these modules have such problems too.

Or is there something wrong in my mind? :)
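
An added example (not part of the original post, and not Vanilla's own code) that reproduces the mismatch described above: the documented signature string uses `+` for the space, a strict percent-encoder emits `%20`, and the two digests differ only for names that contain a space. The secret is a constructed value, and the digest step (MD5 over the signature string followed by the secret) is an assumption; the thread does not show it.

```python
import hashlib
import hmac
from urllib.parse import quote, quote_plus, urlencode

SECRET = "constructed-secret"  # constructed sample value, not a real key

# The user from the documentation example quoted in the post.
SAMPLE_USER = {
    "uniqueid": "1234",
    "name": "John Doe",
    "email": "johndoe@noreply.com",
    "photourl": "http://nosite.com/johndoe.png",
}


def signature_string(user, space_as_plus=True):
    """Sort the fields by key and join them as a query string.

    space_as_plus=True  -> form encoding, space becomes "+"
    space_as_plus=False -> percent encoding, space becomes "%20"
    """
    quote_via = quote_plus if space_as_plus else quote
    return urlencode(sorted(user.items()), quote_via=quote_via)


def sign(user, secret, space_as_plus=True):
    # Assumption: digest = MD5(signature_string + secret).
    data = signature_string(user, space_as_plus) + secret
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def verify(user, secret, presented):
    """Recompute with the "+" form, as in the documented example string."""
    expected = sign(user, secret, space_as_plus=True)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    no_space = dict(SAMPLE_USER, name="JohnDoe")
    for label, user in (("with space", SAMPLE_USER), ("no space", no_space)):
        for plus in (True, False):
            sig = sign(user, SECRET, space_as_plus=plus)
            enc = "+" if plus else "%20"
            ok = verify(user, SECRET, sig)
            print(f"{label:10} client uses {enc:3} -> valid={ok}")
```

Whichever form is chosen, the signer and the verifier have to use the same one, which is why the failure shows up only for users whose names contain a space.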

Comments

  • Todd Chief Product Officer Vanilla Staff

    I do believe that a space encoded as a + is rfc1738 and a space as a %20 is rfc3986.

    hgtonight
  • hai,

    I updated Vanilla 2.0.18 to 2.1, after which jsConnect will not work.

    I am getting this error "signature is required."
