/sign fails to authenticate #105
Can you provide the command you are using to sign?
It looks like this is an encoding error, possibly in kr/fernet. If you replace the '_' with some alphanumeric character (for both the l2met process and the curl command) everything just works. So far I can't get auth to work with '+' or '_' in the SECRETS env.
@mikehale so is it a problem with the command used to generate SECRETS?
I'm not sure. Ruby properly URL encodes/decodes strings that l2met/fernet has trouble with. I'm not certain which is out of spec.
This shows that in ruby decoding an encoded string returns the original string:
I suspect this problem may be with the way that l2met is decoding the authorization header. You can see the call to decode here: https://github.com/ryandotsmith/l2met/blob/master/auth/auth.go#L53 Notice I am using the base64 pkg's StdEncoding variable. I noticed that there is a URLEncoding variable that will handle the URL-safe versions of base64. I am going to research and test the different implementations to see if URLEncoding provides a more robust implementation of header parsing.
Using URLEncoding did not solve the problem. After some more digging, I may have uncovered a bug in kr/fernet. Here is my bug report. fernet/fernet-go#5
Related: #105 Use the URL-safe version of base64 decoding. Don't break when comparing secret keys to avert possible timing attacks. Add tests for auth parsing.
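The two points raised above (decoding the Authorization header with the standard base64 alphabet, which rejects the '-' and '_' characters of the URL-safe alphabet, and comparing secrets without an early exit) can be shown in a few lines of Go. The following is an added example written for this thread, not l2met's own auth.go; the helper names decodeBase64, parseBasicAuth and authorize and the sample credentials are assumptions made up here.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// decodeBase64 tries the standard alphabet first and falls back to the
// URL-safe alphabet, which uses '-' and '_' in place of '+' and '/'.
// Hypothetical helper written for this example, not l2met's own code.
func decodeBase64(s string) ([]byte, error) {
	if b, err := base64.StdEncoding.DecodeString(s); err == nil {
		return b, nil
	}
	return base64.URLEncoding.DecodeString(s)
}

// parseBasicAuth splits a "Basic <base64(user:password)>" header value
// into its user and password parts.
func parseBasicAuth(header string) (user, pass string, err error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", errors.New("not a Basic auth header")
	}
	raw, err := decodeBase64(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", err
	}
	i := strings.IndexByte(string(raw), ':')
	if i < 0 {
		return "", "", errors.New("malformed credentials")
	}
	return string(raw[:i]), string(raw[i+1:]), nil
}

// authorize checks the presented password against every configured secret
// in constant time and without breaking out of the loop, so neither the
// comparison nor the position of the matching secret leaks through timing.
func authorize(header string, secrets []string) bool {
	_, pass, err := parseBasicAuth(header)
	if err != nil {
		return false
	}
	ok := false
	for _, s := range secrets {
		// ConstantTimeCompare returns 1 only when length and content match.
		if subtle.ConstantTimeCompare([]byte(pass), []byte(s)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed sample: a secret of "???" encodes to "dXNlcjo/Pz8=" with the
	// standard alphabet but "dXNlcjo_Pz8=" with the URL-safe one.
	token := base64.URLEncoding.EncodeToString([]byte("user:???"))
	if _, err := base64.StdEncoding.DecodeString(token); err != nil {
		fmt.Println("StdEncoding rejects the URL-safe token:", err)
	}
	fmt.Println("authorized:", authorize("Basic "+token, []string{"other", "???"}))
}
```

The fallback order matters: a token that decodes under the standard alphabet is accepted as-is, and only a token containing '-' or '_' reaches the URL-safe decoder, so existing clients keep working while the failure described in this issue goes away on the parsing side.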
Was seeing this as well using the It failed 5 times in a row for me (I manually wiped the repo and heroku app each time). I increased the sleep in the script to 5, then it worked (not sure if there's a correlation).
Related #105 Related #114 There is an outstanding issue (#115) with the pkg that l2met uses to deal with the encryption of Librato credentials in which certain characters are not properly parsed which results in the shared key not being able to decrypt data. This patch trims the known-to-be-bad characters away from the generated secret.
I just deployed l2met from 27b6331 and it is returning 'Authentication failed.' when I attempt to sign credentials. I'm pretty sure I'm using the same secret on the process and the request, thinking that perhaps this was a code regression?