From 8f4dfc0e1ecb5e9625cab47eeef6effaee190179 Mon Sep 17 00:00:00 2001
From: Marcel Pociot
Date: Mon, 3 Dec 2018 10:08:25 +0100
Subject: [PATCH] Fix app secret. Only add the md5 of the body, if it's present
---
 src/HttpApi/Controllers/Controller.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/HttpApi/Controllers/Controller.php b/src/HttpApi/Controllers/Controller.php
index 9da19ba..b2da458 100644
--- a/src/HttpApi/Controllers/Controller.php
+++ b/src/HttpApi/Controllers/Controller.php
@@ -86,16 +86,20 @@ abstract class Controller implements HttpServerInterface
     protected function ensureValidSignature(Request $request)
     {
-        $bodyMd5 = md5($request->getContent());
         $signature = "{$request->getMethod()}\n/{$request->path()}\n" .
             "auth_key={$request->get('auth_key')}" .
             "&auth_timestamp={$request->get('auth_timestamp')}" .
-            "&auth_version={$request->get('auth_version')}" .
-            "&body_md5={$bodyMd5}";
+            "&auth_version={$request->get('auth_version')}";
-        $authSignature = hash_hmac('sha256', $signature, App::findById($request->get('appId'))->appSecret);
+        if ($request->getContent() !== '') {
+            $bodyMd5 = md5($request->getContent());
+            $signature .= "&body_md5={$bodyMd5}";
+        }
+        $authSignature = hash_hmac('sha256', $signature, App::findById($request->get('appId'))->secret);
         if ($authSignature !== $request->get('auth_signature')) {
             throw new HttpException(401, 'Invalid auth signature provided.');