change the signed token format. We don't folks to be able to submit random text for signing by us, as they could then use these to generate known signatures.

author: redmatrix <git@macgirvin.com> 2016-05-22 22:44:13 -0700
committer: redmatrix <git@macgirvin.com> 2016-05-22 22:44:13 -0700
commit: bbc71343bdfc724425927ebab404b035c65f569c (patch)
tree: ee3c193ee84025ef37705a11179c3e986ba6c617 /Zotlabs
parent: a1aa3d906159e4ad563779e5f220dddbfbd744c4 (diff)
download: volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.tar.gz
volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.tar.bz2
volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 63fdd4a4c..07798fbb1 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -110,7 +110,7 @@ class Finger {
 		if($x) {
 			$signed_token = ((is_array($x) && array_key_exists('signed_token',$x)) ? $x['signed_token'] : null);
 			if($signed_token) {
-				$valid = rsa_verify(self::$token,base64url_decode($signed_token),$x['key']);
+				$valid = rsa_verify('token.' . self::$token,base64url_decode($signed_token),$x['key']);
 				if(! $valid) {
 					logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
 					return $ret;
author	redmatrix <git@macgirvin.com>	2016-05-22 22:44:13 -0700
committer	redmatrix <git@macgirvin.com>	2016-05-22 22:44:13 -0700
commit	bbc71343bdfc724425927ebab404b035c65f569c (patch)
tree	ee3c193ee84025ef37705a11179c3e986ba6c617 /Zotlabs
parent	a1aa3d906159e4ad563779e5f220dddbfbd744c4 (diff)
download	volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.tar.gz volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.tar.bz2 volse-hubzilla-bbc71343bdfc724425927ebab404b035c65f569c.zip