@powfan powfan commented Dec 2, 2025

Summary

  • /auth/api-key may return secret as base64url (may contain _ / -, padding omitted).
  • base64ToArrayBuffer fed it directly to atob, which only accepts standard base64, causing InvalidCharacterError when the secret includes url-safe chars.
  • Normalize url-safe base64 (convert -/_ and pad to multiple of 4) before decoding so the same secret works across runtimes.

Testing

  • Node / Bun: deriveApiKey + createAndPostOrder no longer throw InvalidCharacterError.
  • Standard base64 secrets still decode correctly; only input normalization changed, signature generation is otherwise unchanged.

Note

Normalize base64url secrets (convert -/_ and add padding) before atob in base64ToArrayBuffer to prevent decode errors.

  • Signing/HMAC:
    • Update base64ToArrayBuffer in src/signing/hmac.ts to normalize base64url (replace -/_, add padding) before decoding with atob, ensuring secrets decode consistently across runtimes.

Written by Cursor Bugbot for commit 541f904.

@powfan powfan requested a review from a team as a code owner December 2, 2025 09:51
@powfan powfan force-pushed the fix/base64url-secret branch 2 times, most recently from cc48565 to 541f904 Compare December 2, 2025 13:08

bh1337x commented Dec 4, 2025

I was facing the same issue and it appears that this is the correct solution.
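
The normalization described in the PR summary, as an added example that is not code from this pull request or the project. The helper names (`normalizeBase64`, `decodeSecretToArrayBuffer`, `rawAtobRejects`) are illustrative, the sample secret is constructed, and the rejection of malformed input is an addition the summary does not mention.

```javascript
// Added example: helper names are illustrative, not the project's own code.

// Map base64url (RFC 4648 section 5) onto the standard alphabet atob() expects.
function normalizeBase64(input) {
  const s = input.trim().replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(s)) {
    throw new TypeError("secret is neither base64 nor base64url");
  }
  // No encoder emits a length of 1 mod 4, so reject it instead of padding it.
  if (s.length % 4 === 1) throw new TypeError("invalid base64 length");
  return s + "=".repeat((4 - (s.length % 4)) % 4);
}

// Stand-in for a base64ToArrayBuffer-style helper that normalizes first.
function decodeSecretToArrayBuffer(input) {
  const binary = atob(normalizeBase64(input));
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
  return bytes.buffer;
}

// True when atob() throws on the string as given, without normalization.
function rawAtobRejects(s) {
  try { atob(s); return false; } catch { return true; }
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Constructed sample secret (not a real key): bytes fb ff be 01.
const STANDARD = "+/++AQ=="; // standard base64
const URL_SAFE = "-_--AQ";   // same bytes as base64url, padding omitted

function demo() {
  return {
    rawRejectsUrlSafe: rawAtobRejects(URL_SAFE),
    fromUrlSafe: toHex(decodeSecretToArrayBuffer(URL_SAFE)),
    fromStandard: toHex(decodeSecretToArrayBuffer(STANDARD)),
  };
}

console.log(demo());
```

Both encodings decode to the same bytes, so an HMAC key derived from either form of the secret is identical.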
