From afa8e96294bbbcd56727d83ccb02b148f33fcc81 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Thu, 26 Dec 2024 18:03:37 -0700
Subject: [PATCH] Fix HMAC to avoid canonicalization issues
---
 api/_responses/redirect.go | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/api/_responses/redirect.go b/api/_responses/redirect.go
index 9b349350..13a7303d 100644
--- a/api/_responses/redirect.go
+++ b/api/_responses/redirect.go
@@ -4,7 +4,6 @@ import (
 "crypto/hmac"
 "crypto/sha256"
 "encoding/hex"
- "encoding/json"
 "net/url"
 "strconv"
 "time"
@@ -31,19 +30,14 @@ func Redirect(ctx rcontext.RequestContext, toUrl string, auth _apimeta.AuthConte
 toUrl = appendQueryParam(toUrl, "matrix_exp", strconv.FormatInt(expirationTime.UnixMilli(), 10))
 // Prepare our HMAC message contents as a JSON object
- hmacInput := make(map[string]string)
- hmacInput["url"] = toUrl
+ hmacMessage := toUrl + "||"
 if auth.User.UserId != "" {
- hmacInput["access_token"] = auth.User.AccessToken
- }
- hmacMessage, err := json.Marshal(hmacInput)
- if err != nil {
- panic(err) // "should never happen"
+ hmacMessage += auth.User.AccessToken
 }
 // Actually do the HMAC
 mac := hmac.New(sha256.New, []byte("THIS_IS_A_SECRET_KEY")) // TODO: @@ Actual secret key
- mac.Write(hmacMessage)
+ mac.Write([]byte(hmacMessage))
 verifyHmac := mac.Sum(nil)
 // Append the HMAC to the URL
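Review bot: The new `hmacMessage := toUrl + "||"` / `hmacMessage += auth.User.AccessToken` encoding is only unambiguous if neither field can contain the `||` separator, and `toUrl` is caller-supplied and may legitimately contain `|`, so two different (url, token) pairs can in principle produce the same MAC input, which is the class of problem the commit title says it fixes; encoding each field before joining removes this entirely, e.g. `hmacMessage := strconv.Quote(toUrl) + "||"` and `hmacMessage += strconv.Quote(auth.User.AccessToken)` (strconv is already imported), with the verifier, which is outside this hunk, updated in lockstep. The context comment `// Prepare our HMAC message contents as a JSON object` is now stale and should read `// Prepare the HMAC message as a delimited string; the verifier must rebuild it byte-for-byte the same way`. The hard-coded `"THIS_IS_A_SECRET_KEY"` on the `hmac.New` line is untouched by this commit, but while it stays in source anyone who reads the repository can forge both `matrix_exp` and the appended MAC, so the existing TODO needs resolving before this signature is relied on for anything. Redirect's body continues past the end of the hunk.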