fix: 401 signature invalid when using --filter with JSON values #13
Open
byshing wants to merge 1 commit into
When a query value contains special characters (e.g. a JSON filter like
{"ordStatus":"New"}), reqwest's url::Url::parse encodes them before
sending (" -> %22). The signature was computed over the raw unencoded
string, causing a server-side mismatch and a 401 Signature not valid.
Add signing_path() which parses the URL through the same url crate to
extract the canonically-encoded path+query, ensuring the signed string
matches what the server receives. Applied to get_auth and delete.
Problem
bitmex order list --filter '{"ordStatus":"New"}' returned a 401 Signature not valid, while the same command without --filter worked fine.
Root cause
build_query emits raw query strings without percent-encoding. When reqwest sends the request, it passes the URL through url::Url::parse(), which encodes " → %22 (WHATWG query encode set). The HMAC signature was computed over the unencoded form while the server received the encoded form — mismatch.
Fix
Added signing_path() in client.rs which parses the URL through the same url crate before signing, extracting the canonically-encoded path+query. This guarantees the signed string exactly matches what the server receives. Applied to both get_auth and delete.
Test plan
client.rs::tests: signing_path_encodes_json_filter_quotes, signing_path_empty_query, signing_path_simple_params_unchanged
cargo test)
bitmex order list --filter '{"ordStatus":"New"}' returns results without 401
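The mismatch described above can be reproduced without any crates. The following is an added example, not code from this pull request: `wire_path`, `needs_encoding` and `raw_signing_is_safe` are hypothetical names, the hand-rolled encoder is an assumed stand-in for what the `url` crate does to the query of an http/https URL, and the endpoint path is a constructed sample.

```rust
// Added example: std-only model of how URL parsing rewrites a query string
// before it is sent. Not the PR's signing_path(), which uses the `url` crate.

/// Bytes the WHATWG URL spec percent-encodes in the query of a special
/// (http/https) URL: C0 controls, space, `"`, `#`, `<`, `>`, `'`, 0x7F, non-ASCII.
fn needs_encoding(b: u8) -> bool {
    b <= 0x20 || b >= 0x7F || matches!(b, b'"' | b'#' | b'<' | b'>' | b'\'')
}

/// Hypothetical helper: path+query as the server receives it.
/// Assumes `raw` is "path" or "path?query" and that the path needs no encoding.
fn wire_path(raw: &str) -> String {
    // A fragment is never sent to the server, so it is dropped.
    let raw = raw.split('#').next().unwrap_or("");
    let (path, query) = match raw.split_once('?') {
        Some((p, q)) => (p, Some(q)),
        None => (raw, None),
    };
    let mut out = String::from(path);
    if let Some(q) = query {
        out.push('?');
        for &b in q.as_bytes() {
            if needs_encoding(b) {
                out.push_str(&format!("%{:02X}", b));
            } else {
                out.push(b as char); // printable ASCII passes through unchanged
            }
        }
    }
    out
}

/// True when a MAC computed over `raw` covers the same bytes the server sees.
fn raw_signing_is_safe(raw: &str) -> bool {
    wire_path(raw) == raw
}

fn main() {
    // Constructed inputs: a JSON filter and a plain parameter.
    let samples = ["/api/v1/order?filter={\"ordStatus\":\"New\"}", "/api/v1/order?count=5"];
    for raw in samples {
        println!("{}\n  wire: {}\n  raw signing safe: {}",
                 raw, wire_path(raw), raw_signing_is_safe(raw));
    }
}
```

Because a MAC is a function of its exact input bytes, any request for which `raw_signing_is_safe` is false will fail verification if the raw string is what gets signed.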