Description
The HMAC auth leverages a header value with the schema below to set up the signature.

```
Authorization: Signature keyId="hmac-key-1",algorithm="hmac-sha1",signature="Base64Encode(HMAC-SHA1(signing string))"
```
When passing the same value through a cookie instead, the golang `net/http` cookie parsing strips the double quotes in the cookie value based on RFC 6265. See also the relevant issue. However, Tyk uses Scanner to parse the value of the signature, which makes double quotes mandatory if any value contains special characters such as `-`. This makes cookie-based HMAC auth impossible (e.g. the mandatory algorithm value always contains a hyphen).
I wonder if anyone has ever really used this feature. How was this feature rolled out without proper testing?
Please get it fixed and share workaround if there is any. Thanks.
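As an added example (not Tyk's code), the Go snippet below parses the `Signature` parameter list in a way that accepts both the quoted header form and the bare form left after a cookie's double quotes are stripped, then verifies the HMAC-SHA1 as the header schema describes; the key store (`keys`) and the secret are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"strings"
)

// Constructed key store: the keyId is the one from the issue's header, the secret is invented here.
var keys = map[string]string{"hmac-key-1": "example-secret"}

// parseSignatureParams parses "Signature keyId=...,algorithm=...,signature=...".
// Values may be quoted (header form) or bare (cookie form after quote stripping); each
// pair is split at its first '=' so bare base64 padding survives, and '-' is an ordinary byte.
func parseSignatureParams(cred string) (map[string]string, bool) {
	cred = strings.TrimSpace(cred)
	if !strings.HasPrefix(cred, "Signature ") {
		return nil, false
	}
	params := map[string]string{}
	for _, pair := range strings.Split(strings.TrimPrefix(cred, "Signature "), ",") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, false
		}
		params[kv[0]] = strings.Trim(kv[1], `"`)
	}
	return params, true
}

// hmacSHA1 returns Base64Encode(HMAC-SHA1(signing string)), as in the issue's header schema.
func hmacSHA1(secret, signingString string) string {
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(signingString))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHMACSHA1 accepts either parameter form and compares MACs in constant time.
func verifyHMACSHA1(cred, signingString string) bool {
	p, ok := parseSignatureParams(cred)
	if !ok || p["algorithm"] != "hmac-sha1" {
		return false
	}
	secret, ok := keys[p["keyId"]]
	if !ok {
		return false
	}
	want := hmacSHA1(secret, signingString)
	return hmac.Equal([]byte(want), []byte(p["signature"]))
}
```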