From 079e9d2730c5429c2b31f75df9c4ff5b451f6efe Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Sun, 23 Mar 2025 14:25:55 +0800
Subject: Cut half of the cookie, the HMAC is enough
---
 token.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
(limited to 'token.go')
diff --git a/token.go b/token.go
index f704383..7e2d445 100644
--- a/token.go
+++ b/token.go
@@ -11,8 +11,9 @@ import (
 "time"
 )
-func makeSignedToken(request *http.Request) []byte {
- buf := make([]byte, 0, 2*sha256.Size)
+func makeSignedToken(request *http.Request) (identifier []byte, mac []byte) {
+ identifier = make([]byte, 0, sha256.Size)
+ mac = make([]byte, 0, sha256.Size)
 timeBuf := make([]byte, binary.MaxVarintLen64)
 binary.PutVarint(timeBuf, time.Now().Unix()/604800)
@@ -26,17 +27,17 @@ func makeSignedToken(request *http.Request) []byte {
 h.Write(stringToBytes(request.Header.Get("Accept-Encoding")))
 h.Write(stringToBytes(request.Header.Get("Accept-Language")))
 h.Write(privkeyHash)
- buf = h.Sum(buf)
- if len(buf) != sha256.Size {
+ identifier = h.Sum(identifier)
+ if len(identifier) != sha256.Size {
 panic("unexpected buffer length after hashing contents")
 }
- mac := hmac.New(sha256.New, privkey)
- mac.Write(buf)
- buf = mac.Sum(buf)
- if len(buf) != 2*sha256.Size {
+ m := hmac.New(sha256.New, privkey)
+ m.Write(identifier)
+ mac = m.Sum(mac)
+ if len(mac) != sha256.Size {
 panic("unexpected buffer length after hmac")
 }
- return buf
+ return
 }
--
cgit v1.2.3
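Review bot: The new two-value signature of `makeSignedToken` carries no doc comment saying what each result is for, and the commit subject suggests only the MAC now goes into the cookie. If that is the intent, I would add above the function `// makeSignedToken returns the request-derived identifier and its HMAC-SHA256 under privkey; only mac is sent to the client.` The code that checks the cookie is not part of this patch, so it is worth confirming that it recomputes the MAC from the request and compares it with `hmac.Equal` rather than `bytes.Equal`, because the cookie no longer contains the identifier to cross-check against. The function body continues past this hunk.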
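Review bot: The bare `return` that closes `makeSignedToken` depends on the named results declared at the top of the function; `return identifier, mac` states explicitly which value is the keyed output and which is the plain hash. The two `panic` length checks look unreachable, since `Sum` appends exactly `sha256.Size` bytes to a zero-length slice, so `identifier = h.Sum(nil)` and `mac = m.Sum(nil)` would give the same result without the pre-allocation in the first hunk. Separately, the context lines feed `Accept-Encoding` and `Accept-Language` into the hash back to back with no length prefix or separator, so different header pairs can yield the same identifier; the start of the function is outside this hunk, and earlier fields may be written the same way.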