From aac498808c5bb499723cf9de711846553ca5236d Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Fri, 22 Jan 2016 21:53:11 -0500
Subject: [PATCH] closes #30
---
 app/Http/Middleware/APISecretToken.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php
index 19e93382b..ef13ba563 100644
--- a/app/Http/Middleware/APISecretToken.php
+++ b/app/Http/Middleware/APISecretToken.php
@@ -46,6 +46,10 @@ class APISecretToken extends Authorization
 protected $permissionAllowed = false;
+ protected $method = '';
+
+ protected $url = '';
+
 public function __construct()
 {
 //
@@ -102,7 +106,9 @@ class APISecretToken extends Authorization
 throw new HttpException('There was an error while attempting to check your secret key.');
 }
- if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) {
+ $this->method = strtoupper($request->method());
+ $this->url = urldecode($request->fullUrl());
+ if($this->_generateHMAC($request->getContent(), $decrypted) !== base64_decode($hashed)) {
 throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.');
 }
@@ -110,9 +116,9 @@ class APISecretToken extends Authorization
 }
- protected function _generateHMAC($url, $body, $key)
+ protected function _generateHMAC($body, $key)
 {
- $data = urldecode($url) . '.' . $body;
+ $data = $this->method . '.' . $this->url . '.' . $body;
 return hash_hmac($this->algo, $data, $key, true);
 }
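Review bot: The rewritten `if` line in the second hunk still compares the raw HMAC bytes with `!==`, which stops at the first differing byte and so leaks timing information about the expected tag to the party supplying the signature; use the constant-time helper instead: `if (!hash_equals($this->_generateHMAC($request->getContent(), $decrypted), base64_decode($hashed))) {`. Passing `base64_decode($hashed, true)` on the same line would also reject malformed base64 instead of decoding it leniently, though whether `$hashed` is already validated earlier in the method cannot be seen from the hunk. The enclosing method starts and ends outside the hunk.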
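Review bot: `_generateHMAC` in the third hunk now reads `$this->method` and `$this->url`, which are only populated by the caller immediately before the call, so any other call site silently signs two empty strings; this ordering precondition is not documented. Either pass them explicitly again, `protected function _generateHMAC($method, $url, $body, $key)`, or add a docblock on the method stating that `$this->method` and `$this->url` must be set from the current request before calling and that the signed payload is method, URL and body joined with `.`. A short comment on the `$data` line noting that a literal `.` inside the URL or body is not escaped, so the boundaries of the concatenation are not unambiguous, would also help a future maintainer; that property predates this commit.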