mdsol · masongup-mdsol · Mar 29, 2017 · Mar 16, 2017 · Mar 16, 2017 · Mar 20, 2017
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # MAuth-Client History
 
+## v4.0.3
+- Updated signature to decode number sign (#) in requests
+
 ## v4.0.2
 - Store the config data to not load the config file multiple times
 

diff --git a/lib/mauth/client.rb b/lib/mauth/client.rb
@@ -364,8 +364,7 @@ def signature_valid!(object)
         expected_for_percent_reencoding = object.string_to_sign(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
 
         # do a moderately complex Euresource-style reencoding of the path
-        object.attributes_for_signing[:request_url] = CGI.escape(original_request_uri.to_s)
-        object.attributes_for_signing[:request_url].gsub!('%2F', '/') # ...and then 'simply' decode the %2F's back into /'s, just like Euresource kind of does!
+        object.attributes_for_signing[:request_url] = euresource_escape(original_request_uri.to_s)
         expected_euresource_style_reencoding = object.string_to_sign(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
 
         # reset the object original request_uri, just in case we need it again
@@ -383,6 +382,13 @@ def signature_valid!(object)
         end
       end
 
+      # Note: RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) reserves the forward slash "/"
+      #   and number sign "#" as component delimiters. Since these are valid URI components,
+      #   they are decoded back into characters here to avoid signature invalidation
+      def euresource_escape(str)
+        CGI.escape(str).gsub(/%2F|%23/, "%2F" => "/", "%23" => "#")
+      end
+
       def retrieve_public_key(app_uuid)
         retrieve_security_token(app_uuid)['security_token']['public_key_str']
       end

diff --git a/lib/mauth/version.rb b/lib/mauth/version.rb
@@ -1,3 +1,3 @@
 module MAuth
-  VERSION = '4.0.2'.freeze
+  VERSION = '4.0.3'.freeze
 end
diff --git a/spec/mauth_client_spec.rb b/spec/mauth_client_spec.rb
@@ -236,7 +236,7 @@ def x_mws_authentication
         it "considers a request to be authentic even if the request_url must be CGI::escape'ed (after being escaped in Euresource's own idiosyncratic way) before authenticity is achieved" do
           ['/v1/users/[email protected]', "! # $ & ' ( ) * + , / : ; = ? @ [ ]"].each do |path|
             # imagine what are on the requester's side now...
-            signed_path = CGI.escape(path).gsub!('%2F','/') # This is what Euresource does to the path on the requester's side before the signing of the outgoing request occurs.
+            signed_path = CGI.escape(path).gsub!(/%2F|%23/, "%2F" => "/", "%23" => "#") # This is what Euresource does to the path on the requester's side before the signing of the outgoing request occurs.
             request = TestSignableRequest.new(:verb => 'GET', :request_url => signed_path)
             signed_request = @signing_mc.signed(request)