WAF is_timed_hmac_valid_v0 with more parameters issue

When using this expression rule on my WAF:

(http.host eq "site . com" and not is_timed_hmac_valid_v0("somekey", http.request.uri, 10800, http.request.timestamp.sec, 8))

it works fine, but when I add another parameter to the query URL it fails. And yes, &verify=token is the last parameter, so I add parameters before it. How do I fix it?

https://…com/something/somefile?verify=token works fine
https://…com/something/somefile?param1=value&verify=token does NOT work

After many hours, I found out that you need to encrypt the “message” with the parameters first.

For anyone with the same issue:

PHP example:

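// The signed message is the path plus every query parameter that comes before the token
$message = "/images/cat.jpg?yourParamHere=true";
$secret = "mysecrettoken";
// Name of the query parameter that carries the token
$separator = "verify";
$timestamp = time();
// HMAC-SHA256 over message + timestamp, raw bytes, base64-encoded, then URL-encoded
$token = urlencode(base64_encode(hash_hmac("sha256", $message . $timestamp, $secret, true)));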

Now that token will work if the URL has https://yoursite .com/images/cat.jpg?yourParamHere=true&verify=token
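The same fix as an added Python example (not part of the original post and not Cloudflare's code): it signs the path together with its query parameters and appends the token last. It assumes the `<timestamp>-<mac>` token layout from Cloudflare's HMAC validation documentation; `check()` is a simplified local model of the edge check, and the names `sign`, `check`, `SECRET`, `PARAM` and `TTL` are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

SECRET = b"mysecrettoken"  # sample secret, same as the PHP snippet
PARAM = "verify"           # "?verify=" or "&verify=" is 8 bytes, the rule's last argument
TTL = 10800                # token lifetime in seconds, as in the rule


def _mac(message, ts):
    """Base64 HMAC-SHA256 over message + timestamp, like the PHP hash_hmac call."""
    digest = hmac.new(SECRET, f"{message}{ts}".encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign(uri, now=None):
    """Sign the full path + query and append the token as the last parameter."""
    ts = int(time.time()) if now is None else now
    joiner = "&" if "?" in uri else "?"
    return f"{uri}{joiner}{PARAM}={ts}-{quote(_mac(uri, ts), safe='')}"


def check(signed_uri, now):
    """Simplified local model of the validation (assumption, not Cloudflare code)."""
    for sep in (f"&{PARAM}=", f"?{PARAM}="):
        message, found, tail = signed_uri.rpartition(sep)
        if found:
            break
    else:
        return False  # no token parameter present
    ts_text, dash, mac = tail.partition("-")
    if not (dash and ts_text.isdigit()):
        return False  # malformed token
    ts = int(ts_text)
    if now > ts + TTL:
        return False  # token expired
    # The message is everything before the separator, query parameters included
    expected = _mac(message, ts).encode()
    return hmac.compare_digest(unquote(mac).encode(), expected)


if __name__ == "__main__":
    now = int(time.time())
    good = sign("/something/somefile?param1=value", now)
    token = sign("/something/somefile", now).split(f"{PARAM}=", 1)[1]
    bad = f"/something/somefile?param1=value&{PARAM}={token}"  # signed without param1
    print(good, check(good, now))
    print(bad, check(bad, now))
```

A token computed over the bare path stops validating as soon as a parameter is placed in front of `verify`, because the signed message no longer matches what precedes the separator.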