We were having a weird issue with a passive worker on one of our API endpoints that does HMAC auth using the request data as part of the signature.
In our case for various reason one of our requests contained an &
character at the end of the URL string. We found that these request were suddenly failing when the worker was activated although it was a passive worker that was not modifying the request.
Turns out that for some reason all &'s at the end of the URL are being stripped as seen in the screenshot below.
has anyone else encountered this? anything we can do about it?
Update: Here is a easy to reproduce version of the failure - https://Cloudflareworkers.com/#35ac553cdca2d02017d12e109e7e1709:https://tutorial.Cloudflareworkers.com
Another reproduction
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
console.log('Got request', request)
let re = 'http://postb.in/YOUR_BIN_ID_HERE' +'/a?url='+ request.url
const response = await fetch(re,request)
console.log('Got response', response)
return response
}
then do
curl "https://YOUR_URL_WITH_WORKER.com/a?business_guid=f0c13f5a2e4cea8aeab7d2fe25df80a2&&&"
When you review the contents of the bin located at http://postb.in/b/YOUR_BIN_ID_HERE
you will notice that the query is missing the &
s