What is Member Hash

Member Hash is a security feature that stops a third party from reading another user's information simply by guessing a predictable memberId. Your server computes an HMAC-SHA256 (hash-based message authentication code) of the user's memberId with a secret key that only you and Channel hold, and Channel processes a boot request only when the memberHash it carries matches. Without the secret key, knowing or guessing a memberId is no longer enough to impersonate that user.
We recommend enabling this feature for increased security.

🚧 Support for website builders

For now, the Member Hash feature is supported ONLY for installations where the Channel Plugin was integrated by your own developers. Some website builders (including Cafe24) do NOT support it, because of fundamental differences in how the plugin is installed there. We will continue to add support for other website builders.

How to Use

After issuing a secret key, set up your server to compute HMAC-SHA256 over the user's memberId, keyed with the secret key. The key is issued as a hex string: decode it to its raw bytes before use (as every example below does), and send the lowercase hex digest as memberHash. Do this on the server only; the secret key must never be shipped to the browser.

HMAC Hashing Example Code

We provide example code that generates a member hash from a secret key and a memberId in four languages (JavaScript, Python, Java, PHP). In every version the key is the raw bytes decoded from the hex secret key, the message is the UTF-8 memberId, and the result is the lowercase hex digest. With the sample key and memberId shown, the result should equal expectedHash.

JavaScript (Node.js)

```javascript
const crypto = require('crypto');

const memberId = 'lucas';
// Secret key issued by Channel, as a hex string; decode it to raw bytes before use.
const secretKey = '4629de5def93d6a2abea6afa9bd5476d9c6cbc04223f9a2f7e517b535dde3e25';
const expectedHash = '99427c7bba36a6902c5fd6383f2fb0214d19b81023296b4bd6b9e024836afea2';

const memberHash = crypto.createHmac('sha256', Buffer.from(secretKey, 'hex'))
                .update(memberId, 'utf8')
                .digest('hex');

console.log(memberHash === expectedHash); // should print true for the sample values above
```
Python

```python
import hmac
import hashlib

member_id = "lucas"
# Secret key issued by Channel, as a hex string; bytes.fromhex() gives the raw key bytes.
secret_key = "4629de5def93d6a2abea6afa9bd5476d9c6cbc04223f9a2f7e517b535dde3e25"
expected_hash = "99427c7bba36a6902c5fd6383f2fb0214d19b81023296b4bd6b9e024836afea2"

member_hash = hmac.new(
    bytes.fromhex(secret_key),
    msg=member_id.encode("utf-8"),
    digestmod=hashlib.sha256,
).hexdigest()

# Compare hashes in constant time whenever a provided value is checked against the expected one.
print(hmac.compare_digest(member_hash, expected_hash))  # should print True for the sample values
```
Java (uses java.util.HexFormat, available since Java 17; the original relied on an undefined hexify() helper and Apache Commons Codec)

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public final class HMACUtil {
  // memberId is the message; secretKeyHex is the hex-encoded secret key issued by Channel.
  public static String encode(String memberId, String secretKeyHex, String algorithm) {
    try {
      byte[] data = memberId.getBytes(StandardCharsets.UTF_8);
      SecretKey macKey = new SecretKeySpec(HexFormat.of().parseHex(secretKeyHex), algorithm);
      Mac mac = Mac.getInstance(algorithm);
      mac.init(macKey);
      byte[] digest = mac.doFinal(data);
      return HexFormat.of().formatHex(digest); // lowercase hex
    } catch (InvalidKeyException | NoSuchAlgorithmException e) {
      throw new IllegalStateException("Unable to compute member hash", e);
    }
  }
}

String memberId = "lucas";
String secretKey = "4629de5def93d6a2abea6afa9bd5476d9c6cbc04223f9a2f7e517b535dde3e25";
String expectedHash = "99427c7bba36a6902c5fd6383f2fb0214d19b81023296b4bd6b9e024836afea2";
String memberHash = HMACUtil.encode(memberId, secretKey, "HmacSHA256");
// memberHash.equals(expectedHash) should be true for the sample values above
```
PHP

```php
<?php
$memberId = 'lucas';
// Secret key issued by Channel, as a hex string; hex2bin() gives the raw key bytes.
$secretKey = '4629de5def93d6a2abea6afa9bd5476d9c6cbc04223f9a2f7e517b535dde3e25';
$expectedHash = '99427c7bba36a6902c5fd6383f2fb0214d19b81023296b4bd6b9e024836afea2';

$memberHash = hash_hmac('sha256', $memberId, hex2bin($secretKey));

var_dump(hash_equals($expectedHash, $memberHash)); // should print bool(true) for the sample values
```

Toggle Behavior

  • When Member Hash feature is toggled ON

    • For integrated (logged-in) users: include both memberId and its hashed value (memberHash) in the boot request. We check that memberHash is the HMAC-SHA256 of memberId under your secret key. A boot request whose memberHash does not match is rejected with a 401 Unauthenticated error.
    • For anonymous users: do NOT include memberId or memberHash in the boot request.
  • When the Member Hash feature is toggled OFF

    • Nothing in the boot request is verified. A memberHash present in the request is simply ignored.
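The following is an added example, not code from this page or from Channel. It puts the "How to Use" step and the toggle behavior above into one runnable script: the server-side generation of memberHash (reusing the page's sample hex key as sample data), the boot payload for a logged-in versus an anonymous visitor, and a hypothetical model of the check Channel performs, written here as verify_boot_request() with 200/401 status values standing in for "processed" and "401 Unauthenticated". One point is an assumption of this model rather than a statement on the page: a request that carries a memberId but no memberHash at all is treated as a wrong hash.

```python
import hmac
import hashlib
from typing import Optional

# The page's sample secret key (a hex string issued by Channel), reused here as sample data.
SECRET_KEY_HEX = "4629de5def93d6a2abea6afa9bd5476d9c6cbc04223f9a2f7e517b535dde3e25"


def generate_member_hash(secret_key_hex: str, member_id: str) -> str:
    """Server side: HMAC-SHA256 over the UTF-8 memberId, keyed with the raw bytes
    of the hex-encoded secret key. Returns the lowercase hex digest (64 chars)."""
    key = bytes.fromhex(secret_key_hex)
    return hmac.new(key, member_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_boot_payload(secret_key_hex: str, member_id: Optional[str]) -> dict:
    """Server side: the memberId/memberHash fields to inject into the page for the
    plugin's boot call. Anonymous visitors (member_id is None) get neither field."""
    if member_id is None:
        return {}
    return {
        "memberId": member_id,
        "memberHash": generate_member_hash(secret_key_hex, member_id),
    }


def verify_boot_request(secret_key_hex: str, boot: dict, member_hash_enabled: bool) -> int:
    """Hypothetical model of the check described under Toggle Behavior (not Channel's
    own code). Returns 200 when the request is processed, 401 when it is rejected."""
    if not member_hash_enabled:
        return 200  # toggled OFF: nothing is verified, a memberHash is simply ignored
    member_id = boot.get("memberId")
    if member_id is None:
        return 200  # anonymous user: no memberId, nothing to verify
    member_hash = boot.get("memberHash")
    if not isinstance(member_hash, str):
        return 401  # assumption of this model: memberId without a memberHash counts as wrong
    expected = generate_member_hash(secret_key_hex, member_id)
    # Constant-time comparison so the check does not leak how many leading chars matched.
    return 200 if hmac.compare_digest(expected, member_hash) else 401


def demo() -> dict:
    """Run the scenarios described on the page and return each outcome."""
    honest = build_boot_payload(SECRET_KEY_HEX, "lucas")
    # An attacker who has obtained one valid memberHash guesses a neighbouring memberId,
    # but cannot produce the hash that matches it without the secret key.
    forged = {"memberId": "lucas2", "memberHash": honest["memberHash"]}
    # The right memberId with a single hex character of the hash altered.
    h = honest["memberHash"]
    tampered = {"memberId": "lucas", "memberHash": h[:-1] + ("0" if h[-1] != "0" else "1")}
    return {
        "honest": verify_boot_request(SECRET_KEY_HEX, honest, True),
        "forged": verify_boot_request(SECRET_KEY_HEX, forged, True),
        "tampered": verify_boot_request(SECRET_KEY_HEX, tampered, True),
        "anonymous": verify_boot_request(SECRET_KEY_HEX, build_boot_payload(SECRET_KEY_HEX, None), True),
        "forged_toggle_off": verify_boot_request(SECRET_KEY_HEX, forged, False),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:18s} -> {status}")
```

The "forged_toggle_off" scenario is the reason the feature exists: with the toggle off, a request that pairs a guessed memberId with any memberHash is processed, so the memberId alone decides whose conversation is shown.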

Troubleshooting

  • Enable the Member Hash feature only after ALL of your plugins have been set up to send memberHash. Once the feature is on, any plugin that has not been set up with it will not work properly.

  • Keep your secret key safe. Treat it as a credential: keep it in server-side configuration or a secrets manager, and DO NOT commit it to your repository, put it in frontend or client-side code, or place it anywhere public where third parties can find it. If your secret key is exposed, re-issue it and set up again using the instructions above.