Author: Marcus Bointon

Posted on

Postman pre-request script for Laravel registration

A common way to register in a Laravel API is to send a POST request to /users containing a username, password, any other info, and also an HMAC signature using a server-side secret. In this example, it’s validated on the server by this class:

    public const HASH_ALGORITHM = 'sha256';

    protected const REQUEST_KEYS = [
        'email',
        'name',
    ];

    private $secret;

    public function __construct(string $secret = null)
    {
        if (! $secret) {
            throw new \InvalidArgumentException('The registration secret must be provided');
        }

        $this->secret = $secret;
    }

    public function verify(Request $request): bool
    {
        return rescue(
            function () use ($request) {
                $hash = hash_hmac(
                    self::HASH_ALGORITHM,
                    json_encode($request->only(self::REQUEST_KEYS)),
                    $this->secret
                );

                return hash_equals(
                    base64_encode($hash),
                    $request->get('signature', '')
                );
            },
            false
        );
Code language: PHP (php)

So we can see that it’s expecting a Base64-encoded HMAC-SHA256 signature of a JSON array containing the email and name properties.

If you’re trying to make this request in Postman, you obviously need to calculate this same signature or it won’t work. Fortunately Postman has pre-request scripts that can inspect bits of your request and environment and generate new elements before your request is sent, and that’s what we need to use.

We don’t want the secret to be saved in our request collection, so we keep it in an environment, and pull it out dynamically when the request is made. Postman includes the Crypto-js package, which includes the necessary signature and encoding functions we need. Coming from PHP, the syntax for these operations feels very convoluted, but it goes like this:

const signature_string = '{"email":"' + request.data.email + '","name":"' + request.data.name + '"}';
const hmac = CryptoJS.HmacSHA256(signature_string, pm.environment.get('REGISTRATION_SECRET'));
const b64 = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(hmac));
pm.environment.set("REGISTRATION_SIGNATURE", b64);Code language: JavaScript (javascript)

This builds the string to sign from the request elements we need, calculates the HMAC of it using our secret, and then base64-encodes it before saving it in the Postman environment.

You can then add the signature into your request by adding the REGISTRATION_SIGNATURE variable to the body:

Hope that helps someone!

Posted on

Reverse engineering Fox’s Butter Crinkle Crunch biscuits

Update 24th Jan 2024: I wrote a follow-up post to this.

Fox’s Butter Crinkle Crunch biscuits have always been a favourite of mine. I had a little rummage, but completely failed to find a recipe for them, so I though I’d try making one up.

Home made butter crinkle crunch biscuits
Home made butter crinkle crunch biscuits

Fox’s page on the biscuits is oddly free of marketing, but includes both the the ingredients list and the nutrition label, from which we can deduce something of the recipe. The ingredients list noted 8% oats and 5% butter, no eggs, and a critical ingredient I’d not thought of – partially inverted refiners syrup. That’s golden syrup to you. Taking those with some of the nutrition label led to make some guesses about the proportion of ingredients. I did a little searching about ginger snaps, a very similar biscuit texture-wise, which gave me an important tip – “go heavy on the raising agent”. This is what makes the biscuits over-rise and form the distinctive “crinkly” cracks. I then compared my recipe with Rachel Allen’s recipe for ginger honey biscuits (from her “Bake” book, ISBN 978-0007259700), which I’ve made before, and made a few adjustments to quantities, before settling on a recipe.

Ingredients

  • 175g white flour
  • 75g white sugar
  • 25g dark muscovado sugar (adds a slightly caramel-y taste)
  • 50g oats (porridge, not jumbo)
  • 125g butter
  • 50g golden syrup
  • 2tsp baking powder
  • Pinch of salt
  • 1/4tsp vanilla powder
  • A small bowl of Demerara sugar (cassonade in France) for rolling

This is about 500g of ingredients providing eleventy bazillion calories, and made 24 large-ish biscuits.

Steps

I used a Kenwood Chef to make this, but it’s easy to do by hand too. I baked them on a large double-layer tray with a silicone baking sheet.

  • Preheat oven (traditional mode, not fan) to 180°C.
  • Put all the dry ingredients except the sugar in a bowl and mix.
  • Put butter, sugar (not the Demerara!) and golden syrup in the mixer bowl and whiz until it’s creamy.
  • Add the dry ingredients and whiz until it forms a thick, slightly crumbly dough with no small crumbs. It should be fairly dry, not sticky. If it’s sticky, add a little more flour.
  • Grab small 2-3cm blobs of dough and roll them between your palms to make them into smooth spheres, then roll them in the Demerara sugar before putting them on the baking tray. Leave quite a lot of space around them as they will spread a lot when baking.
  • Bake for about 16 minutes on a middle shelf. They will initially rise to look like little cakes (which had me worried!), but after about 10 mins the tops will crack and they will flatten a bit. I wanted to make sure they were nice and crunchy; if you prefer them softer, take them out a little sooner.

I made a time lapse video of them cooking, but the camera focused on the little dots on the oven door rather than what’s inside, so the biscuits are a little blurry:

Biscuits cooking

They looked pretty good in the end and taste pretty much as I expected, though lacking that blatant butteriness that the originals have, possibly due to my lack of a listed ingredient: “Flavouring”! Still yummy though.

I think if I made them again I’d cut down on the sugar a bit, perhaps increase the oats, though I don’t want to stray into Hob-Nob territory! I could make them look more like bought ones if I squashed them a bit before baking so that they come out flatter.