Added test to make clear signed_query doesn't strip hmac

MarkusH · MarkusH · commit 686479acaf8c · 2016-11-19T13:02:21.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,11 @@
   * `sign_and_encode()` in favor of `laterpay.utils.signed_query()`
   * `sign_get_url()` in favor of `laterpay.utils.signed_url()`
 
+  Note that `sign_and_encode()` and `sign_get_url()` used to remove existing
+  `'hmac'` parameters before signing query strings. This is different to
+  `signed_query()` as that function also allows other names for the hmac query
+  argument. Please remove the parameter yourself if need be.
+
 * Removed the deprecated `cp` argument from `laterpay.ItemDefinition`
 
 * Reliably ignore `hmac` and `gettoken` parameters when creating the signature
diff --git a/tests/test_utils.py b/tests/test_utils.py
@@ -70,6 +70,18 @@ def test_signed_query_added_timestamp_params_not_dict(self, time_time_mock):
         self.assertEqual(qsd['ts'], ['123'])
         self.assertEqual(qsd['foo'], ['bar'])
 
+    def test_signed_query_keep_duplicate_signature(self):
+        params = {'foo': 'bar', 'ts': 123, 'hmac': 'blub'}
+        url = 'https://endpoint.com/api'
+        secret = 'secret'
+
+        qs = utils.signed_query(secret, params, url)
+        qsd = parse_qs(qs)
+
+        self.assertEqual(qsd['ts'], ['123'])
+        self.assertEqual(qsd['foo'], ['bar'])
+        self.assertEqual(qsd['hmac'], ['blub', 'af319e7ec1b7f50e054ed934f22b05bd9ff58d7783da2549efba86c1'])
+
     def test_signed_url(self):
         params = {'foo': 'bar'}
         url = utils.signed_url(
