From 50f13d628800c50986856045f95001fb6fdf9109 Mon Sep 17 00:00:00 2001
From: Edgar Lin
Date: Tue, 28 Oct 2025 15:21:14 -0700
Subject: [PATCH] enforce alphabetical json dumping of message for signature verification
---
 lib/backend.py | 2 +-
 lib/data_types.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/backend.py b/lib/backend.py
index 77c13fa..0d25a00 100644
--- a/lib/backend.py
+++ b/lib/backend.py
@@ -296,7 +296,7 @@ class Backend:
 elif message in self.msg_history:
 log.debug(f"message: {message} already in message history")
 return False
- elif verify_signature(json.dumps(message, indent=4), auth_data.signature):
+ elif verify_signature(json.dumps(message, indent=4, sort_keys=True), auth_data.signature):
 self.reqnum = max(auth_data.reqnum, self.reqnum)
 self.msg_history.append(message)
 self.msg_history = self.msg_history[-MSG_HISTORY_LEN:]
diff --git a/lib/data_types.py b/lib/data_types.py
index ceadfed..77883c5 100644
--- a/lib/data_types.py
+++ b/lib/data_types.py
@@ -65,12 +65,12 @@ class ApiPayload(ABC):
 class AuthData:
 """data used to authenticate requester"""
- signature: str
 cost: str
 endpoint: str
 reqnum: int
- url: str
 request_idx: int
+ signature: str
+ url: str
 @classmethod
 def from_json_msg(cls, json_msg: Dict[str, Any]):
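Review bot: The bytes checked in the `elif verify_signature(...)` branch are still produced by re-serializing the parsed `message`, so verification only succeeds when the signer emitted byte-identical `json.dumps` output. `sort_keys=True` pins key order, but `indent=4`, the default separators and `ensure_ascii` escaping remain implicit parts of the signed format. Verifying over the raw received bytes would avoid this; failing that, one shared helper for signer and verifier would help, with a comment such as `# signed form: json.dumps(msg, indent=4, sort_keys=True) - signer must serialize identically`. Signers that do not yet sort keys will presumably start failing this check, so the rollout order is worth confirming. The enclosing method starts and ends outside the hunk.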
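Review bot: Reordering the fields of `AuthData` changes its positional constructor order if the class is a dataclass (the decorator is not visible in this hunk). Because `signature`, `cost`, `endpoint` and `url` are all `str`, a positional call written against the old order would now bind the signature to `cost` without raising any error. It is worth confirming that every construction site goes through `from_json_msg` or keyword arguments, or enforcing that with `@dataclass(kw_only=True)` where the Python version allows it. If the alphabetical order matters for the signed JSON, a comment such as `# fields kept alphabetical to match the sort_keys=True signing form` would stop a later field being added out of order. The class body continues past the end of the hunk.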