ACL should be escaped by the API.

Author: Amir Tocker

lib/cloudinary/auth_token.rb

@@ -21,8 +21,8 @@ def generate_auth_token(options = {})
         duration = options[:duration]
         url = options[:url]
         start = Time.new.getgm.to_i if start == 'now'
-        unless expiration
-          if duration
+        if expiration.nil? || expiration == 0
+          if !(duration.nil? || duration == 0)
             expiration = (start || Time.new.getgm.to_i) + duration
           else
             throw 'Must provide either expiration or duration'
@@ -33,17 +33,19 @@ def generate_auth_token(options = {})
         token << "ip=#{ip}" if ip
         token << "st=#{start}" if start
         token << "exp=#{expiration}"
-        token << "acl=#{acl}" if acl
+        token << "acl=#{escape_to_lower(acl)}" if acl
         to_sign = token.clone
-        if url
-          url = CGI::escape(url).gsub(/%../){|h| h.downcase}
-          to_sign << "url=#{url}"
-        end
+        to_sign << "url=#{escape_to_lower(url)}" if url
         auth = digest(to_sign.join(SEPARATOR), key)
         token << "hmac=#{auth}"
         "#{name}=#{token.join(SEPARATOR)}"
       end
 
+      # escape URI pattern using lowercase hex. For example "/" -> "%2f".
+      def escape_to_lower(url)
+        CGI::escape(url).gsub(/%../) { |h| h.downcase }
+      end
+
       private
 
       def digest(message, key)

lib/cloudinary/utils.rb

@@ -320,7 +320,7 @@ def self.unsigned_download_url(source, options = {})
     if options[:auth_token] == false
       auth_token = false
     else
-      auth_token = Cloudinary.config.auth_token.to_h.merge { options[:auth_token].to_h }
+      auth_token = Cloudinary.config.auth_token.to_h.merge(  options[:auth_token].to_h )
     end
 
     original_source = source

spec/auth_token_spec.rb

@@ -10,7 +10,7 @@
     @url_backup = ENV["CLOUDINARY_URL"]
   end
   before do
-    Cloudinary.config_from_url "cloudinary://a:b@test123?load_strategies=false"
+    Cloudinary.config_from_url "cloudinary://a:b@test123"
     Cloudinary.config.auth_token = { :key => KEY, :duration => 300, :start_time => 11111111 }
   end
   after do
@@ -19,7 +19,7 @@
   end
   it "should generate with start and duration" do
     token = Cloudinary::Utils.generate_auth_token :start_time => 1111111111, :acl => "/image/*", :duration => 300
-    expect(token).to eq '__cld_token__=st=1111111111~exp=1111111411~acl=/image/*~hmac=0854e8b6b6a46471a80b2dc28c69bd352d977a67d031755cc6f3486c121b43af'
+    expect(token).to eq '__cld_token__=st=1111111111~exp=1111111411~acl=%2fimage%2f%2a~hmac=0d5b0c9c1485ee162c459879fe62e06caa23bc26fec92d58bd100f2e1592eac6'
   end
 
   describe "authenticated url" do
@@ -58,14 +58,18 @@
       expect(url).to eq("http://test123-res.cloudinary.com/image/authenticated/v1486020273/sample.jpg?__cld_token__=st=11111111~exp=11111411~hmac=8db0d753ee7bbb9e2eaf8698ca3797436ba4c20e31f44527e43b6a6e995cfdb3")
 
     end
+    it "should throw if expiration and duration are not provided" do
+      token = { :key => KEY, :expiration => 0, :duration => 0 }
+      expect{Cloudinary::Utils.generate_auth_token(token)}.to raise_exception
+    end
   end
   describe "authentication token" do
     it "should generate token string" do
       user                      = "foobar" # we can't rely on the default "now" value in tests
       tokenOptions              = { :key => KEY, :duration => 300, :acl => "/*/t_#{user}" }
       tokenOptions[:start_time] = 222222222 # we can't rely on the default "now" value in tests
       cookieToken               = Cloudinary::Utils.generate_auth_token tokenOptions
-      expect(cookieToken).to eq("__cld_token__=st=222222222~exp=222222522~acl=/*/t_foobar~hmac=eb5e2266c8ec9573f696025f075b92998080347e1c12ac39a26c94d7d712704a")
+      expect(cookieToken).to eq("__cld_token__=st=222222222~exp=222222522~acl=%2f%2a%2ft_foobar~hmac=1284376353c1c43d6f6a98f2813c5596f4ff6f34d837cd853fd8c3c9e7f8428c")
 
     end
   end