check signature on redirect will extend matching leadID for oneday, as user might editing their info again and again within one day.

crmpixel.go

 //redirect user to a URL "/pages/dashboard"
 //
 func setTrackingCookieAndRecirect(w http.ResponseWriter, r *http.Request) {
-
-	//check signature and then perform redirect
-	if !checkSignatureByToken(r, IntraAPIConfig.CRMSecrete) {
-		response403Handler(w)
-		return
-	}
-
 	m, err := url.ParseQuery(r.URL.RawQuery)
 	if err != nil {
 		response400Handler(w)
 		return
 	}
 
-	//set cookie if any
+	//check request leadID - lid and my cookie lead id
 	leadID, ok := m["lid"]
+	myLeadID, found := getLeadIDFromCookie(r) //existing cookie
+
+	expireInSeconds := 120                    //default 2minute
+	if found && ok && myLeadID == leadID[0] { //our cookie match the request lid
+		expireInSeconds = 86400 //extended to 1 day
+	}
+
+	//check signature, prevent unauthorized request
+	if !checkSignatureByTokenWithExpireSeconds(r, IntraAPIConfig.CRMSecrete, expireInSeconds) {
+		response403Handler(w)
+		return
+	}
+
+	//set cookie if any
 	if ok {
 		log.Println("setlead cookie :" + leadID[0])
 		cookie := cookieFromLeadID(leadID[0])

server.go

 	return checkSignatureByToken(r, APIConfig.Token)
 }
 
-func checkSignatureByToken(r *http.Request, token string) bool {
+func checkSignatureByTokenWithExpireSeconds(r *http.Request, token string, expireSeconds int) bool {
 	rq := r.URL.RawQuery
 	m, _ := url.ParseQuery(rq)
 
 	nonce, nok := m["nonce"]
 	token = strings.TrimSpace(token)
 	if sok && tok && nok && token != "" {
-		return verifySignature(signature[0], timestamp[0], nonce[0], token)
+		return verifySignature(signature[0], timestamp[0], nonce[0], token, expireSeconds)
 	}
 	return false
 }
 
-func checkCookieSignatureBytoken(r *http.Request, token string) bool {
-	signature := ""
-	nonce := ""
-	timestamp := ""
-	for _, c := range r.Cookies() {
-		switch c.Name {
-		case "signature":
-			signature = c.Value
-		case "nonce":
-			nonce = c.Value
-		case "timestamp":
-			timestamp = c.Value
-		}
-	}
-	if signature != "" && nonce != "" && timestamp != "" && token != "" {
-		return verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete)
-	}
-	return false
+func checkSignatureByToken(r *http.Request, token string) bool {
+	return checkSignatureByTokenWithExpireSeconds(r, token, 180) //180=3minutes
 }
 
-func verifySignature(signature, timestamp, nonce, token string) bool {
-	if timestampTooOldStr(timestamp) {
+// func checkCookieSignatureBytoken(r *http.Request, token string) bool {
+// 	signature := ""
+// 	nonce := ""
+// 	timestamp := ""
+// 	for _, c := range r.Cookies() {
+// 		switch c.Name {
+// 		case "signature":
+// 			signature = c.Value
+// 		case "nonce":
+// 			nonce = c.Value
+// 		case "timestamp":
+// 			timestamp = c.Value
+// 		}
+// 	}
+// 	if signature != "" && nonce != "" && timestamp != "" && token != "" {
+// 		return verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete, expireSeconds)
+// 	}
+// 	return false
+// }
+
+func verifySignature(signature, timestamp, nonce, token string, expireSeconds int) bool {
+	if timestampTooOldStr(timestamp, expireSeconds) {
 		return false
 	}
 	return signature == calculateSignature(timestamp, nonce, token)
 	return calculated
 
 }
-func timestampTooOldStr(timestamp string) bool {
+func timestampTooOldStr(timestamp string, expireSeconds int) bool {
 	ts, err := strconv.Atoi(timestamp)
 	if err != nil {
 		return true
 	}
-	return timestampTooOld(int32(ts))
+	return timestampTooOld(int32(ts), expireSeconds)
 }
 
-func timestampTooOld(ts int32) bool {
+func timestampTooOld(ts int32, expireSeconds int) bool {
 	//diff > 3min from now
 	now := int32(time.Now().Unix())
 	diff := now - ts
 	if diff < 0 {
 		diff = -diff
 	}
-	return diff > 180 //3 minutes, 180 seconds
+	return diff > int32(expireSeconds) //3 minutes, 180 seconds
 }
 
 func timestampOldThan(ts int32, sec int32) bool {