Code Room
CodingHardcod-g1120
Subject: Cryptography
Level: Senior–Staff
~30 min
Common in Security interviews
Industries: Software development

Question

Verify a capability token of the form 'resource|action|expiry|sig' where sig is the lowercase hex HMAC-SHA256, keyed by a server secret, over the exact byte string 'resource|action|expiry' (the part before the final '|'). Given the secret (str), the token (str), the requested resource, the requested action, and the current time 'now' (int), return True only if: the token has exactly 4 pipe-delimited fields, the HMAC matches under constant-time comparison, the token's resource and action equal the requested ones, and int(expiry) > now. Return False on any malformed field or mismatch.

Implement
verify_capability(secret: str, token: str, resource: str, action: str, now: int) → bool
Examples
Input: ["s3cr3t", "doc:42|read|2000|caecb2bb4ad07ff4983dfa598fdc7dfabed36c4a5cba0d0e11bad5d2955ba9c3", "doc:42", "read", 1500]
Output: true
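A reference implementation in Python, added here as an illustration and not the site's own model answer. `make_token` is an assumed issuer-side helper (not part of the question) used to mint tokens for the demo; the verifier authenticates the MAC before trusting any field and rejects malformed tokens with a plain False.

```python
import hashlib
import hmac


def sign_prefix(secret: str, prefix: str) -> str:
    """Lowercase hex HMAC-SHA256 over the exact bytes of 'resource|action|expiry'."""
    return hmac.new(secret.encode(), prefix.encode(), hashlib.sha256).hexdigest()


def make_token(secret: str, resource: str, action: str, expiry: int) -> str:
    """Issuer side (assumed helper, not part of the question): mint a token."""
    prefix = f"{resource}|{action}|{expiry}"
    return f"{prefix}|{sign_prefix(secret, prefix)}"


def verify_capability(secret: str, token: str, resource: str, action: str, now: int) -> bool:
    parts = token.split("|")
    if len(parts) != 4:
        return False
    tok_resource, tok_action, tok_expiry, sig = parts

    # Authenticate first: recompute the MAC over the bytes before the final '|'
    # and compare in constant time so timing does not leak how many leading
    # bytes of a guessed signature were right. Comparing as bytes also turns a
    # length mismatch or non-ASCII signature into a plain False, not an error.
    expected = sign_prefix(secret, "|".join(parts[:3]))
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False

    # Only now trust the fields. The MAC covers the expiry string, so lenient
    # int() forms such as ' 2000' cannot be injected by anyone without the key;
    # a non-numeric expiry from a buggy issuer still fails closed.
    try:
        expiry = int(tok_expiry)
    except ValueError:
        return False

    return tok_resource == resource and tok_action == action and expiry > now


if __name__ == "__main__":
    token = make_token("s3cr3t", "doc:42", "read", 2000)
    print(token)
    print(verify_capability("s3cr3t", token, "doc:42", "read", 1500))   # valid
    print(verify_capability("s3cr3t", token, "doc:42", "write", 1500))  # wrong action
```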
What a strong answer looks like

State your approach and its time/space complexity out loud before you optimize. Handle the edge cases (empty input, duplicates, overflow), and say why you chose this over the brute force. Green tests are the floor, not the grade.
