I'm trying to use the Gigya's Comment Notification functionality and I've followed the guidelines at:
http://developers.gigya.com/010_Developer_Guide/18_Plugins/022_Comments_Version_2/Comment_Notifications
I've developed the following code:
<?php
require_once('GSSDK.php');
$event = $_POST['event'];
$eventData = $_POST['eventData'];
$nonce = $_POST['nonce'];
$timestamp = $_POST['timestamp'];
$signature = $_POST['signature'];
$signatureBase = sprintf("%s_%s_%s_%s", $event, $eventData, $nonce, $timestamp);
$expectedSignature = SigUtils::calcSignature(
$signatureBase,
MY_SECRET_KEY);
if($signature !== $expectedSignature) {
header('HTTP/1.0 403 Forbidden');
die();
}
//Some other stuff
exit();
?>
But it never gets to the "//Some other stuff" part.
Always the expected signature differs from the signature provided by the Gigya's server.
What am I doing wrong?
Try the following code instead:
<?php
static function calcSignature($baseString,$key)
{
$baseString = utf8_encode($baseString);
$rawHmac = hash_hmac("sha1", utf8_encode($baseString), base64_decode($key), true);
$sig = base64_encode($rawHmac);
return $sig;
}
function checkSignature()
{
$event = $_POST["event"];
$eventData = $_POST["eventData"];
$nonce = $_POST["nonce"];
$timestamp = $_POST["timestamp"];
$signature = $_POST["signature"];
$signatureBase = $event . "_" . $eventData . "_" . $nonce . "_" . $timestamp;
$secret = "[your gigya secret key]";
$expectedSignature = calcSignature($signatureBase, $secret);
// Now compare the expectedSignature value to the signature value returned in the callback
if ($signature !== $expectedSignature)
{
header('HTTP/1.0 403 Forbidden');
die();
}
}
checkSignature();
//Some other stuff
exit();
?>
This code removes the dependency on GigyaSDK just to check the signature. The method provided is the same method that the GigyaSDK uses, but the advantage here is that this is a much smaller memory footprint since the entire GigyaSDK does not need to be loaded.
Additionally, I'm not sure if it was intentional, but your comparison has the code:
if(!$signature !== $expectedSignature) {
Instead of:
if ($signature !== $expectedSignature) {
I'm not quite sure what the purpose of the extraneous logical-NOT operator on $signature is supposed to accomplish, but it seems like this would cause unexpected behavior.
Related
I'm making app-to-phone app using Sinch.
I'm successfully providing the callback for ICE and ACE event without request signin.
But now, when I try to sign the request to make it more secure, it always fails to meet the requirement
I get my code from here : Trouble with authorization request
It works when I try to use data and application key from https://www.sinch.com/using-rest/#callbackrequestsigning
But when I try to use real data, it always fail.
$key = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx";
$secret = 'my-app-secret';
$body = $request->getContent();
$timestamp = $request->input('timestamp');
$path = '/sinch/callback/' . $callbackType;
$content_type = "application/json";
$canonicalized_headers = "x-timestamp:" . $timestamp;
$content_md5 = base64_encode( md5( utf8_encode($body), true ));
$string_to_sign =
"POST\n".
$content_md5."\n".
$content_type."\n".
$canonicalized_headers."\n".
$path;
$signature = base64_encode(hash_hmac("sha256", utf8_encode($string_to_sign), base64_decode($secret), true));
$authorizationHeader = $request->header('Authorization');
$sinchAuthorizationHeader = str_replace('Application ', '', $authorizationHeader);
$sinchAuthorizationHeader = explode(':', $sinchAuthorizationHeader);
if($sinchAuthorizationHeader[0] == $key && $signature == $sinchAuthorizationHeader[1]) {
return true;
}
return false;
Any help would be appreciated.
There are a few libraries for implementing JSON Web Tokens (JWT) in PHP, such as php-jwt. I am writing my own, very small and simple class but cannot figure out why my signature fails validation here even though I've tried to stick to the standard. I've been trying for hours and I'm stuck. Please help!
My code is simple
//build the headers
$headers = ['alg'=>'HS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
echo $token;
The base64url_encode function:
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
My headers and payload perfectly match the validation site's default JWT, but my signature doesn't match so my token is flagged as invalid. This standard seems really straightforward so what's wrong with my signature?
I solved it! I did not realize that the signature itself needs to be base64 encoded. In addition, I needed to set the last optional parameter of the hash_hmac function to $raw_output=true (see the docs. In short I needed to change my code from the original:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
To the corrected:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key,true);
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;
If you want to solve it using RS256 (instead of HS256 like OP) you can use it like this:
//build the headers
$headers = ['alg'=>'RS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = "-----BEGIN PRIVATE KEY----- ....";
openssl_sign("$headers_encoded.$payload_encoded", $signature, $key, 'sha256WithRSAEncryption');
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;
Took me way longer than I'd like to admit
https://github.com/gradus0/appleAuth
look method $appleAuthObj->get_jwt_token()
<?php
include_once "appleAuth.class.php";
// https://developer.apple.com/account/resources/identifiers/list/serviceId -- indificator value
$clientId = ""; // com.youdomen
// your developer account id -> https://developer.apple.com/account/#/membership/
$teamId = "";
// key value show in -> https://developer.apple.com/account/resources/authkeys/list
$key = "";
// your page url where this script
$redirect_uri = ""; // example: youdomen.com/appleAuth.class.php
// path your key file, download file this -> https://developer.apple.com/account/resources/authkeys/list
$keyPath =''; // example: ./AuthKey_key.p8
try{
$appleAuthObj = new \appleAuth\sign($clientId,$teamId,$key,$redirect_uri,$keyPath);
if(isset($_REQUEST['code'])){
$jwt_token = $appleAuthObj->get_jwt_token($_REQUEST['code']);
$response = $appleAuthObj->get_response($_REQUEST['code'],$jwt_token);
$result_token = $this->read_id_token($response['read_id_token']);
var_dump($response);
var_dump($result_token);
}else{
$state = bin2hex(random_bytes(5));
echo "<a href='".$appleAuthObj->get_url($state)."'>sign</a>";
}
} catch (\Exception $e) {
echo "error: ".$e->getMessage();
}
I try to make private API requests for Yahoo. I used the code below but it does not work. It always returns the message 'invalid sig'.
Can you help me with a Two-legged OAuth Yahoo PHP example that works?
Thank you very much.
<?php // a super-stripped down 2-leg oauth server/client example
//http://oauth.net/code/
//http://oauth.googlecode.com/svn/code/php/OAuth.php
require 'oauth.php';
$key = 'key';
$secret = 'secret';
$consumer = new OAuthConsumer($key, $secret);
$sig_method = new OAuthSignatureMethod_HMAC_SHA1();
if ($_GET['server']) {
$method = $_SERVER['REQUEST_METHOD'];
$uri = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$sig = $_GET['oauth_signature'];
$req = new OAuthRequest($method, $uri);
// token is null because we're doing 2-leg
$valid = $sig_method->check_signature($req, $consumer, null, $sig);
if (!$valid) {
die('invalid sig');
}
echo 'orale!';
}
else {
// call this file
$api_endpoint = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
// handle request in 'server' block above
$parameters = array(
'server' => 'true');
// use oauth lib to sign request
$req = OAuthRequest::from_consumer_and_token($consumer, null, "GET", $api_endpoint, $parameters);
$sig_method = new OAuthSignatureMethod_HMAC_SHA1();
$req->sign_request($sig_method, $consumer, null); // note: double entry of token
// get data using signed url
$ch = curl_init($req->to_url());
curl_exec($ch);
curl_close($ch);
}
Do you generate the signature according to the Yahoo specification here?
Or you can use plaintext signature as described here.
https://coinbase.com/api/v1/transactions/send_money?api_key=xxx
I have that URL but after the api_key paramter what comes next (I blocked out my API Key so people can't access my BTC)?
Can someone give me an example of how to properly use coinbase's send_money API?
I don't have a PHP environment handy to test this with but I think it would go like this:
Get their PHP library: https://github.com/coinbase/coinbase-php
<?php
require_once(dirname(__FILE__) . '/../lib/Coinbase.php');
// Create an application at https://coinbase.com/oauth/applications and set these values accordingly
$_CLIENT_ID = "83a481f96bf28ea4bed1ee8bdc49ba4265609efa40d40477c2a57e913c479065";
$_CLIENT_SECRET = "a8dda20b94d09e84e8fefa5e7560133d9c5af9da93ec1d3e79ad0843d2920bbb";
// Note: your redirect URL should use HTTPS.
$_REDIRECT_URL = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
$coinbaseOauth = new Coinbase_OAuth($_CLIENT_ID, $_CLIENT_SECRET, $_REDIRECT_URL);
if(isset($_GET['code'])) {
// Request tokens
$tokens = $coinbaseOauth->getTokens($_GET['code']);
// The user is now authenticated! Access and refresh tokens are in $tokens
// Store these tokens safely, and use them to make Coinbase API requests in the future.
// For example:
$coinbase = new Coinbase($coinbaseOauth, $tokens);
try {
echo 'Balance: ' . $coinbase->sendMoney($to, $amount, $notes=null, $userFee=null, $amountCurrency=null) . '<br>';
echo $coinbase->createButton("Alpaca socks", "10.00", "CAD")->embedHtml;
} catch (Coinbase_TokensExpiredException $e) {
$newTokens = $coinbaseOauth->refreshTokens($tokens);
// Store $newTokens and retry request
}
} else {
// Redirect to Coinbase authorization page
// The provided parameters specify the access your application will have to the
// user's account; for a full list, see https://coinbase.com/docs/api/overview
// You can pass as many scopes as you would like
echo "Connect with Coinbase";
}
Here is the send money code
public function sendMoney($to, $amount, $notes=null, $userFee=null, $amountCurrency=null)
{
$params = array( "transaction[to]" => $to );
if($amountCurrency !== null) {
$params["transaction[amount_string]"] = $amount;
$params["transaction[amount_currency_iso]"] = $amountCurrency;
} else {
$params["transaction[amount]"] = $amount;
}
if($notes !== null) {
$params["transaction[notes]"] = $notes;
}
if($userFee !== null) {
$params["transaction[user_fee]"] = $userFee;
}
return $this->post("transactions/send_money", $params);
}
My code was working just fine a couple days ago. Then, all of a sudden, BAM: it stopped working. My PUTs stopped going through, with a SignatureDoesNotMatch error. Help?
require_once 'Crypt/HMAC.php';
require_once 'HTTP/Request.php';
function uploadFile($path_to_file, $store_file_as, $bucket, $debugmode = false) {
$S3_URL = "http://s3.amazonaws.com/";
$filePath = $path_to_file;
$contentType = 'audio/mpeg';
$keyId = 'THISISMYKEY, YES I DOUBLE CHECKED IT';
$secretKey = 'THIS IS MYSECRET, YES I DOUBLED CHECKED IT';
$key = $store_file_as;
$resource = $bucket . "/" . $key;
$acl = "public-read";
$verb = "PUT";
$httpDate = gmdate("D, d M Y H:i:s T");
$stringToSign = "PUT\n\naudio/mpeg\n$httpDate\nx-amz-acl:$acl\n/$resource";
$hasher =& new Crypt_HMAC($secretKey, "sha1");
$str = $hasher->hash($stringToSign);
$raw = '';
for ($i=0; $i < strlen($str); $i+=2) {
$raw .= chr(hexdec(substr($str, $i, 2)));
}
$signature = base64_encode($raw);
$req =& new HTTP_Request($S3_URL . $resource);
$req->setMethod('PUT');
$req->addHeader("content-type", $contentType);
$req->addHeader("Date", $httpDate);
$req->addHeader("x-amz-acl", $acl);
$req->addHeader("Authorization", "AWS " . $keyId . ":" . $signature);
$req->setBody(file_get_contents($filePath));
$req->sendRequest();
echo $req->getResponseBody();
}
Run your signature against the Amazon S3 JavaScript signature tester.
If the two signatures do not match, you know something is wrong with the keys or signing procedure.
If the two match, your keys and signing process are correct and the problem is somewhere else.
The JS tester is invaluable for troubleshooting signature generation problems.