I'm having trouble with the all-too-common oAuth "invalid signature" issue.
My language is PHP the API I'm trying to interact with is Flickr.
My goal is to call the flickr.contacts.getList method. I'm able to call this method without any problems, as long as I don't pass any arguments with my API call. As soon as I add in an argument (e.g., page), my oAuth signature gets invalidated.
For the most part, I'm leveraging someone else's code to do just about everything (see this blog post). As a result, I don't fully understand how the oAuth signature is getting built and how it is also getting invalidated. This is where I need some help.
The code directly below WORKS just fine. Note that I am NOT passing the page argument.
$mt = microtime();
$rand = mt_rand();
$oauth_nonce = md5($mt . $rand);
$nonce = $oauth_nonce;
$sig_method = "HMAC-SHA1";
$timestamp = gmdate('U');
$oversion = "1.0";
$request_token_url = 'http://api.flickr.com/services/rest';
$basestring = "format=json&method=flickr.contacts.getList&nojsoncallback=1&oauth_consumer_key=".$consumer_key."&oauth_nonce=".$nonce."&oauth_signature_method=".$sig_method."&oauth_timestamp=".$timestamp."&oauth_token=".$oauth_key."&oauth_version=".$oversion;
$baseurl = "GET&".urlencode($request_token_url)."&".urlencode($basestring);
$hashkey = $consumer_secret."&".$oauth_secret;
$oauth_signature = base64_encode(hash_hmac('sha1', $baseurl, $hashkey, true));
$fields = array
(
'method'=>'flickr.contacts.getList',
'oauth_nonce'=>$nonce,
'oauth_timestamp'=>$timestamp,
'oauth_consumer_key'=>$consumer_key,
'oauth_signature_method'=>$sig_method,
'oauth_version'=>$oversion,
'oauth_signature'=>$oauth_signature,
'nojsoncallback'=>'1',
'format'=>'json',
);
$fields_string = "";
foreach($fields as $key=>$value)
{
$fields_string .= "$key=".urlencode($value)."&";
}
$fields_string = rtrim($fields_string,'&');
$url = $request_token_url."?".$fields_string;
#Make Flickr API call.
$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
curl_close($ch);
The code directly below DOES NOT WORK, as I get an "invalid signature" response from Flickr. Note that this time I am passing the page argument.
$mt = microtime();
$rand = mt_rand();
$oauth_nonce = md5($mt . $rand);
$nonce = $oauth_nonce;
$sig_method = "HMAC-SHA1";
$timestamp = gmdate('U');
$oversion = "1.0";
$request_token_url = 'http://api.flickr.com/services/rest';
$basestring = "format=json&method=flickr.contacts.getList&page=1&nojsoncallback=1&oauth_consumer_key=".$consumer_key."&oauth_nonce=".$nonce."&oauth_signature_method=".$sig_method."&oauth_timestamp=".$timestamp."&oauth_token=".$oauth_key."&oauth_version=".$oversion;
$baseurl = "GET&".urlencode($request_token_url)."&".urlencode($basestring);
$hashkey = $consumer_secret."&".$oauth_secret;
$oauth_signature = base64_encode(hash_hmac('sha1', $baseurl, $hashkey, true));
$fields = array
(
'method'=>'flickr.contacts.getList',
'oauth_nonce'=>$nonce,
'page'=>'1',
'oauth_timestamp'=>$timestamp,
'oauth_consumer_key'=>$consumer_key,
'oauth_signature_method'=>$sig_method,
'oauth_version'=>$oversion,
'oauth_token'=>$oauth_key,
'oauth_signature'=>$oauth_signature,
'nojsoncallback'=>'1',
'format'=>'json',
);
$fields_string = "";
foreach($fields as $key=>$value)
{
$fields_string .= "$key=".urlencode($value)."&";
}
$fields_string = rtrim($fields_string,'&');
$url = $request_token_url."?".$fields_string;
#Make Flickr API call.
$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
curl_close($ch);
The only difference between the first and the second code sample is that I have added in an argument. I've done lots of testing, and this issue has nothing to do with the order in which the argument is passed (order doesn't seem to affect the signature). In addition, I've tried other Flickr API methods, and they all exhibit the same behavior (so this issue is not specific to this particular Flickr method).
I figured it out. Order does matter.
In the example above, to add on the page argument, you must add it on at the end of the $basestring variable, like so:
$basestring = "format=json&method=flickr.contacts.getList&page=1&nojsoncallback=1&oauth_consumer_key=".$consumer_key."&oauth_nonce=".$nonce."&oauth_signature_method=".$sig_method."&oauth_timestamp=".$timestamp."&oauth_token=".$oauth_key."&oauth_version=".$oversion."$page=1";
Order does not seem to matter when defining the $fields array.
Related
I am trying to integrate zoho with my web app. I am making an api call to get a particular invoice. The call as per documentation is
'https://books.zoho.com/api/v3/invoices/INV_ID?organization_id=XXXXXXXX'
This works fine as well. But when I set a variable for INVOICE ID, it returns all the invoices. (200 INVOICES) The call is below.
'https://books.zoho.com/api/v3/invoices/' .$inv_id. '?organization_id=XXXXXXXX';
where I am making the mistake? The method is below.
$zid = '';
if(isset($_POST['_zid'])){
$zid = $_POST['_zid'];
}
get_invoice($access_token, $zid);
function get_invoice($access_token, $zid){
$invid = $zid;
$service_url = $GLOBALS['service_url'] . 'https://books.zoho.com/api/v3/invoices/' .$invid. '?organization_id=XXXXXXXXX';
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_URL, $service_url);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Authorization: Zoho-oauthtoken '. $access_token,
'Content-Type: "application/json"'));
$res = curl_exec($ch);
curl_close($ch);
$dec_res = array();
$dec_res = json_decode($res, true);
print_r($dec_res);
}
Everything is fine except a small thing. I didn't think of Array Declaration. The working call is straightly given an integer as the invoice_id. when I pass the variable declared as a string. so although the digits it is counted as a string which makes the call invalid.
//THIS WILL DO THE TRICK
$zid = 0;
if(isset($_POST['_zid'])){
$zid = $_POST['_zid'];
}
I'm trying to use the Gravity Forms Web API to update an entry, this is the php code I have at the moment.
<?php
$api_key = '';
$private_key = '';
$method = 'PUT';
$endpoint = 'https://www.website.co.uk/gravityformsapi/';
//$route = 'entries';
$route = 'entries/61';
$expires = strtotime('+60 mins');
$string_to_sign = sprintf('%s:%s:%s:%s', $api_key, $method, $route, $expires);
$sig = calculate_signature($string_to_sign, $private_key);
$api_call = $endpoint.$route.'?api_key='.$api_key.'&signature='.$sig.'&expires='.$expires;
//array of entries (each entry is an array with key=field id)
$entries = array(
array("status"=>"active","1.3"=>$_POST['first_name'],)
);
$ch = curl_init($api_call);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($entries));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, 1);
$result = curl_exec($ch);
function calculate_signature($string, $private_key) {
$hash = hash_hmac("sha1", $string, $private_key, true);
$sig = rawurlencode(base64_encode($hash));
return $sig;
};
?>
The response I'm getting is that is successfully updated the post, but instead of updating the post, it seems to delete the post. Can anyone see anything wrong with my code? If I refresh the page of the entry I edited on Wordpress I get this error.
Fatal error: Cannot use object of type WP_Error as array in /data02/c6536622/public_html/wp-content/plugins/gravityforms/entry_detail.php on line 57
Is there anyway to get a log to find out what's going wrong using Gravity Forms, or WordPress?
As you're updating a single entry just send the one entry instead of the collection. Also, send the whole entry or you'll end up deleting all the values for the missing fields.
I am currently using the following code:
<?php
/* Pre-requisite: Download the required PHP OAuth class from http://oauth.googlecode.com/svn/code/php/OAuth.php. This is used below */
require("OAuth.php");
$url = "https://yboss.yahooapis.com/geo/placespotter";
$cc_key = "MY_KEY";
$cc_secret = "MY_SECRET";
$text = "EYES ON LONDON Electric night in 100-meter dash";
$args = array();
$args["documentType"] = urlencode("text/plain");
$args["documentContent"] = urlencode($text);
$consumer = new OAuthConsumer($cc_key, $cc_secret);
$request = OAuthRequest::from_consumer_and_token($consumer, NULL,"POST", $url,$args);
$request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $consumer, NULL);
$url = sprintf("%s?%s", $url, OAuthUtil::build_http_query($args));
$ch = curl_init();
$headers = array($request->to_header());//.',Content-Length: '.strlen($text));
//print_r($headers.',Content-Length: '.strlen($text));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// somehow this line is not solving the issue
// curl_setopt($ch,CURLOPT_HTTPHEADER,array('Content-Length:'.strlen($text)));
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$rsp = curl_exec($ch);
print_r($rsp);
//echo "======= ENDING";
?>
With my own access keys and all, with the OAuth.php library.
Somehow I kept getting a Content-Length undefined error.
If I were to attempt to define Content-Length like this ( based on some answers seen here on StackOverFlow:
curl_setopt($ch,CURLOPT_HTTPHEADER,array('Content-Length:'.strlen($text)));
I do not get any response.
May I know how can this issue be solved?
Thanks!
PS: the php example comes from the official example: https://gist.github.com/ydn/bcf8b301125c8ffa986f#file-placespotter-php
LATEST EDIT
I've updated my code based on #alexblex's comment
<?php
/* Pre-requisite: Download the required PHP OAuth class from http://oauth.googlecode.com/svn/code/php/OAuth.php. This is used below */
require("OAuth.php");
$url = "https://yboss.yahooapis.com/geo/placespotter";
$cc_key = "MY_KEY";
$cc_secret = "MY_SECRET";
$text = "EYES ON LONDON Electric from Singapore Raffles Place";
$args = array();
$args["documentType"] = urlencode("text/plain");
$args["documentContent"] = urlencode($text);
$args["outputType"] = "json";
$consumer = new OAuthConsumer($cc_key, $cc_secret);
$request = OAuthRequest::from_consumer_and_token($consumer, NULL,"PUT", $url, $args);
$request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $consumer, NULL);
$url = sprintf("%s?%s", $url, OAuthUtil::build_http_query($args));
$ch = curl_init();
$headers = array($request->to_header());//.',Content-Length: '.strlen($text));
//$headers = array($request->to_header().',Content-Length="'.strlen($text).'"');
//$headers = array($request->to_header().',Content-Length: 277');
print_r($headers);
//print_r($headers.',Content-Length: '.strlen($text));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request->to_postdata());
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$rsp = curl_exec($ch);
echo "\n\n\n\n";
var_dump($rsp);
//print_r($rsp);
?>
Currently, this new code returns a
{"bossresponse":{"responsecode":"500","reason":"non 200 status code
from backend: 415"}
error.
You send no POST data, hence no Content-Length being sent. To make a correct curl request you need to specify which data you like to send. In your case it is likely to be:
curl_setopt($ch, CURLOPT_POSTFIELDS, $request->to_postdata());
IF it should be a POST request. The PlaceSpotter docs reads:
The PlaceSpotter Web service supports only the HTTP PUT method. Other HTTP methods are not supported.
So I assume it should be PUT method instead:
$request = OAuthRequest::from_consumer_and_token($consumer, NULL,"PUT", $url,$args);
....
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
EDIT for 415 response code
It may be an issue with double urlencodeing.
Try to set arguments as unencoded text:
$args["documentType"] = "text/plain";
$args["documentContent"] = $text;
As per RFC-2616 Content-Type header indicates the size of the entity-body without headers. So if you would like to make POST requests without entity-body you should specify Content-Length: 0. Give this a try.
I have little trouble when i try to use bitcoin exchange API via python.
I have example function in PHP:
function bitmarket_api($method, $params = array())
{
$key = "my_key";
$secret = "my_secret";
$params["method"] = $method;
$params["tonce"] = time();
$post = http_build_query($params, "", "&");
$sign = hash_hmac("sha512", $post, $secret);
$headers = array(
"API-Key: " . $key,
"API-Hash: " . $sign,
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_URL, "https://www.bitmarket.pl/api2/");
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
$ret = curl_exec($curl);
return json_decode($ret);
}
And it is my python implementation:
def bitmarket_api(method, params):
key = 'my_key'
secret = 'my_secret'
url = 'https://www.bitmarket.pl/api2/'
params['method'] = method
params['tonce'] = timestamp()
post = urllib.urlencode(params)
sign = base64.b64encode(str(HMAC(secret, post, sha512).digest()))
headers = {}
headers['API-Key:'] = key
headers['API-Hash:'] = sign
req = urllib2.Request(url, post, headers)
res = urllib2.urlopen(req, post)
return json.load(res)
So, when i try to to invoke info method (or other method) i get 'Invalid API key' error.
I was looking for solution, and i was trying several other approach with no succes.
Can u guys help me? I think problem can be in headers...
Please excuse my poor English. I try to do my best, but I'm still making mistakes.
Use the Python HMAC Auth lib with Requests lib
https://github.com/bazaarvoice/python-hmac-auth
Nice and tidy to let your build your client without too much trouble.
I'm having a lot of trouble integrating Sagepay InFrame Server with PHP, as there are no integration kits available for the new protocol (v3). I have the old kits for v2.23 but much of the code therein is deprecated.
At the moment the only way i have been successful in retrieving an OK status from the Sagepay Server servers is to have a form with the collection of hidden values required by Sagepay, including the cryptography field, and using the server URL as the form action. This gives me a status of 'OK' and the SecurityKey etc in the browser tab, but its not much use in the browser tab as i need that POST response back on my server, not on theirs.
For this i opted for curl. I hold the return values for curl_exec in a variable called $rawresponse, and dump the response after each attempt, and as it stands $rawresponse is returning as a false boolean:
$curlSession = curl_init();
curl_setopt ($curlSession, CURLOPT_URL, $url);
curl_setopt ($curlSession, CURLOPT_HEADER, 0);
curl_setopt ($curlSession, CURLOPT_POST, 1);
$data['Crypt'] = new CurlFile('filename.png', 'image/png', 'filename.png');
curl_setopt ($curlSession, CURLOPT_POSTFIELDS, $data);
curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,1);
curl_setopt($curlSession, CURLOPT_TIMEOUT,30);
curl_setopt($curlSession, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 0);
$rawresponse = curl_exec($curlSession);
Now as you can see here I am having to force the Crypt value to be of type CurlFile, which is what i think is breaking the request, however if i dont do that i get the following error:
"The usage of the #filename API for file uploading is deprecated. Please use the CURLFile class instead"
I can only ascertain from this that the cryptography is being mistaken for a file (possibly because the string starts with #), and to counter this im trying to force it to be an image.
So my question is this - is there a particular way to use CurlFile so cryptography strings can be understood? Is there a better way of integrating this functionality with Sagepay that anyone knows about? It really is a very confusing system, and the good documentation is let down by a complete lack of example.
Apologies for this, I was building the string the wrong way. Just in case anyone has a similar problem in the future i'll paste the code that works for me:
public function registerTransaction()
{
$VPSProtocol = urlencode($_POST['VPSProtocol']);
$TxType = urlencode($_POST['TxType']);
$Vendor = urlencode($_POST['Vendor']);
$VendorTxCode = urlencode($_POST['VendorTxCode']);
$Currency = urlencode($_POST['Currency']);
$Amount = urlencode($_POST['Amount']);
$NotificationURL = urlencode($_POST['NotificationURL']);
$Description = urlencode($_POST['Description']);
$BillingSurname = urlencode($_POST['BillingSurname']);
$BillingFirstnames = urlencode($_POST['BillingFirstnames']);
$BillingAddress1 = urlencode($_POST['BillingAddress1']);
$BillingCity = urlencode($_POST['BillingCity']);
$BillingPostCode = urlencode($_POST['BillingPostCode']);
$BillingCountry = urlencode($_POST['BillingCountry']);
$DeliverySurname = urlencode($_POST['DeliverySurname']);
$DeliveryFirstnames = urlencode($_POST['DeliveryFirstnames']);
$DeliveryAddress1 = urlencode($_POST['DeliveryAddress1']);
$DeliveryCity = urlencode($_POST['DeliveryCity']);
$DeliveryPostCode = urlencode($_POST['DeliveryPostCode']);
$DeliveryCountry = urlencode($_POST['DeliveryCountry']);
$url = "?VPSProtocol=" . $VPSProtocol;
$url .= "&TxType=" . $TxType;
$url .= "&Vendor=" . $Vendor;
$url .= "&VendorTxCode=" . $VendorTxCode;
$url .= "&Currency=" . $Currency;
$url .= "&Amount=" . $Amount;
$url .= "&NotificationURL=" . $NotificationURL;
$url .= "&Description=" . $Description;
$url .= "&BillingSurname=" . $BillingSurname;
$url .= "&BillingFirstnames=" . $BillingFirstnames;
$url .= "&BillingAddress1=" . $BillingAddress1;
$url .= "&BillingCity=" . $BillingCity;
$url .= "&BillingPostCode=" . $BillingPostCode;
$url .= "&BillingCountry=" . $BillingCountry;
$url .= "&DeliverySurname=" . $DeliverySurname;
$url .= "&DeliveryFirstnames=" . $DeliveryFirstnames;
$url .= "&DeliveryAddress1=" . $DeliveryAddress1;
$url .= "&DeliveryCity=" . $DeliveryCity;
$url .= "&DeliveryPostCode=" . $DeliveryPostCode;
$url .= "&DeliveryCountry=" . $DeliveryCountry;
$strPurchaseURL = "https://test.sagepay.com/gateway/service/vspserver-register.vsp";
$arrResponse = $this->requestPost($strPurchaseURL, $url);
dd($arrResponse);
}
public function requestPost($url, $data){
// Set a one-minute timeout for this script
set_time_limit(60);
// Initialise output variable
$output = array();
// Open the cURL session
$curlSession = curl_init();
curl_setopt ($curlSession, CURLOPT_URL, $url);
curl_setopt ($curlSession, CURLOPT_HEADER, 0);
curl_setopt ($curlSession, CURLOPT_POST, 1);
curl_setopt ($curlSession, CURLOPT_POSTFIELDS, $data);
curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,1);
curl_setopt($curlSession, CURLOPT_TIMEOUT,30);
curl_setopt($curlSession, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 2);
$rawresponse = curl_exec($curlSession);
dd($rawresponse);
//Store the raw response for later as it's useful to see for integration and understanding
$_SESSION["rawresponse"]=$rawresponse;
//Split response into name=value pairs
$response = preg_split(chr(10), $rawresponse);
// Check that a connection was made
if (curl_error($curlSession)){
// If it wasn't...
$output['Status'] = "FAIL";
$output['StatusDetail'] = curl_error($curlSession);
}
// Close the cURL session
curl_close ($curlSession);
// Tokenise the response
for ($i=0; $i<count($response); $i++){
// Find position of first "=" character
$splitAt = strpos($response[$i], "=");
// Create an associative (hash) array with key/value pairs ('trim' strips excess whitespace)
$output[trim(substr($response[$i], 0, $splitAt))] = trim(substr($response[$i], ($splitAt+1)));
} // END for ($i=0; $i<count($response); $i++)
// Return the output
return $output;
} // END function requestPost()