Coinbase API - Having trouble with the signature in API requests - http-post

I'm having trouble using the API to send money from one set account into another account via email address for off-chain transactions. There's probably a simple solution to this but I haven't found anything that has worked for me yet despite reading other questions here, basically whenever I make an API request to send money it has an error 401 saying invalid signature.
Following the instructions on the developers page I am making a POST request to the API, and am authenticating the request using an API Key. Everything seems to be working other than the HMAC sha256 signature.
For example let's say that my API key is abc123def456ghi0 and the API secret is 123qwertyuiopasdfghjklzxcvbnm456. Epoch time is 12345678, the method is of course POST, the email I want to send Bitcoin to is me#example.com, the amount is 0.00000015BTC and wallet/account ID is 2bbf394c-193b-5b2a-9155-3b4732659ede.
I make a POST request to https://api.coinbase.com/v2/accounts/2bbf394c-193b-5b2a-9155-3b4732659ede/transactions and set the body to type=send&to=me#example.com&amount=0.00000015&currency=BTC
This works fine, the issue I'm having is with the sha256 signature in the header. I'm able to set CB-ACCESS-KEY to abc123def456ghi0 and CB-ACCESS-TIMESTAMP to 12345678, and I'm able to create sha256 signatures easily and sign them with my secret key, I just think I'm putting the wrong text in
Now I have some variables:timestamp: 12345678method: POSTrequestPath: /v2/accounts/1dcea380-77e6-5fd4-8a5b-28c41be39a57/transactionsbody: type=send&to=me#example.com&amount=0.00000015&currency=BTC
On the developers page it says to join the timestamp, method, request path and body in the message. I'm doing this and signing it with my secret key but I still get an error. I'm just a hobbyist so don't have much experience, this is the message I have: 12345678POST/v2/accounts/2bbf394c-193b-5b2a-9155-3b4732659ede/transactionstype=send&to=me#example.com&amount=0.00000015&currency=BTC and then I sign it with my secret key 123qwertyuiopasdfghjklzxcvbnm456
There must be something simple I'm missing, I know all the variables are being joined properly so maybe I have a / somewhere there isn't supposed to be or maybe I need to switch something around, I just know there's a simple solution to this so if anyone could help it would be greatly appreciated.

Sorry - turns out my HMAC sha256 encoder was also encoding into base64. I have fixed this and now it is working.

Related

Login via hooks

I'm currently developing an application where holders can see historical data of their NFT's. All code is in place, but I'm still looking for a way to securely verify their ownership of a certain NFT.
There is the possibility to extend one of the dApp examples in the Elrond docs, but I'm not that familiair to React or NodeJS, so I'm trying to build this in PHP.
One thing I came across, is the login via Hooks, as used by the Maiar Exchange.
https://docs.elrond.com/wallet/webhooks/#login-hook
However, the Callback URL can be accessed manually by users, so this can give people Unauthorized access to my application.
Now, there is an undocumented extra parameter token I can pass to the Login hook (as used by Maiar Exchange). I know I can fetch a valid token by sending a POST request to 'https://id.maiar.com/api/v1/login/init'. This will give back a token I can append to the Callback URL. By doing so, the Callback URL will receive an appended signature parameter. I feel like I'm almost there, but the question is: How can I interpret this signature and how can I use this signature to verify if the returned response was valid and belongs to the given token/address? How was this signature is generated?
Also, I feel like it would be very nice if there was some sort of OAuth implementation for Elrond, but since it isn't there, I'm trying this approach.

Docusign login Bad Request

Using the Ruby DocuSign API I keep getting a bad request when executing the login code published on the Git readme and only providing the required parameters.
The response I am getting is:
ETHON: Libcurl initialized
ETHON: performed EASY effective_url=https://account-d.docusign.com/oauth/token response_code=400 return_code=ok total_time=0.436539
DocuSign_eSign::ApiError: Bad Request
from /home/dev/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/docusign_esign-1.0.0/lib/docusign_esign/api_client.rb:66:in `call_api'
from /home/dev/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/docusign_esign-1.0.0/lib/docusign_esign/api_client.rb:410:in `configure_jwt_authorization_flow
Any assistance would be greatly appreciated.
I actually had the same issue and I spoke to the person managing the Ruby API SDK:
https://github.com/docusign/docusign-ruby-client
It seems like what happened for me was that the user consent was missing a scope:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=https://docusign.com
Originally I only had signature in my scope, as I was following the example on the documentation page.
Then I changed the user_id from email to the actual key. (It says email or key for the user ID on the admin dashboard but email didn't work for me)

Codeigniter restfull api with digest password Issue

I am using Restful api in CodeIgniter. Now I want to give api to third party, so I want to secure that api I am using digest, when I hit the api
in the browser a pop up comes which ask about username and password.
So I want to ask how to pass username and password in url to that it works.
Thank you in advance and sorry for the bad English
This doesn't directly answer you question but it does provide an alternative.
In my experience with API's you secure them with a HMAC. This is basically a hash that is generated using some data unique to the request, a timestamp and a private key. This hash along with the data used to create it will be passed to your API - NOT the private key - this data can all be sent in the headers of the request. When your API gets this data is uses the unique data, the timestamp and the private key to create another hash. The hash from the header and the newly created one are then compared. If they match you can be sure that the same private key was used to generate them. This saves sending any usernames/passwords over the internet.
I would also recommend that your server is setup to only serve HTTPS, this will help prevent man in the middle attacks.
This is a library that I have written for this very purpose.
https://packagist.org/packages/mardy-git/hmac
I hope this helps.

Twitter OAuth - Incorrect signature errors - what have I missed?

I have read the page on implementing OAuth that Twitter have written. I've registered my app, it will only access my account, so I skip all the request token stuff. I have, from the "Your apps" page:
consumer token
consumer token secret
access token
access token secret
I write some ruby code and test its output against Beginner’s Guide to OAuth (suggested reading in the Twitter docs). I get the same output, i.e. the signature, the base string and the Authorization headers are identical.
However, when I connect to the Twitter Rest API and try the verify credentials command the response is invariably "Incorrect signature".
I try using different code (very similar to mine) from a gist by erikeldridge on github but it doesn't work either. Instead of connecting via cURL (using the curb library) I use Net/Http - same error response is returned.
I change over to using the OAuth gem. It uses Net/Http to connect. Same error response comes back.
Verify credentials isn't the only command I've tried to use in the API, but they all give the same error, whether it's GET or POST, requires extra params or not. I've been using the Search API successfully using the curb library without problems so I don't think it's the connection method.
What might I do to fix this?
Ruby 1.9.2; cURL 7.21.2; oauth 0.4.4; curb 0.7.8; json 1.4.6; OSX 10.6.5;
Even though your application is only accessing your data, you can't simply 'skip the request token stuff'. The request token is integral to the OAuthentication process.
Summarised, the 3 main parts of the OAuth process are as follows:
Get Request Token Key and Request Token Secret
Use Request Token to authorise application to access your data. This will provided the user(you) with a PIN
Use the PIN to exchange the Request Token and Secret for an Access Token and Secret.
A more detailed OAuthentication flow can be found here.
It's fixed - I regenerated the Consumer key and secret on the Twitter site and it started working. I've no idea why the previous set didn't work - the code was solid (works all the time now) and the details were correct. Perhaps they (Twitter) could provide more detailed error messages? But I'm happy :)

Twitter OAuth Request Token Using Grackle

I am currently trying to use the Grackle Ruby GEM to integrate with the Twitter API, but I have encountered a little snag.
I am attempting to perform a GET to twitter.com/oauth/request_token, but according to the OAuth spec I need to provide the following values:
oauth_consumer_key
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
I am a little stumped, as at this point Twitter has only given me a Consumer Key and a Consumer Secret. Am I just going about this the hard way? Because I cannot figure out how to correctly populate those values. No matter what I supply Twitter keeps returning:
Failed to validate oauth signature and
token
It sounds like my problem is just a general misunderstanding on how to properly integrate with Twitter and OAuth in general, and not so much the specifics of Grackle... but perhaps too much information is best in this case :-)
First of all, you should probably be reading the latest OAuth rev, which is 1.0a. There are no differences when obtaining the request token though so you should be fine in that regard.
Apart from that, it looks like a combination of general misunderstanding of the OAuth process and the scope of Grackle:
The process of acquiring the access
token and token secret are outside the
scope of Grackle and will need to be
coded on a per-application # basis.
Grackle comes into play once you've
acquired all of the above pieces of
information (source).
So, I would first look towards a library that can get you an access token before continuing with Grackle. Moomerman's twitter_oauth looks like a good choice: http://github.com/moomerman/twitter_oauth
Hope that helps!
I encountered this same issue, and all the examples for the oauth gem online I could find were out of date. I wrote an explanation with sample code here, but the basic flow is:
Get a Request Token from Twitter and save the details
Send the user to Twitter with that token
Get the user back, use details and response from Twitter to generate an Access Token
Use the Access Token's token and secret with your Consumer token and secret to make API calls.

Resources