Mediafire api call Signature(session token 2) - api

i don't see any post related to generating a call signature(session token 2) using mediafire api.So , here is my question.
I am trying to use the get_info api to get the user information but i am having a problem generating a call signature(Session token 2).
I am reading the documentation given here where it says to generate the call signature we need the formula
The signature = the Message-Digest (MD5) of the 'secret_key' modulo 256 + 'time' + the URI of the API call.
I have the secret_key and time which i got from calling get_session_token api.The problem lies (i guess) in the URI of the API call.
In my case , i wanted to call the get_info api , so i replace the URI with "/api/user/get_info.php" .But i got error saying i have invalid signature.What am i doing wrong here?

signature = sha1(email + password + application_id + API_Key)
i see that in here: https://github.com/MediaFire/mediafire-php-open-sdk/blob/master/mflib.php

Related

How to use the AddAuthparameter procedure?

I have to add an authorization to a REST request in Delphi.
Can someone give me an example how should it call the AddAuthParameter procedure?
I am doing this code in an onclick event of a button :
authjo, auth1, auth2, auth3, auth4, auth5, auth6, auth7, auth8, auth9, auth10 : string;
authjo := auth1 + auth2 + auth3 + auth4 + auth5 + auth6 + auth7 + auth8 + auth9 + auth10 ;
Restrequest4.AddAuthParameter('Authorization',authjo,TRESTRequestParameterKind.pkHTTPHEADER);
Restrequest4.Execute;
But this does not use thes the Authorization token 'authjo' and i don't know why.
I must have Authorization like this "Authorization Bearer :token" am i not constructing well in the code ?
If the authentication expects a Bearer token, you must add that to your call:
Restrequest4.AddAuthParameter('Authorization','Bearer ' + authjo,TRESTRequestParameterKind.pkHTTPHEADER);
Having messed around with Delphi to access an API (In my case Trakt), I managed to authenticate with OAuth2. But I ran into the very same problem as you did.
I have just asked my question here:
Accessing TRAKT API from Delphi - issues with Bearer authentication [SOLVED]
As I understand it, the root cause it that adding headers like we do, will create a parameter entry that is "Authorize=Bearer [token]" whereas it should be "Authorize:Bearer [token]".
See here:
How to add a "Authorization=Bearer" header with Indy in Delphi?
I have managed to mitigate the issue and would like to reference to that thread.
Also, the tool Fiddler was most helpful to see what my app actually sent and what it got back.

Problems Connecting to MtGox API 2 with Python

I am writing a trading program that I need to connect to MtGox (a bitcoin exchange) through the API v2. But I keep getting the following error:
URL: 1 https://data.mtgox.com/api/2/BTCUSD/money/bitcoin/address
HTTP Error 403: Forbidden.
Most of my script is a direct copy from here (that is a pastebin link). I just had to change it to work with Python 3.3.
I suspect that it has to do with the part of script where I use base64.b64encode. In my code, I have to encode my strings to utf-8 to use base64.b64encode:
url = self.__url_parts + '2/' + path
api2postdatatohash = (path + chr(0) + post_data).encode('utf-8') #new way to hash for API 2, includes path + NUL
ahmac = base64.b64encode(str(hmac.new(base64.b64decode(self.secret),api2postdatatohash,hashlib.sha512).digest()).encode('utf-8'))
# Create header for auth-requiring operations
header = {
"User-Agent": 'Arbitrater',
"Rest-Key": self.key,
"Rest-Sign": ahmac
}
However, with the other guy's script, he doesn't have too:
url = self.__url_parts + '2/' + path
api2postdatatohash = path + chr(0) + post_data #new way to hash for API 2, includes path + NUL
ahmac = base64.b64encode(str(hmac.new(base64.b64decode(self.secret),api2postdatatohash,hashlib.sha512).digest()))
# Create header for auth-requiring operations
header = {
"User-Agent": 'genBTC-bot',
"Rest-Key": self.key,
"Rest-Sign": ahmac
}
I'm wondering if that extra encoding is causing my header credentials to be incorrect. I think this is another Python 2 v. Python 3 problem. I don't know how the other guy got away without changing to utf-8, because the script won't run if you try to pass a string to b64encode or hmac. Do you guys see any problems with what I am doing? Is out code equivalent?
This line specifically seems to be the problem -
ahmac = base64.b64encode(str(hmac.new(base64.b64decode(self.secret),api2postdatatohash,hashlib.sha512).digest()).encode('utf-8'))
To clarify, hmac.new() creates an object to which you then call digest(). Digest returns a bytes object such as
b.digest()
b'\x92b\x129\xdf\t\xbaPPZ\x00.\x96\xf8%\xaa'
Now, when you call str on this, it turns to
b'\\x92b\\x129\\xdf\\t\\xbaPPZ\\x00.\\x96\\xf8%\\xaa'
So, see what happens there? The byte indicator is now part of the string itself, which you then call encode() on.
str(b.digest()).encode("utf-8")
b"b'\\x92b\\x129\\xdf\\t\\xbaPPZ\\x00.\\x96\\xf8%\\xaa'"
To fix this, as turning bytes into a string back into bytes was unnecessary anyhow(besides problematic), I believe this will work -
ahmac = base64.b64encode(hmac.new(base64.b64decode(self.secret),api2postdatatohash,hashlib.sha512).digest())
I believe you are likely to find help in a related question of mine although it deals with the WebSocket API:
Authenticated call to MtGox WebSocket API in Python 3
Also, the HTTP 403 error seems to indicate that there is something fundamentally wrong with the request. Even if you threw the wrong authentication info at the API you should have gotten an error message as a response and not a 403. My best guess is that you are using the wrong HTTP method so check if you are using the appropriate one (GET/POST).

Security for a REST based API

I have been looking at techniques to secure an API for use in an android/iphone app or website application.
I have found one technique which I like but am unsure about if it is a good or what is wrong with it (aside from being a pritty long process).
Processing (users side initially):
First a salt is created by hashing the users password.
Then a signature is created by hashing the requested url (with username appended on the end via a query string) and the salt.
Lastly a token is created by hashing the username and the signature.
The token is passed inside a header to the server (everytime).
First Request:
The first request must be for the validate endpoint and include the device_id as a query string.
The same processing (as above) is done on the server and if the token matches that sent from the user than the device_id is stored in the database and is assigned to that username for future reference (the device id is found in the requested url) and is used to verify the username/device thereafter.
All subsequent requests:
The processing must take place on the users end and servers end for every request now with the token being different everytime (as the requested url changes).
No code is included as it is not written yet.
Your authentication model is a shared secret authentication. In your case your user's password serves as the shared secret. You need to ensure you have a secure way for getting the password to the user and server ahead of time. In order to sign the request you create a message with all your request headers and data. Then hash that request. Then that hash (token) will be passed with the request. The server will perform the same signing and hashing process on the server and ensure the tokens match.
In your example your sound like you want to create the token with this pseudo code:
Token = hmac-sha1( Hash(Pasword + Salt) + RequestUrl + UserName )
Your way is not bad but I would compare your method to Amazon's REST Auth model and implement a closer version of what they have detailed. http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
Their implementation:
"Authorization: AWS " + AWSAccessKeyId + ":" + base64(hmac-sha1(VERB + "\n"
+ CONTENT-MD5 + "\n"
+ CONTENT-TYPE + "\n"
+ DATE + "\n"
+ CanonicalizedAmzHeaders + "\n"
+ CanonicalizedResource))
They have good reasons for including some fields that you have left out, including but not limited to:
The timestamp is to prevent replay attacks.
The content-MD5 is to prevent prevents people tampering with the request data (relevant to
POST and PUTS)

FB error:Expected 1 '.' in the input between the postcard and the payload

I have finished my app and then tried it on 3 FB accounts and it was ok,
but the 4th have a permanent error (it cannot get an access token):
com.restfb.exception.FacebookOAuthException: Received Facebook error response of type OAuthException: Expected 1 '.' In the input between the postcard and the payload.
I tried to remove the app and install it again on this account a few times and nothing changed.
I use Java and restFB client.
This is the code where i get the access token:
if (request.getParameter("code") != null) {
String code = request.getParameter("code");
String url = "https://graph.facebook.com/oauth/access_token?"
+ "client_id=" + clientId + "&" + "client_secret="
+ clientSecret + "&" + "code=" + code + "&" + "redirect_uri="
+ redirectURL +"&type=web_server";
String accessToken=readUrl(url).split("&")[0].replaceFirst("access_token=", "");
//....
}
I saw here someone with the same error, he said that the solution was:
replacing "|" with "%257C" which made my access token invalid"
I couldn't really understand what he means.
Embarrassing as it is -- I'll be honest in case it helps someone else:
When I got this error message, I had accidentally copy/pasted a Google access_token (e.g. ya29.A0A...) into a Facebook graph API route. :)
It's probably worth logging the response to the /oauth/access_token request and the value you extract for use as the access token.
For the account that doesn't work, check whether the /oauth/access_token response includes other parameters before access_token. IIRC I've seen responses like
expiry=86400&access_token=AAAxxxx
Check to ensure you are verifying the "code" parameter returned by Facebook before signing the request, not the "access token". That was the mistake I made.
I experience the same issue, and after debugging my only conclusion was that when this message is thrown it might just be the token is expired or invalid. Checking with a freshly generated token should not throw this error.

Android HttpGet Url causes "Illegal Character at Index 110" error

I'm trying to instantiate an HttpGet Object so that I can send a get request to the foursquare api. However, every time I attempt this, (and I've tried it with several different tokens) I get the following error:
java.lang.IllegalArgumentException: Illegal character in query at index 110: https://api.foursquare.com/v2/users/self/checkins?oauth_token=VIHXZZH1ZEXTXOYDFRHHWF42YREWKMNTABDTTVMMF3CSYTKW
It's in the format https://api.foursquare.com/v2/users/self/checkins?oauth_token=OAUTH_TOKEN. You can see my code below. Thanks in advance.
String checkinsUrl = "https://api.foursquare.com/v2/users/self/checkins";
String authUrl = checkinsUrl + "?oauth_token=" + this.token;
HttpGet getMethod = new HttpGet(authUrl);
This was actually just me being stupid. Foursquare sends back a code with is not the access token. You must then make an httpget with that code in order to get the access token.