Missing API Signature

  • Missing API Signature

    Hello All,

    The first call api.php?api_m=api_init&clientname=vBMobile&clientversion=1.0&platformname=Android&platformversion=4.0&uniqueid=abcdef12345
    works fine and I get a proper response.

    However, I am getting {"response":{"errormessage":["invalid_api_signature","Invalid API Signature"]}} when calling login_login.

    This is the part of the URL I am using: /api.php?api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]&api_sig=[apisignature]&api_s=[apiaccesstoken]&api_c=[apiclientid]&api_v=[apiversion]

    and this is the logic for apisignature: md5( "api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]" + [apiaccesstoken] + [apiclientid] + [secret] + [apikey] )


    Any help/pointers will be greatly appreciated!

    Been stuck on this error for a few days.

    Thanks.


  • #2
    Each API request (except api.init) should be signed to make sure that the requests to different API methods in a session are made by and come from the same client. Also, the results returned by different API methods are signed to make sure that they were returned from the same vBulletin site.

    How to sign a request (in PHP):

    // The HTTP GET params for an API method
    // (without api related params except api_m. see below)
    $requestparams = array('api_m' => 'node.getNode', 'b' => 'value1', 'a' => 'value2');

    // Sort GET params by key
    ksort($requestparams);

    // $signstr = 'a=value2&api_m=node.getNode&b=value1';
    $signstr = http_build_query($requestparams);

    // The correct signature is the md5 value of $signstr + accesstoken + clientid + secret + apikey
    // (all can be fetched from api_init except apikey
    // -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
    $sign = md5($signstr.$apiaccesstoken.$apiclientid.$secret.$apikey);

    Note: Signature is the md5 hash of a string which is made up of the HTTP GET parameter string, Access Token, ClientID and Secret. The HTTP GET parameter string contains HTTP GET parameters only, in query string format, and the parameter names are in alphabetical order.

    How to verify a result (in PHP):

    // The sign value returned by the server (Authorization header)
    $sign = $_SERVER['HTTP_AUTHORIZATION'];

    $data = 'the raw JSON data returned by the server';

    // The correct signature is the md5 value of $data + accesstoken + clientid + secret (all can be fetched from api_init)
    $signtoverify = md5($data.$apiaccesstoken.$apiclientid.$secret);

    // hash_equals() compares the two strings strictly and in constant time;
    // a loose != would treat some different hex digests as equal
    if (!hash_equals($signtoverify, $sign)) {
        // Throw error msg here
    }

    Note: Every response returned by an API method contains an HTTP header named HTTP_AUTHORIZATION. The client should calculate a verification string to be compared with the value of the HTTP_AUTHORIZATION header. The verification string is the md5 value of a string which is made up of the RAW JSON data returned by the server, Access Token, ClientID and Secret. The client should verify each response returned by the server.
    Wayne Luke
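
The signing and verification steps from the reply above, as an added PHP example that is not part of the original post and is not vBulletin's own code. It follows the formula in the reply's code comment (query string + access token + client ID + secret + API key); the function names and every session value are constructed for illustration.

```php
<?php
// Added example (not vBulletin code). Function names and values are constructed.

// String to hash: the method's GET params plus api_m, sorted by key.
// api_sig, api_s, api_c and api_v are transport params and are not signed.
function vb_sign_string(array $params): string
{
    unset($params['api_sig'], $params['api_s'], $params['api_c'], $params['api_v']);
    ksort($params);
    return http_build_query($params); // values are URL-encoded before hashing
}

function vb_sign_request(array $params, array $s): string
{
    return md5(vb_sign_string($params)
        . $s['accesstoken'] . $s['clientid'] . $s['secret'] . $s['apikey']);
}

// Response check: md5 of the raw JSON body + access token + client ID + secret.
function vb_verify_response(string $rawJson, string $header, array $s): bool
{
    $expected = md5($rawJson . $s['accesstoken'] . $s['clientid'] . $s['secret']);
    return hash_equals($expected, $header); // constant-time, strict comparison
}

// Constructed session values, standing in for what api_init returns.
$s = ['accesstoken' => 'constructed-token', 'clientid' => '1',
      'secret' => 'constructed-secret', 'apikey' => 'constructed-apikey'];

// Parameters in the order they appear in the question's URL.
$params = ['api_m' => 'login_login', 'vb_login_username' => 'alice',
           'vb_login_password' => 'example password'];

// Hashing the params in URL order and hashing them sorted give different
// digests, because vb_login_password sorts before vb_login_username.
$tail = $s['accesstoken'] . $s['clientid'] . $s['secret'] . $s['apikey'];
$unsorted = md5(http_build_query($params) . $tail);
$sorted = vb_sign_request($params, $s);
echo vb_sign_string($params), "\n";
echo 'unsorted matches sorted: ', var_export($unsorted === $sorted, true), "\n";

// Full request query: signed params plus the unsigned api_* params.
$query = $params + ['api_sig' => $sorted, 'api_s' => $s['accesstoken'],
                    'api_c' => $s['clientid'], 'api_v' => 8];
echo 'api.php?', http_build_query($query), "\n";

// A constructed response body and the header a server would send for it.
$body = '{"response":{"errormessage":["badlogin"]}}';
$header = md5($body . $s['accesstoken'] . $s['clientid'] . $s['secret']);
echo 'genuine: ', var_export(vb_verify_response($body, $header, $s), true), "\n";
echo 'altered: ', var_export(vb_verify_response($body . ' ', $header, $s), true), "\n";
```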


    • #3
      Thanks!

      I was missing this step:

      // Sort GET params by key
      ksort($requestparams);

      However, after trying to call login_login forum/api.php?api_m=login_login&vb_login_username=myusername&vb_login_password=mypassword&api_sig=f443fd33bfd1af5fd24f0d946dc517fe&api_s=b0c55c8e6b8c0f7df0a21a55d61d869a&api_c=1&api_v=8

      I got badlogin error.

      {"session":{"dbsessionhash":"26fc2c710eb1ef654001072137ca7035","userid":"0"},"response":{"errormessage":["badlogin","s=26fc2c710eb1ef654001072137ca7035&api=1&","0"]}}

      Other APIs which don't need a user to be logged in worked fine! Is there anything I am missing with the login_login call? Thanks a lot!



      • #4
        http://vb5support.com/resources/mapi...Vb4_login.html
        Wayne Luke