Missing API Signature

  • PakPassion
    New Member
    • Jun 2005
    • 26
    • 3.0.7

    Missing API Signature

    Hello All,

    The first call api.php?api_m=api_init&clientname=vBMobile&clientversion=1.0&platformname=Android&platformversion=4.0&uniqueid=abcdef12345
    works fine and I get a proper response.

    However, I am getting {"response":{"errormessage":["invalid_api_signature","Invalid API Signature"]}} when calling login_login.

    This is the part of the URL I am using: /api.php?api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]&api_sig=[apisignature]&api_s=[apiaccesstoken]&api_c=[apiclientid]&api_v=[apiversion]

    and this is the logic for apisignature: md5( "api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]" + [apiaccesstoken] + [apiclientid] + [secret] + [apikey] )


    Any help/pointers will be greatly appreciated!

    Been stuck on this error for a few days.

    Thanks.

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 74132

    #2
    Each API request (except api.init) should be signed to make sure that the requests to different API methods in a session are made by and come from one and the same client. Also, the results returned by different API methods are signed to make sure that they were returned from the same vBulletin site.

    How to sign a request (in PHP):

    Code:
        // The HTTP GET params for an API method
        // (without api related params except api_m. see below)
        $requestparams = array('api_m' => 'node.getNode', 'b' => 'value1', 'a' => 'value2');

        // Sort GET params by key
        ksort($requestparams);

        // $signstr = 'a=value2&api_m=node.getNode&b=value1';
        $signstr = http_build_query($requestparams);

        // The correct signature is the md5 value of $signstr + accesstoken + clientid + secret + apikey
        // (all can be fetched from api_init except apikey
        // -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
        $sign = md5($signstr.$apiaccesstoken.$apiclientid.$secret.$apikey);

    Note: Signature is the md5 hash of a string which is made up of the HTTP GET parameter string, Access Token, ClientID and Secret. The HTTP GET parameter string contains HTTP GET parameters only, in query string format, and the parameter names are in alphabetical order.

    How to verify a result (in PHP):

    Code:
        // The sign value returned by the server (Authorization header)
        $sign = $_SERVER['HTTP_AUTHORIZATION'] ?? '';

        $data = 'the raw JSON data returned by the server';

        // The correct signature is the md5 value of $data + accesstoken + clientid + secret (all can be fetched from api_init)
        $signtoverify = md5($data.$apiaccesstoken.$apiclientid.$secret);

        // hash_equals() is a strict, constant-time comparison; a loose != on two
        // hex digests can treat strings such as "0e1..." and "0e2..." as equal numbers
        if (!hash_equals($signtoverify, $sign)) {
            // Throw error msg here
        }

    Note: Every response returned by an API method contains an HTTP header named HTTP_AUTHORIZATION. The client should calculate a verification string to be compared with the value of the HTTP_AUTHORIZATION header. The verification string is the md5 value of a string which is made up of the RAW JSON data returned by the server, Access Token, ClientID and Secret. The client should verify each response returned by the server.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API


    • PakPassion
      New Member
      • Jun 2005
      • 26
      • 3.0.7

      #3
      Thanks!

      I was missing this step:

      // Sort GET params by key
      ksort($requestparams);

      However, after trying to call login_login forum/api.php?api_m=login_login&vb_login_username=myusername&vb_login_password=mypassword&api_sig=f443fd33bfd1af5fd24f0d946dc517fe&api_s=b0c55c8e6b8c0f7df0a21a55d61d869a&api_c=1&api_v=8

      I got a badlogin error.

      {"session":{"dbsessionhash":"26fc2c710eb1ef654001072137ca7035","userid":"0"},"response":{"errormessage":["badlogin","s=26fc2c710eb1ef654001072137ca7035&api=1&","0"]}}

      Other APIs which don't need a user to be logged in worked fine! Is there anything I am missing with the login_login call? Thanks a lot!


      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 74132

        #4

        • devoidfeast
          New Member
          • Jun 2014
          • 7
          • 5.0.X

          #5
          How can I sign a request in nodejs?
          Code:
              axios.get('http://10.0.2.2/api.php?api_m=api_init&clientname=vBMobile&clientversion=1.0&platformname=Android&platformversion=4.0&uniqueid=eeerrree3434')
              .then(
                res => 
                {
                  let apisignature = md5(res["data"]["apiaccesstoken"]+res["data"]["apiclientid"]+res["data"]["secret"]+"apikey")
                  let url = 'http://10.0.2.2/api.php?api_m=login_login&vb_login_username=xyz&vb_login_password=abc&api_sig=' + apisignature + '&api_s=' + res["data"]["apiaccesstoken"] + '&api_c=' + res["data"]["apiclientid"] + '&api_v=' + res["data"]["apiversion"]
                  axios.get(url).then( result => {
                    console.log(result)
                  }).catch(e => console.warn(e))
                })

          The first request succeeds but the latter returns HTTP 400.
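A Node.js counterpart of the PHP signing and verification steps from post #2, as an added example that is not code from the thread or from vBulletin. It assumes the API key is part of the request signature, as in the PHP code comment and the formula in the first post; the function names, the placeholder API key and the sample values are made up for illustration.

```javascript
const crypto = require('crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// JS counterpart of PHP ksort() + http_build_query() for flat params with ASCII keys.
// URLSearchParams leaves '*' unescaped where PHP emits %2A, so that case is patched.
function buildSignString(params) {
  const sorted = Object.keys(params).sort().map((k) => [k, String(params[k])]);
  return new URLSearchParams(sorted).toString().replace(/\*/g, '%2A');
}

// session = values returned by api_init; apiKey = site-specific key from the AdminCP.
// Only the method's own params (including api_m) are signed, never the api_* ones.
function signRequest(params, session, apiKey) {
  return md5hex(buildSignString(params) + session.apiaccesstoken +
    session.apiclientid + session.secret + apiKey);
}

// Query string in the shape used in the first post: method params, then api_* params.
function signedQuery(params, session, apiKey) {
  const api = new URLSearchParams({
    api_sig: signRequest(params, session, apiKey),
    api_s: session.apiaccesstoken,
    api_c: session.apiclientid,
    api_v: session.apiversion,
  });
  return `${buildSignString(params)}&${api}`;
}

// Response check: md5(raw JSON + access token + client id + secret), compared in
// constant time against the signature header value sent by the server.
function verifyResponse(rawBody, headerSig, session) {
  const expected = Buffer.from(
    md5hex(rawBody + session.apiaccesstoken + session.apiclientid + session.secret));
  const got = Buffer.from(String(headerSig).trim().toLowerCase());
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample values, not taken from a real site.
const demoSession = { apiaccesstoken: 'tok123', apiclientid: '7', secret: 's3cr3t', apiversion: '8' };
const demoParams = { api_m: 'login_login', vb_login_username: 'alice', vb_login_password: 'p w*d' };
console.log(signedQuery(demoParams, demoSession, 'SITE_API_KEY_PLACEHOLDER'));
```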


          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 74132

            #6
            I have no idea how you would sign it in node.js. What is the return you're getting with the 400 error? What is logged in the API Debug log?

            • caliburnusltd
              New Member
              • Dec 2019
              • 2

              #7
              update: delete pls
              Last edited by caliburnusltd; Thu 16 Jul '20, 1:17am.
