Missing API Signature
I have no idea how you would sign it in node.js. What is the return you're getting with the 400 error? What is logged in the API Debug log?
-
How can I sign a request in nodejs?
Code:
axios.get('http://10.0.2.2/api.php?api_m=api_init&clientname=vBMobile&clientversion=1.0&platformname=Android&platformversion=4.0&uniqueid=eeerrree3434')
  .then(res => {
    let apisignature = md5(res["data"]["apiaccesstoken"] + res["data"]["apiclientid"] + res["data"]["secret"] + "apikey")
    let url = 'http://10.0.2.2/api.php?api_m=login_login&vb_login_username=xyz&vb_login_password=abc&api_sig=' + apisignature + '&api_s=' + res["data"]["apiaccesstoken"] + '&api_c=' + res["data"]["apiclientid"] + '&api_v=' + res["data"]["apiversion"]
    axios.get(url).then(result => {
      console.log(result)
    }).catch(e => console.warn(e))
  })
The first request succeeds but the later one returns HTTP 400.
-
Each API request (except api.init) should be signed to make sure that the requests to different API methods in a session are made by and come from the same client. Also, the results returned by different API methods are signed to make sure that they were returned from the same vBulletin site.
How to sign a request (in PHP):
// The HTTP GET params for an API method
// (without api related params except api_m. see below)
$requestparams = array('api_m' => 'node.getNode', 'b' => 'value1', 'a' => 'value2');
// Sort GET params by key
ksort($requestparams);
// $signstr = 'a=value2&api_m=node.getNode&b=value1';
$signstr = http_build_query($requestparams);
// The correct signature is the md5 value of $signstr + accesstoken + clientid + secret + apikey
// (all can be fetched from api_init except apikey
// -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
$sign = md5($signstr.$apiaccesstoken.$apiclientid.$secret.$apikey);
Note: The signature is the md5 hash of a string made up of the HTTP GET parameter string, Access Token, ClientID and Secret. The HTTP GET parameter string contains only the HTTP GET parameters, in query string format, with the parameter names in alphabetical order.
How to verify a result (in PHP):
// The sign value returned by the server (Authorization header);
$sign = $_SERVER['HTTP_AUTHORIZATION'];
$data = 'the raw JSON data returned by the server';
// The correct signature is the md5 value of $data + accesstoken + clientid + secret (all can be fetched from api_init)
$signtoverify = md5($data.$apiaccesstoken.$apiclientid.$secret);
// hash_equals() compares in constant time and avoids loose-comparison matches between "0e..." hex strings
if (!hash_equals($signtoverify, (string) $sign)) {
    // Throw error msg here
}
Note: Every response returned by an API method contains an HTTP header named HTTP_AUTHORIZATION. The client should calculate a verification string to be compared with the value of the HTTP_AUTHORIZATION header. The verification string is the md5 value of a string made up of the raw JSON data returned by the server, Access Token, ClientID and Secret. The client should verify each response returned by the server.
I was missing this step:
// Sort GET params by key
ksort($requestparams);
However, after trying to call login_login forum/api.php?api_m=login_login&vb_login_username=myusername&vb_login_password=mypassword&api_sig=f443fd33bfd1af5fd24f0d946dc517fe&api_s=b0c55c8e6b8c0f7df0a21a55d61d869a&api_c=1&api_v=8
I got a badlogin error.
{"session":{"dbsessionhash":"26fc2c710eb1ef654001072137ca7035","userid":"0"},"response":{"errormessage":["badlogin","s=26fc2c710eb1ef654001072137ca7035&api=1&","0"]}}
Other APIs which don't need a user to be logged in worked fine! Is there anything I am missing with the login_login call? Thanks a lot!
-
Each API request (except api.init) should be signed to make sure that the requests to different API methods in a session are made by and come from the same client. Also, the results returned by different API methods are signed to make sure that they were returned from the same vBulletin site.
How to sign a request (in PHP):
// The HTTP GET params for an API method
// (without api related params except api_m. see below)
$requestparams = array('api_m' => 'node.getNode', 'b' => 'value1', 'a' => 'value2');
// Sort GET params by key
ksort($requestparams);
// $signstr = 'a=value2&api_m=node.getNode&b=value1';
$signstr = http_build_query($requestparams);
// The correct signature is the md5 value of $signstr + accesstoken + clientid + secret + apikey
// (all can be fetched from api_init except apikey
// -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
$sign = md5($signstr.$apiaccesstoken.$apiclientid.$secret.$apikey);
Note: The signature is the md5 hash of a string made up of the HTTP GET parameter string, Access Token, ClientID and Secret. The HTTP GET parameter string contains only the HTTP GET parameters, in query string format, with the parameter names in alphabetical order.
How to verify a result (in PHP):
// The sign value returned by the server (Authorization header);
$sign = $_SERVER['HTTP_AUTHORIZATION'];
$data = 'the raw JSON data returned by the server';
// The correct signature is the md5 value of $data + accesstoken + clientid + secret (all can be fetched from api_init)
$signtoverify = md5($data.$apiaccesstoken.$apiclientid.$secret);
// hash_equals() compares in constant time and avoids loose-comparison matches between "0e..." hex strings
if (!hash_equals($signtoverify, (string) $sign)) {
    // Throw error msg here
}
Note: Every response returned by an API method contains an HTTP header named HTTP_AUTHORIZATION. The client should calculate a verification string to be compared with the value of the HTTP_AUTHORIZATION header. The verification string is the md5 value of a string made up of the raw JSON data returned by the server, Access Token, ClientID and Secret. The client should verify each response returned by the server.
-
Missing API Signature
Hello All,
The first call api.php?api_m=api_init&clientname=vBMobile&clientversion=1.0&platformname=Android&platformversion=4.0&uniqueid=abcdef12345
works fine and I get a proper response.
However, I am getting {"response":{"errormessage":["invalid_api_signature","Invalid API Signature"]}} when calling login_login.
This is the part of the URL I am using: /api.php?api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]&api_sig=[apisignature]&api_s=[apiaccesstoken]&api_c=[apiclientid]&api_v=[apiversion]
and this is the logic for apisignature: md5( "api_m=login_login&vb_login_username=[USERNAME]&vb_login_password=[PASSWORD]" + [apiaccesstoken] + [apiclientid] + [secret] + [apikey] )
Any help/pointers will be greatly appreciated!
Been stuck on this error for a few days.
Thanks.