I'm having some trouble authenticating to a payment system API while using your component to generate a base64 encoded HMAC SHA256 signature. I am currently consuming a REST API using POST with the required headers.
The Authorization has some requirements
I have created a JavaScript to generate the Authorization code and Time Stamp:
But I am encountering a 403 error (Invalid authorization data) when running the application.
Need some assistance on how to handle HMACSHA256, or is my logic in the JavaScript incorrect? Any advice would be greatly appreciated.
Thank you
Jayson
Hello Jayson,
I downloaded your oml and tested your API in Postman and I'm getting this error:
The value of the Authorisation header should not just be true.
You should generate a valid signature according to the info you posted and add it to the Authorisation field of the call to be able to test it correctly.
You can use a tool like Postman to test your APIs before adding them to OS.
Hope it helps!
Paulo Rosário
Hi Paulo,
Thank you very much for your response. I did what you just recommended, generated the authorization code and timestamp, and I was able to receive the desired response in Postman.
However, when I incorporated it in OS using Consume API
I get the following response error:
Any idea why it is sending this "Forbidden" response?
Just to make sure. In the above screenshot there is a - missing between Request and Timestamp (X-Request-Timestamp).
Hi Stefan,
Thank you for noticing that. I made the necessary changes by replacing X-Timestamp with X-Request-Timestamp. I generated a new Authorization and Timestamp, which works in Postman. But now I am experiencing an "Invalid Authorization Data" response.
You are now getting an "Invalid authorization data", which tells us something is wrong with the auth key.
Is the key single use, meaning that you can only use it once, and after using it in Postman you can't use it in OS?
The key expires every minute so I need to check the key in Postman, then check it again in OS in just under a minute.
Thanks,
btw: you may rethink using JavaScript for creating the signature. You are exposing your secret key to the frontend. The CryptoAPI Forge component should give you all the possibilities to sign at the backend.
Hi Paulo, Stefan,
Thank you for your response. The key expires every minute and is built on different encrypted live data values. The data values I used now in creating the key are just dummy data to test the algorithm I created using JavaScript.
Now that's what I call a short-lived token ;-)
After going through your oml I found some hard-coded values here on the CreatePaymentRequest action:
I changed it to the variable and was able to get a 200 response from the API:
HTTP/1.1 200
vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
pragma: no-cache
x-frame-options: SAMEORIGIN
content-security-policy: script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=31536000
Content-Length: 271
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json
Date: Mon, 12 Dec 2022 15:34:15 GMT
Expires: 0
Set-Cookie: cookiesession1=678B2874F3D9EE7FD8871DB5335C9137;Expires=Tue, 12 Dec 2023 15:34:15 GMT;Path=/;HttpOnly
Check that out and see if it works for you too :)
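
The failure modes discussed in this thread (wrong header name, a signature older than a minute, hard-coded values that differ from what was signed) can be reproduced with a server-side signer and a matching verifier. This is an added example, not code from the thread or from the payment API: the string-to-sign layout, the path `/payments`, the status strings and all sample values are assumptions.

```javascript
// Added example (Node.js, server side). Layout and names are assumptions.
const crypto = require("node:crypto");
const MAX_SKEW_MS = 60_000; // thread: the key expires every minute

// Assumed string-to-sign (the real API's layout is not shown in the thread).
function mac(secret, method, path, timestamp, body) {
  const data = [method.toUpperCase(), path, timestamp, body].join("\n");
  return crypto.createHmac("sha256", secret).update(data, "utf8").digest();
}

// Runs on the server only, so the secret never reaches the browser.
function signRequest(secret, method, path, body, now = Date.now()) {
  const timestamp = new Date(now).toISOString();
  const signature = mac(secret, method, path, timestamp, body).toString("base64");
  return { "X-Request-Timestamp": timestamp, Authorization: signature };
}

// What a receiving API would do: recompute from the values actually sent.
function verifyRequest(secret, method, path, body, headers, now = Date.now()) {
  const timestamp = headers["X-Request-Timestamp"];
  const sent = headers["Authorization"];
  if (!timestamp || !sent) return "missing header";
  const age = Math.abs(now - Date.parse(timestamp));
  if (Number.isNaN(age) || age > MAX_SKEW_MS) return "expired";
  const expected = mac(secret, method, path, timestamp, body);
  const got = Buffer.from(sent, "base64");
  const ok = got.length === expected.length && crypto.timingSafeEqual(got, expected);
  return ok ? "ok" : "invalid authorization data";
}

// Constructed sample values, not taken from the thread.
const SECRET = "constructed-demo-secret";
const BODY = JSON.stringify({ amount: "10.00", currency: "USD" });
const T0 = Date.UTC(2022, 11, 12, 15, 34, 0);

function demo() {
  const h = signRequest(SECRET, "POST", "/payments", BODY, T0);
  const renamed = { "X-Timestamp": h["X-Request-Timestamp"], Authorization: h.Authorization };
  const check = (body, headers, at) => verifyRequest(SECRET, "POST", "/payments", body, headers, at);
  return {
    fresh: check(BODY, h, T0 + 5_000),
    stale: check(BODY, h, T0 + 61_000), // same headers replayed after a minute
    hardCoded: check('{"amount":"1.00"}', h, T0 + 5_000), // body differs from what was signed
    wrongHeader: check(BODY, renamed, T0 + 5_000), // X-Timestamp instead of X-Request-Timestamp
  };
}
```

Because the signature covers the timestamp and the body, any value that is hard-coded in the request but computed differently in the signing step produces a mismatch, which is why signing and sending must read from the same variables.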