Fitbit OAuth的API请求,无效的签名 [英] Fitbit OAuth API request, invalid signature


问题描述

我正在尝试向 Fitbit 发起 API 请求,并借助 Fitbit 的 OAuth 调试器(https://dev.fitbit.com/apps/oauthtutorialpage)排查自己哪里做错了。我在下面的代码中添加了注释,以帮助您理解我想要实现的目的。我比较确定的是,我要么签名的方式不对,要么用了错误的数据来签名。API 的响应也印证了这一点。

我知道 Stack Overflow 上还有其他关于 Fitbit API 的问题,但我没有在其中找到答案。

有没有对 OAuth 签名更有经验的人知道我可能哪里做错了?或者能帮我找到另一种解决办法?

  VAR请求=要求(请求);
VAR密码=要求('密码');VAR PARAMS = {
    oauth_consumer_key':'key12345',
    oauth_nonce:的Math.random()的toString(36).substring(3),//随机字符串。
    oauth_signature_method:HMAC-SHA1,
    oauth_timestamp':Date.now()的toString()子(0,10),//时间戳与相同长度的教程。
    oauth_version':'1.0'
}
VAR oauth_consumer_secret ='secret123';
VAR post_string ='POST和放大器; HTTPS://api.fitbit.com/oauth/request_token';对于(params中VAR键){
    post_string + ='和;' +键+=+参数[关键]
}/ *在这一点上,我们发了一个帖子字符串,我们有HMAC-SHA1散列
后弦看起来是这样的:
POST&https://api.fitbit.com/oauth/request_token&oauth_consumer_key=key12345&oauth_nonce=az6r8cqlzyqfr&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1439147378&oauth_version=1.0从教程的post_string如下:
POST&%2Foauth%2Frequest_token&oauth_consumer_key%3D%26oauth_nonce%3D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1439145944%26oauth_version%3D1.0* /变种HMAC = crypto.createHmac('SHA1',oauth_consumer_secret +与&);
//本教程页面显示我是'用秘密&安培签署;签名。我曾尝试使用和不使用&放大器;在最后,但没有运气。
hmac.setEncoding('的base64'); //我不知道这是否是正确的
hmac.write(post_string);
hmac.end();
变种散列= hmac.read();//最后加入散列到的参数。
params.oauth_signature =散列;//现在,使得与授权头的请求。
VAR标题='';
对于(params中VAR键){
    如果(header.length === 0){
        标题='的OAuth'+键+=+参数[键] +'';
    }
    其他{
        头+ =''+键+=+参数[键] +'';
    }
}/ *
在这一点上的报头参数看起来像这样的OAuth oauth_consumer_key =key12345,oauth_nonce =jnr97ppvjs2lnmi,oauth_signature_method =HMAC-SHA1,oauth_timestamp =1439148049,oauth_version =1.0,oauth_signature =random_signature本教程告诉我用头:
的OAuth oauth_consumer_key =key12345,oauth_nonce =jnr97ppvjs2lnmi,oauth_signature =different_signature,oauth_signature_method =HMAC-SHA1,oauth_timestamp =1439145944,oauth_version =1.0
* /VAR标题= {
    '授权':头
}VAR URL =htt​​ps://api.fitbit.com/oauth/request_token;
VAR将requestTimeout = 5000;
VAR选择采用= {
    网址:网址,
    超时:将requestTimeout,
    标题:标题
}要求(选,功能(呃,RES体){
    如果(ERR){
        console.dir(ERR);
        返回;
    }
    VAR状态code = res.status code;
    如果(res.status code === 200){
         的console.log(体);
    }
    其他{
        的console.log(HTTP-无错误code:+ res.status code);
        的console.log(体);
    }
})
/ *
响应:
HTTP的错误 - code:401
{错误:[{ERRORTYPE:OAuth的,字段名:oauth_signature,消息:无效的签名:9fXI85C7GvZqMyW1AK1EkOSWZCY =}],成功:虚假}
* /


解决方案

要获取访问令牌和密钥,请使用 Grant(您可以在 playground 中测试 FitBit)。

获得访问令牌和密钥之后,使用 Purest 向 FitBit API 发起后续请求。

下面是关于如何获取用户的配置文件的例子:

  VAR最纯净=要求(最纯净)
VAR fitbit =新的最纯净({提供商:'fitbit',
  键:[CONSUMER_KEY]',秘诀是:[CONSUMER_SECRET]'})fitbit.get('用户名/ - / profile文件',{
  的OAuth:{令牌:'[ACCESS_TOKEN]',秘诀是:[ACCESS_SECRET]'}
},功能(呃,资源,机构){})

另外,您也可以使用 request 来实现:

  VAR请求=要求(请求)request.GET中('https://api.fitbit.com/1/user/-/p​​rofile.json',{
  OAuth的:{
    CONSUMER_KEY:'..',
    CONSUMER_SECRET:'..',
    令牌:'..',
    token_secret:..
  }
},功能(呃,资源,机构){})

简而言之:不要尝试自行实现 Web 服务器的 OAuth 流程。请使用 Grant,然后使用 Purest 或 request;只需记住,您不必自己传递所有的 OAuth 参数,只传递凭据即可。

I am trying to make an API request to Fitbit, and I am using Fitbit's OAuth debugger (https://dev.fitbit.com/apps/oauthtutorialpage) to figure out what I am doing wrong. I have added comments to my code below to help you understand what I am trying to achieve. I am quite sure that I am either signing my request incorrectly or using the wrong data to sign it. The API response points the same way.

I know there are other Fitbit API questions here on Stack Overflow, but I did not find my answer in them.

Is there anyone with more experience with OAuth signatures who knows what I could be doing wrong, or who could help me find a different approach?

// Question listing: requests an OAuth 1.0 request token from Fitbit with a
// hand-built HMAC-SHA1 signature. The code is kept exactly as posted; comments
// marked NOTE(review) point at where it departs from the OAuth 1.0 signing
// rules (RFC 5849), any one of which is enough for the server to answer with
// "Invalid signature".
var request = require('request');
var crypto = require('crypto');

// Protocol parameters that go into both the signature and the Authorization header.
var params = {
    // NOTE(review): 'key12345' / 'secret123' are sample values; real consumer
    // credentials belong in configuration or a secret store, not in the source.
    'oauth_consumer_key' : 'key12345',
    // Random string. NOTE(review): Math.random() is not a cryptographically
    // secure source and the length of this string varies; the already-imported
    // `crypto` module (crypto.randomBytes) is the usual source for a nonce.
    'oauth_nonce' : Math.random().toString(36).substring(3),
    'oauth_signature_method' : 'HMAC-SHA1',
    // Timestamp with the same length as in the tutorial: the first 10 digits
    // of the millisecond clock, i.e. seconds while Date.now() has 13 digits.
    'oauth_timestamp' : Date.now().toString().substring(0,10),
    'oauth_version' : '1.0'
}
var oauth_consumer_secret = 'secret123';
// Start of the signature base string: HTTP method, then the request URL.
// NOTE(review): RFC 5849 section 3.4.1 requires the URL to be percent-encoded
// here; it is appended raw.
var post_string = 'POST&https://api.fitbit.com/oauth/request_token';

// Append every parameter as &key=value.
// NOTE(review): the base string has exactly three '&'-separated parts. The
// third is the parameter list, sorted by name, joined as key=value&key=value
// and then percent-encoded as a whole, so '=' becomes %3D and '&' becomes
// %26 (visible in the tutorial string quoted below). This loop adds the pairs
// unencoded, and the order is only correct because the object literal happens
// to be written alphabetically.
for(var key in params){
    post_string += '&' + key + '=' + params[key];
}

/*At this point we have made a post string that we have to hash with hmac-sha1
the post string looks like this:
POST&https://api.fitbit.com/oauth/request_token&oauth_consumer_key=key12345&oauth_nonce=az6r8cqlzyqfr&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1439147378&oauth_version=1.0

The post_string from the tutorial looks like this:
POST&%2Foauth%2Frequest_token&oauth_consumer_key%3D%26oauth_nonce%3D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1439145944%26oauth_version%3D1.0

*/

// HMAC-SHA1 keyed with "<consumer secret>&<token secret>". No token secret
// exists yet at the request-token step, so the key ends in a bare '&', which
// matches the tutorial's 'signed with secret&'.
var hmac = crypto.createHmac('sha1', oauth_consumer_secret + "&");
// The tutorial page shows me the signature was 'signed with secret&'. I have tried with and without the & at the end, but without luck.
// base64 is the encoding OAuth 1.0 uses for HMAC-SHA1 signatures. This is the
// stream form of the Hmac API; hmac.update(...).digest('base64') is the
// one-shot equivalent.
hmac.setEncoding('base64');
hmac.write(post_string);
hmac.end();
var hash = hmac.read();

// Finally, add the signature to the parameters so the header loop below emits it.
params.oauth_signature = hash; 

// Build the Authorization header value: 'OAuth key="value", key="value", ...'.
// NOTE(review): values are inserted without percent-encoding. A base64
// signature can contain '+', '/' and '=', which RFC 5849 section 3.5.1
// requires to be encoded in the header. The first branch also starts the
// value with a leading space (' OAuth ').
var header='';
for (var key in params){
    if(header.length === 0){
        header = ' OAuth ' + key + '="' + params[key] + '"';
    }
    else{
        header += ', ' + key + '="' + params[key] + '"';
    }
}

/*
At this point the header parameter looks like this

OAuth oauth_consumer_key="key12345", oauth_nonce="jnr97ppvjs2lnmi", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1439148049", oauth_version="1.0", oauth_signature="random_signature"   

The tutorial tells me to use the headers:
OAuth oauth_consumer_key="key12345", oauth_nonce="jnr97ppvjs2lnmi", oauth_signature="different_signature", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1439145944", oauth_version="1.0"
*/

var headers ={
    'Authorization' : header
}

var url="https://api.fitbit.com/oauth/request_token";
var requestTimeout = 5000;
// NOTE(review): no `method` is set, so `request` falls back to its default
// (GET) while the signature base string above was built for 'POST'. The
// signed method has to be the method actually sent.
var opts = {
    url: url,
    timeout: requestTimeout,
    headers : headers
}

// Send the request and print the body; a non-200 status is printed with a prefix.
request(opts, function (err, res, body) {
    if (err) {
        // Transport-level failure (no HTTP response was received).
        console.dir(err);
        return;
    }
    // statusCode is assigned but the checks below read res.statusCode directly.
    var statusCode = res.statusCode;
    if(res.statusCode === 200){
         console.log(body);
    }
    else{
        console.log("http-error-code: " + res.statusCode);
        console.log(body);
    }
})
/*
The response: 
http-error-code: 401
{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: 9fXI85C7GvZqMyW1AK1EkOSWZCY="}],"success":false}
*/

解决方案

To get the access token and secret, use Grant (you can test FitBit in the playground).

Once you have the access token and secret, use Purest to make subsequent requests to the FitBit API.

Here is an example on how to get the user's profile:

// Fetch the authenticated user's profile through a Purest client configured
// for the Fitbit provider. The bracketed strings are placeholders: supply the
// real values from configuration or a secret store rather than writing them
// into the source file.
const Purest = require('purest');

// Application (consumer) credentials are given once, when the client is built.
const fitbit = new Purest({
  provider: 'fitbit',
  key: '[CONSUMER_KEY]',
  secret: '[CONSUMER_SECRET]',
});

// Per-user credentials obtained from the OAuth flow are passed with each call.
const userCredentials = { token: '[ACCESS_TOKEN]', secret: '[ACCESS_SECRET]' };

// The callback is left empty in this example; real code should inspect `err`
// and the response status before using `body`.
fitbit.get('user/-/profile', { oauth: userCredentials }, function (err, res, body) {});

Alternatively, you can use request for that:

// Same profile request made with the `request` module. Only the four
// credentials are passed in the `oauth` option; the remaining OAuth parameters
// are not supplied by hand. The '..' strings are placeholders: load the real
// values from configuration or a secret store, not from source code.
// NOTE(review): the `request` package has since been deprecated by its
// maintainers; check its status before adopting it in new code.
const request = require('request');

const oauthCredentials = {
  consumer_key: '..',
  consumer_secret: '..',
  token: '..',
  token_secret: '..',
};

// The callback is left empty in this example; real code should inspect `err`
// and the response status before using `body`.
request.get(
  'https://api.fitbit.com/1/user/-/profile.json',
  { oauth: oauthCredentials },
  function (err, res, body) {}
);

In short: don't try to implement the web server OAuth flow yourself. Use Grant, then use either Purest or request; just keep in mind that you don't have to pass all of the OAuth parameters yourself, only the credentials.
