arkerone/api-key-auth

BadSignatureError: Bad signature.


Hi,

I tried nearly 1000 different ways of generating the signature and searched for nearly half a day to figure out what the heck is going on. I used the Host URL as host, then the receiver URL as host. I tried without host, with and without "(request-target)", with the date header only, and without any headers. Always the same result: BadSignatureError: Bad signature.

Can you please help out? What am I doing wrong?

// Build the Authorization value first so the signed inputs are easy to compare
// with what is actually sent: the method and path signed here must match the
// request line of the POST below exactly.
// 'XXX' / 'XXX-secret' are the redacted key id and shared secret.
const authorizationHeader = getApiKeyAuthHeader(
    { url: '/what/is/going/on', method: 'post' },
    'XXX',
    'XXX-secret'
);

// NOTE(review): the Date header is sent but is not listed in the signature's
// `headers` parameter, so the HMAC does not cover it.
const requestConfig = {
    headers: {
        'Date': signingDate,
        'Authorization': authorizationHeader
    }
};

await axios.post(`http://localhost:xxxx/what/is/going/on`, postData, requestConfig)

// [...]

import CryptoJS = require('crypto-js');

/**
 * Builds the value of an HTTP `Authorization` header in the `Signature` scheme.
 *
 * The signing string is the single line `(request-target): <method> <url>`,
 * authenticated with HMAC-SHA256 keyed by `apiSecretKey` and Base64-encoded.
 *
 * Security notes:
 * - Only `(request-target)` is signed. No date, host or body digest enters the
 *   signing string, so the signature binds neither the request time nor the
 *   payload: the same header value stays valid for every request with this
 *   method and path for as long as the secret is unchanged.
 * - `apiKey` is placed inside a quoted header parameter without escaping; a
 *   value containing `"` would produce a malformed header.
 * - Presumably the verifier rebuilds the signing string from the request it
 *   receives, so `data.url` has to match the sent path byte for byte — confirm
 *   against the receiving middleware.
 *
 * @param data - HTTP method (lowercase) and request path to sign.
 * @param apiKey - Key identifier emitted as `keyId`.
 * @param apiSecretKey - Shared secret used as the HMAC key.
 * @returns The complete `Signature ...` header value.
 */
export function getApiKeyAuthHeader(data: {
                                        method: 'post' | 'get' | 'put' | 'patch' | 'delete',
                                        url: string
                                    },
                                    apiKey,
                                    apiSecretKey) {
    const { method, url } = data;

    // Signing string: exactly one pseudo-header line, encoded as UTF-8 bytes.
    const signingStringBytes = CryptoJS.enc.Utf8.parse(`(request-target): ${method} ${url}`);

    // Keyed MAC over the signing string, then Base64 for transport in the header.
    const mac = CryptoJS.HmacSHA256(signingStringBytes, apiSecretKey);
    const encodedMac = CryptoJS.enc.Base64.stringify(mac);

    return `Signature keyId="${apiKey}",algorithm="hmac-sha256",headers="(request-target)",signature="${encodedMac}"`;
}

Console output on receiver side:

::ffff:127.0.0.1 - - [09/Sep/2021:20:48:02 +0000] "POST /what/is/going/on HTTP/1.1" 500 60 "-" "axios/0.21.4"
{
  accept: 'application/json, text/plain, */*',
  'content-type': 'application/json',
  date: 'Thu, 09 Sep 2021 20:57:25 GMT',
  authorization: 'Signature keyId="XXX",algorithm="hmac-sha256",headers="(request-target)",signature="0YaPbz9lAJ3trsJvWSRwCxTAf7h7/1NGSdK/5jY20Fw="',
  'user-agent': 'axios/0.21.4',
  'content-length': '2',
  host: 'localhost:xxxx',
  connection: 'close'
}
  BadSignatureError: Bad signature.

  - index.js?:57 eval
    [.]/[api-key-auth]/lib/index.js?:57:21

  - app.ts?:158 getSecret
    webpack://express/./app/app.ts?:158:16

  - index.js?:49 middleware
    [.]/[api-key-auth]/lib/index.js?:49:5

  - app.ts?:170 authCheck
    webpack://express/./app/app.ts?:170:41

  - app.ts?:147 eval
    webpack://express/./app/app.ts?:147:5

  - urlencoded.js:82 urlencodedParser
    [api]/[body-parser]/lib/types/urlencoded.js:82:7

Update:
I am using my own implementation now, since this package seems dead.