nicehash/rest-clients-demo

Invalid Session

seanlai opened this issue · 13 comments

Any more info on why a request is getting code:2000 Invalid Session error? Signing is correct in X-Auth.

bl4z commented

can u try this example

Signing a request to get a hashpower order book
URL: https://api2.nicehash.com/main/api/v2/hashpower/orderBook?algorithm=X16R&page=0&size=100
HTTP method: GET
API Key: 4ebd366d-76f4-4400-a3b6-e51515d054d6 (received when API Key is generated at API Keys)
API Secret: fd8a1652-728b-42fe-82b8-f623e56da8850750f5bf-ce66-4ca7-8b84-93651abc723b (received when API Key is generated at API Keys)
X-Time: 1543597115712 (current UTC time in ms)
X-Organization-ID: da41b3bc-3d0b-4226-b7ea-aee73f94a518 (organization ID)
X-Nonce: 9675d0f8-1325-484b-9594-c9d6d3268890 (generate some random string, for example: UUID.randomUUID().toString(), must be different each time you sign a request)

Input for signing:
4ebd366d-76f4-4400-a3b6-e51515d054d6⊠1543597115712⊠9675d0f8-1325-484b-9594-c9d6d3268890⊠⊠da41b3bc-3d0b-4226-b7ea-aee73f94a518⊠⊠GET⊠/main/api/v2/hashpower/orderBook⊠algorithm=X16R&page=0&size=100

Signature is generated via HMAC-SHA256 (input, API_SECRET): 
21e6a16f6eb34ac476d59f969f548b47fffe3fea318d9c99e77fc710d2fed798

Add header: 
X-Auth: API_KEY:SIGNATURE -> 4ebd366d-76f4-4400-a3b6-e51515d054d6:21e6a16f6eb34ac476d59f969f548b47fffe3fea318d9c99e77fc710d2fed798

Can you give an expected signature output example for a POST request with json payload?

bl4z commented

example for POST endpoint

organization: bcd95480-a224-419f-94c0-6d83c9dd2f71
secret: 58068f31-b22b-432b-ba10-2704e174121d41990cdd-6485-4492-a659-1c2040c0d9a6
key: 1ab99dc2-f24b-4d16-a245-3ce80234d075
time: 1565356888714
nonce: 5642a742-a594-4332-ecef-8acb296a3523
method: POST
path: /api/v2/profile/meta
query: 
body: {"meta": "data"}

content: 1ab99dc2-f24b-4d16-a245-3ce80234d075⊠1565356888714⊠5642a742-a594-4332-ecef-8acb296a3523⊠⊠bcd95480-a224-419f-94c0-6d83c9dd2f71⊠⊠POST⊠/api/v2/profile/meta⊠⊠{"meta": "data"}

digest: d9df9e6725fbbfd4bab619fae477908106c70c9655b192b96f79c8a438c7d000
X-Auth: 1ab99dc2-f24b-4d16-a245-3ce80234d075:d9df9e6725fbbfd4bab619fae477908106c70c9655b192b96f79c8a438c7d000

I can get the orderBook endpoint working, but myOrders kept giving me invalid session. Is it due to one being a public endpoint and one being private?

Any way to find more info on what caused the Invalid Session error? I already generated a new UUID for X-Nonce and another new UUID for X-Request-Id. I use X-Time obtained from the nicehash time endpoint. Anything else that could cause Invalid Session?

bl4z commented

invalid session means that X-Auth key cannot be tied to active session ...

request-id is only required (for now) for creating and updating HP orders ... so for myorders X-Request-Id is NOT required

as for X-Time if it differs too much from server time u will receive
SESSION_TIME_SKEW(2001, "Session Time skew detected", HttpStatus.UNAUTHORIZED),

as for duplicate nonce
SESSION_NONCE_SKEW(2002, "Session Nonce skew detected", HttpStatus.UNAUTHORIZED),

if session is expired
SESSION_EXPIRED(2003, "Session expired", HttpStatus.UNAUTHORIZED),

here is example for that call:

organization: 3cd95480-a224-419f-94c0-6d83c9dd2f71
secret: 18068f31-b22b-432b-ba10-2704e174121d41990cdd-6485-4492-a659-1c2040c0d9a6
key: 2ab99dc2-f24b-4d16-a245-3ce80234d075
time: 1565626394605
nonce: 80e4854c-d8ac-4a82-87a7-fb9496812114
method: GET
path: /main/api/v2/hashpower/myOrders
query: op=LE&limit=100&ts=1553496393130
body: 

content: 2ab99dc2-f24b-4d16-a245-3ce80234d075⊠1565626394605⊠80e4854c-d8ac-4a82-87a7-fb9496812114⊠⊠3cd95480-a224-419f-94c0-6d83c9dd2f71⊠⊠GET⊠/main/api/v2/hashpower/myOrders⊠op=LE&limit=100&ts=1553496393130

digest: b9940731a59b9dfe848ffd5d2a9cbdf09fe5e9475428f6a1b70db1e2e7e67fd9
X-Auth: 2ab99dc2-f24b-4d16-a245-3ce80234d075:b9940731a59b9dfe848ffd5d2a9cbdf09fe5e9475428f6a1b70db1e2e7e67fd9

I am able to create the exact same digest as the examples you provided, but when I send in the request, I am still getting invalid session, does that mean the headers are incorrect? I passed the same nonce, timestamp and organization in the headers to generate X-Auth... anything else is needed for generating an active session?

Also, does the order of the params in the query matter? ie. if ts is before op, the digest will be different.

The order of the params matter. That solved my issue. Thanks for your help!

as for X-Time if it differs too much from server time u will receive
SESSION_TIME_SKEW(2001, "Session Time skew detected", HttpStatus.UNAUTHORIZED),

What is the time on the server since GMT is an error, local time is also an error.

bl4z commented

it doesn't really matter .. just get server time, calculate diff to your local time and use this diff on next requests .. or get server time for each set of api calls

but i think it is .. GMT+02:00 DST

@bl4z My method is actually getting to the same signature you are.... and when I make a request I still get invalid session.

Instead of trying to prove to us we are doing something wrong... maybe you should point us in the right direction.

Lack of documentation and shady data floats around NH. Just like that "hack" ...

bl4z commented

i cannot directly test your parameters and results due to the fact that i'll get time skew error as well
at the moment i can think of some test console for API calls with editable parameters and detailed outputs of content, digest and x-auth param .. we will prepare something like that so it will be possible to compare results and make calls against test environment

bl4z commented

in the meantime - this script implements interaction with new NH platform

https://github.com/nicehash/rest-clients-demo/wiki/php-demo

What is meant with "⊠" is it the separator? How can I implement it? Is it just \x00. Because my Session is always invalid too. I create the content like this:

message = bytearray(api_key, 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray(str(xtime), 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray(xnonce, 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray(org_id, 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray("POST", 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray("/main/api/v2/mining/rigs/status2", 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray('\x00', 'utf-8')
message += bytearray(str({"rigId": rig_id, "action": "START"}), 'utf-8')

HMAC_signature = hmac.new(bytearray(api_secret, 'utf-8'), message, sha256).hexdigest()
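An added example (not part of the thread and not NiceHash's own code) that rebuilds the signing input from the POST example posted above and shows the two mismatches raised in this thread: a body serialized with `str()` instead of JSON, and query parameters signed in a different order than they are sent. It assumes "⊠" is a single zero byte, as the last post's code uses; the helper names `signing_input`, `render` and `x_auth` are hypothetical, and the reordered query string is constructed for illustration.

```python
import hashlib
import hmac
import json

SEP = b"\x00"  # assumption: "⊠" in the thread is one zero byte, as in the last post's code


def signing_input(key, xtime, nonce, org, method, path, query="", body=None):
    """Build the HMAC input in the field order shown in the thread's examples."""
    fields = [key, str(xtime), nonce, "", org, "", method, path, query]
    msg = SEP.join(f.encode("utf-8") for f in fields)
    if body is not None:
        # body must be the exact string that is sent as the request body
        msg += SEP + body.encode("utf-8")
    return msg


def render(msg):
    """Show separators as "⊠" so the input can be compared with a "content:" line."""
    return msg.decode("utf-8").replace("\x00", "⊠")


def x_auth(key, secret, msg):
    """X-Auth header value: API_KEY:hex(HMAC-SHA256(msg, secret))."""
    digest = hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()
    return f"{key}:{digest}"


# Values copied from the POST example posted in the thread.
KEY = "1ab99dc2-f24b-4d16-a245-3ce80234d075"
SECRET = "58068f31-b22b-432b-ba10-2704e174121d41990cdd-6485-4492-a659-1c2040c0d9a6"
ORG = "bcd95480-a224-419f-94c0-6d83c9dd2f71"
NONCE = "5642a742-a594-4332-ecef-8acb296a3523"
XTIME = 1565356888714
PATH = "/api/v2/profile/meta"
PAYLOAD = {"meta": "data"}

good = signing_input(KEY, XTIME, NONCE, ORG, "POST", PATH, body=json.dumps(PAYLOAD))
bad = signing_input(KEY, XTIME, NONCE, ORG, "POST", PATH, body=str(PAYLOAD))  # Python repr

if __name__ == "__main__":
    print(render(good))  # ends with {"meta": "data"}
    print(render(bad))   # ends with {'meta': 'data'}
    print(x_auth(KEY, SECRET, good) == x_auth(KEY, SECRET, bad))  # False
    my_orders = "/main/api/v2/hashpower/myOrders"
    q1 = "op=LE&limit=100&ts=1553496393130"  # order as posted in the thread
    q2 = "ts=1553496393130&op=LE&limit=100"  # constructed: same params, reordered
    a, b = (signing_input(KEY, XTIME, NONCE, ORG, "GET", my_orders, q) for q in (q1, q2))
    print(x_auth(KEY, SECRET, a) == x_auth(KEY, SECRET, b))  # False
```

Comparing `render(...)` of your own input against a posted "content:" line shows a field-order or serialization mismatch before any request is sent.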