ShopSite Forums

[Jim]

I believe the version number should be the number you find in the download pulldown when you do a manual download. So for 11 r1.1 it would be 11.0 as you have it configured.

I don't know anything about the "URL and query string " question.

[loren_d_c]

version should be "11.0" for that version of ShopSite.

Regarding the signature in the post-authorization requests, it should actually be a string in MAC format, then encrypted with the key, then MAC encoded. See the example MAC token at:

http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02#section-1.1

So basically, all of this in a string:

token
timestamp
nonce
<---- this line intentionally left blank
POST
yourdomain.com
80 (or 443 if your connection is secure)
/path/to/sc/db_xml.cgi
name1=value1
name2=value2
name3=value3


etc, for as many name=value pairs that you have. And the name=value pairs have to be sorted alphabetically (ascending). Note that you don't include the token, timestamp, and nonce as name=value parameters in the MAC string.

Once you have this MAC, then you can encrypt it with the key and base64 encode it. Then tack it onto the query data along with the token, timestamp, and nonce parameters.

What happens when the server receives this request is that the server creates a MAC string the same way you did with the values you provided it (and it gets the host, port, and resource path from environment variables, so these have to be correct too), then it compares your signature against the signature it creates from its MAC string. If they match, you are authenticated and you should start getting data.

-Loren

[loren_d_c]

I should also mention that the names and values in the name=value pairs in your MAC string should to be % encoded. See the spec at the URL in my last post to see what characters have to be encoded. The server will % decode then % encode the names and values when creating its verification MAC, so if you don't encode and you have characters that should have been encoded, then your signature will not match the verification signature generated by the server.

-Loren

[abbaroo]

OK, I saw something like that in the C code example, so I created the following string:

MTMyMDQ1Nzg1OXx3ZWxsN(a bunch removed for security)==
1320457829
503bb763

POST
slate.secure-host.com
443
/cgi-wellnesscenter/sb/db_xml.cgi
clientApp=1
dbname=order
pay=no_cvv
version=11.0

Which I then used to create the signature via the following code:

Code: Select all

// now download the order information
$download_nonce = "503bb763";
$access_token = $auth_vals["access_token"];
$order_url = $auth_vals["download_url"];
$timestamp = time();

$order_message = "clientApp=1&dbname=orders&version=11.0";
$order_message .= "&pay=no_cvv";
$order_message .= "&token=" . $access_token;
$order_message .= "&timestamp=" . $timestamp;
$order_message .= "&nonce=" . $download_nonce;

$order_buffer = "$access_token\n";
$order_buffer .= "$timestamp\n";
$order_buffer .= "$download_nonce\n\n";
$order_buffer .= "POST\n";
$order_buffer .= "slate.secure-host.com\n";
$order_buffer .= "443\n";
$order_buffer .= "/cgi-wellnesscenter/sb/db_xml.cgi\n";
$order_buffer .= "clientApp=1\n";
$order_buffer .= "dbname=order\n";
$order_buffer .= "pay=no_cvv\n";
$order_buffer .= "version=11.0\n";

$order_hash = hash_hmac('sha1', $order_buffer, $secret_key, true);
$download_sig = base64_encode($order_hash);

$order_message .= "&signature=" . $download_sig;

// now do all the curl stuff as before
...
curl_setopt($ch, CURLOPT_POSTFIELDS, $order_message);
...


I still get the same error: access_denied, client and server signatures do not match. I read about the encoding, but I'm not sure if the newline characters ('\n') or equals signs need to be encoded as % notation. I tried putting them through url_encode() or rawurl_encode() and I still got the access denied message.

[abbaroo]

Does anybody have any answers to my last post? Please.

[loren_d_c]

No, the whole MAC digest doesn't need to be URL encoded, your newlines and equal signs are fine. Only the names and values in the name=value pairs at the end of the digest need to be encoded, if they have any odd characters (it's unlikely that they would in most ShopSite cases, unless you were downloading orders by a specific date, in which case the slashes in the date value might need to be encoded).

Your code looks good to me, but it's hard to tell from just that. Like I said before, the server-side routine will try creating it's own MAC and see if it matches, and it uses webserver environment variables to get the host name, port number, and cgi URL that it uses to create it's MAC, so you want to make sure that the values you use in your MAC are really the hostname, port, and CGI URL that you are using when you make the curl call.

I also noted that your nonce is hardcoded. I am not sure if that makes a difference or not, but it's not very random. In my code I just used:
$nonce2 = mt_rand(10000000,99999999);
to generate a random 8-digit number.

Also, note that the authorization token provided by authorize.cgi is only valid for 30 seconds, so hopefully your download request using that token is taking place right after it was received.

In my php code that was successful I went the socket route instead of curl. I can send you a copy of it (still very rough), if you would like, but note that it is only good for non-SSL requests. Using curl routines is probably still better for SSL because it has all the SSL communication stuff built-in.

-Loren