2

My question is very similar to Translation from Python to JavaScript: HMAC-SHA256, however that question was never answered.

The following Python code produces the correct hash:

def sign_api_request(api_secret, api_key, method, url):
    encoded_url = urllib.parse.quote(url.lower(), '').lower()
    timestamp = int(time.time())print("timestamp: " + str(timestamp))
    nonce = str(uuid.uuid4())

    signature = api_key + method + encoded_url + str(timestamp) + nonce

    secret_bytes = base64.b64decode(api_secret)

    signature_bytes = signature.encode('UTF8')

    signature_hash = hmac.new(secret_bytes, signature_bytes, hashlib.sha256).digest()
    base64_signature_hash = base64.b64encode(signature_hash).decode()

    print(base64_signature_hash)

I'm trying to generate the same hash string using Javascript (as a Postman pre-request script). Here's what I've got:

function epochTime() {
    var d = new Date();
    var t = d.getTime();
    var o = t + "";
    return o.substring(0, 10);
}

function newGuid() {
    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) { var r = Math.random() * 16 | 0, v = c == 'x' ? r : r & 0x3 | 0x8; return v.toString(16); });
}

var uri_path = encodeURIComponent(request.url.toLowerCase()).toLowerCase();
var payload = uri_path; //.toLowerCase();

timestamp = epochTime();
nonce = newGuid();
signature = environment.api_key + "GET" + payload + timestamp + nonce;

secret_bytes = atob(environment.api_secret);

var hash = CryptoJS.HmacSHA256(signature, secret_bytes);
var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);
var sig = "amx " + environment.api_key + ":" + hashInBase64 + ":" + nonce + ":" + timestamp;
postman.setGlobalVariable("signature", sig);

If I use the same timestamp and nonce (by setting them explicitly rather than generating them at runtime) and the same api_key and api_secret (which are constant across calls) I expect to get the same value in sig (Javascript) as I do in base64_signature_hash (Python), however that's not the case.

I understand that this might be an encoding problem, but my js-fu is weak. Any ideas?

Edit to add: the method and url used for each are also the same.

Kyle G.
  • 870
  • 2
  • 10
  • 22

2 Answers2

1

Basically, there are two issues. First, in both Python and JS code secret_bytes should be base64 encoded string. Second, in JavaScript code secret_bytes was not correctly decoded from base64 string. Please find below corrected Python and JavaScript examples.

Python:

import hmac
import time
import uuid
import base64
import hashlib
import urllib.parse


def sign_api_request(api_secret, api_key, method, url):
    encoded_url = urllib.parse.quote(url.lower(), '').lower()
    # timestamp = int(time.time())
    # nonce = str(uuid.uuid4())
    timestamp = str(1569158586);
    nonce = '708b7df1-7494-49fa-812c-e5f6c24aeab6'

    signature = api_key + method + encoded_url + timestamp + nonce
    # print(signature)

    secret_bytes = base64.standard_b64decode(api_secret)
    # print(secret_bytes)

    signature_bytes = signature.encode('UTF8')

    signature_hash = hmac.new(secret_bytes, signature_bytes, hashlib.sha256).digest()
    base64_signature_hash = base64.b64encode(signature_hash).decode()
    return base64_signature_hash 


base64_signature_hash = sign_api_request('MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg=', '0987654321', 'POST', '/signin')
print(base64_signature_hash)

JavaScript:

const CryptoJS = require('crypto-js');

function epochTime() {
    var d = new Date();
    var t = d.getTime();
    var o = t + "";
    return o.substring(0, 10);
}

function newGuid() {
    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) { var r = Math.random() * 16 | 0, v = c == 'x' ? r : r & 0x3 | 0x8; return v.toString(16); });
}

let api_secret = 'MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg=';
let api_key = '0987654321';
let method = 'POST';
let url_path = '/signin';

let encoded_url = encodeURIComponent(url_path.toLowerCase()).toLowerCase();
let timestamp = '1569158586';
let nonce = '708b7df1-7494-49fa-812c-e5f6c24aeab6';

let signature = api_key + method + encoded_url + timestamp + nonce;
// console.log(signature);

let secret_bytes = new Buffer.from(api_secret, 'base64');
secret_bytes = secret_bytes.toString('ascii');
// console.log(secret_bytes);

let hash = CryptoJS.HmacSHA256(signature, secret_bytes);
let hashInBase64 = CryptoJS.enc.Base64.stringify(hash);
console.log(hashInBase64);

Output should be same for both:

1Hw92JPDJPFB3Je4MvwapODmn5S6KdIbvot3MAvg0jM=
mtasic85
  • 3,905
  • 2
  • 19
  • 28
0

Here is a good python to javascript translation

python sign-api-request

import hmac
import base64
import hashlib

SECRET_KEY = 'b7566b7c87365a970e64109f92bb7415719cca1a0fea04c196f7ca7a45cc64b4'
API_KEY = '/v1/users/me'

def sign_api_request(api_secret=SECRET_KEY, api_key=API_KEY):

    signature_hash = hmac.new(api_secret.encode(), api_key.encode(),  hashlib.sha512).digest()
    base64_signature_hash = base64.b64encode(signature_hash).decode()

    return base64_signature_hash

is equal to nodejs sign-api-request:

const CryptoJS = require('crypto-js');


SECRET_KEY = 'b7566b7c87365a970e64109f92bb7415719cca1a0fea04c196f7ca7a45cc64b4'
API_KEY = '/v1/users/me'

function sign_api_request(api_secret=SECRET_KEY, api_key=API_KEY) {
   return CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA512(api_key, api_secret));
}

console.log(sign_api_request())

npm install crypto-js

p8ul
  • 2,212
  • 19
  • 19