2

(What I'm ultimately trying to accomplish is to look up individual products on Walmart.com using product codes, so if anyone has another way of doing that, that works too)

Walmart.io's Product Lookup API requires a header called "WM_SEC.AUTH_SIGNATURE", but I can't figure out how to generate it using Ruby. Some Java code is given here (I'm not sure about the legality of reproducing that code here) but I don't know Java so I don't understand what they're doing.

This SO question tries to explain the process, but again I'm not clear on exactly what's being done.

To get the digital signature using your own code, follow these steps:

  1. Get the Consumer ID and your Base 64-encoded Private Key you generated in Seller Center.

  2. Get the full URL you wish to call, including any path and query parameters.

  3. Use the GET method to construct an input for the digital signature.

  4. Use the structure listed below: The Consumer ID issued to you_ + "\n" + the URL of the API call you are making + "\n" + the request method of the API call you are making in all capitals + "\n" + the Unix Epoch timestamp now (in milliseconds since Jan 01 1970 UTC) + "\n" ** Note: The order of the parameters and the line returns \n are important to generate the signature properly

Generate the byte array of the structured data listed in step 3 using the following steps:

a. Decode the byte array with Base-64.

b. Encode the resulting value using PKCS#8 to represent your Private Key. Libraries in various languages offer the ability to identify that the Private Key is in PKCS#8 format and not in other conflicting formats such as PKCS#1.

c. Use this byte representation of your private key to sign the data using SHA-256 with RSA.

d. Encode the generated digital signature using Base-64.

Use the generated digital signature and the timestamp to make your API call.

I've gotten as far as this:

time = DateTime.now.strftime('%Q')
customerid = "customerid"
link = "https://developer.api.walmart.com/api-proxy/service/affil/product/v2/items/4837473"
method = "POST"
uncoded = customerid + "\n" + link + "\n" + method + "\n" + time + "\n"
encoded = Base64.encode64(uncoded)
privatekey = "longrsakey"

But I don't know how to continue. Do I have to encode my privatekey into PKCS#8 and then use the result to encode my encoded? I can't even find a PKCS#8 encoder in Ruby.

Can anyone help?

Community
  • 1
  • 1
Joe Morano
  • 1,715
  • 10
  • 50
  • 114

1 Answers1

1

Here is how you can create the signature needed to make the request, assuming you are trying to access the affiliate API:

version = 'YOUR VERSION'
consumer_id = "YOUR CONSUMER ID"
time_stamp = (Time.now.to_i * 1000).to_s
p_key = "YOUR PRIVATE KEY"
digest = OpenSSL::Digest.new('sha256')

data = consumer_id + "\n" + time_stamp + "\n" + version + "\n"

k = OpenSSL::PKey::RSA.new(p_key.to_s)
digest = OpenSSL::Digest::SHA256.new
signature = k.sign(digest,data)
signature = Base64.strict_encode64(signature)

headers = {
  "WM_SEC.KEY_VERSION": version,
  "WM_CONSUMER.ID": consumer_id,
  "WM_CONSUMER.INTIMESTAMP": time_stamp,
  "WM_SEC.AUTH_SIGNATURE": signature
}

puts HTTParty.get("https://developer.api.walmart.com/api-proxy/service/affil/product/v2/taxonomy", headers: headers).parsed_response
ricks
  • 3,154
  • 31
  • 51
  • 1
    Thank you! This saved me lots of time. A few notes: *This line didn't seem necessary. digest = OpenSSL::Digest.new('sha256') * "YOUR PRIVATE KEY" needs to include the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" – Ian Shields Jun 18 '22 at 16:59