
I am trying to call a REST API (LogicMonitor API) that requires token authentication from the client side. But the authentication requires a signature that is made up of the Access ID, a base64-encoded HMAC signature based on the API Token access key, and a timestamp.

Ref: https://www.logicmonitor.com/support/rest-api-developers-guide/overview/using-logicmonitors-rest-api

The only example I found was in Node JS, which imports modules like Crypto and request. Since I am trying to do it from the client end, I will not be able to use Node JS. I tried using JavaScript libraries like the Crypto-JS CDN (https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js), but it didn't work.

Below is my JavaScript code:

```javascript
var accessId = '12312312312';
var accessKey = '12324566767';
var company = 'api'

// Request Details
var httpVerb = "GET";
var epoch = (new Date).getTime();
var resourcePath = "/device/groups";

// Construct signature
var requestVars = httpVerb + epoch + resourcePath;
var hash = CryptoJS.HmacSHA256(requestVars, accessKey);
var signature = btoa(hash);

var auth = "LMv1 " + accessId + ":" + signature + ":" + epoch;
console.log(auth);

$.ajax({
    url: 'https://' + company + '.logicmonitor.com/santaba/rest' + resourcePath,
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth
    },
    type: "GET",
    dataType: "json",
    data: {},
    success: function(result) {
        console.log(result);
    },
    error: function(error) {
        console.log(error);
    }
});
```

Update 1: The Node JS example has the header set as below:

```javascript
var options = {
    "method": httpVerb,
    "uri": "https://" + company + ".logicmonitor.com/santaba/rest" + resourcePath,
    "headers": {
        'ContentType': 'application/json',
        'Authorization': auth // formed by the crypto authentication
    }
};

// Make request
request(options, function (error, response, body) {
    if (!error && response.statusCode == 200) {
        // Print out the response body
        console.log(body)
    }
});
```

But since the request package provided by Node forms the API request, I am unable to figure out how I can frame the request from my client-end JavaScript. Note: The access credentials can be on the client side as this will be an in-house application.
Henke
Gaurav Thantry
  • Does this answer your question? [Using JavaScript to properly sign a string using HmacSHA256](https://stackoverflow.com/questions/35228114/using-javascript-to-properly-sign-a-string-using-hmacsha256). See [CryptoJS](https://code.google.com/archive/p/crypto-js). – Martin Zeitler Sep 28 '20 at 23:15
  • Beside that, you still could have your own micro-service (which acts as a proxy for that API), in order **NOT** to disclose access credentials to the client-side (which is rather an issue than hmacSHA256). Your example is invalid, because it generates `auth`, but it never sets it as `Authorization` header. – Martin Zeitler Sep 28 '20 at 23:25
  • Hi @MartinZeitler, Thank you for your reply. I am still trying to get my head around what hash_func is, in the javascript reply of the question that you recommended for me. Please have a look at the update that I have provided in my question. – Gaurav Thantry Sep 28 '20 at 23:37
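
An added example (not part of the question, its comments, or LogicMonitor's sample code): building the `LMv1` header with the browser's built-in Web Crypto API instead of CryptoJS. It assumes, following LogicMonitor's published samples rather than anything stated on this page, that the signature is the base64 encoding of the hex HMAC-SHA256 digest of verb + epoch + body + resource path; the function names `hmacSha256Hex`, `buildLMv1Auth` and `demo` are illustrative.

```javascript
// Added example: LMv1 Authorization header built with the Web Crypto API.
// Assumption (from LogicMonitor's published samples, not from this page):
//   signature = base64( hex( HMAC-SHA256(accessKey, verb + epoch + data + path) ) )

// Browsers expose crypto.subtle on secure (HTTPS) origins only; the require()
// fallback is reached only on Node versions without a global `crypto`.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require("crypto").webcrypto.subtle;

// HMAC-SHA256 of `message` under `key` (both strings), as lowercase hex.
async function hmacSha256Hex(key, message) {
  const enc = new TextEncoder();
  const cryptoKey = await subtle.importKey(
    "raw", enc.encode(key),
    { name: "HMAC", hash: "SHA-256" },
    false,            // non-extractable: page scripts cannot export it again
    ["sign"]
  );
  const mac = await subtle.sign("HMAC", cryptoKey, enc.encode(message));
  return Array.from(new Uint8Array(mac), b => b.toString(16).padStart(2, "0")).join("");
}

// Builds the header value "LMv1 <accessId>:<signature>:<epoch>".
// `data` must be the exact body string sent for POST/PUT, "" for GET/DELETE.
async function buildLMv1Auth({ accessId, accessKey, httpVerb, resourcePath,
                               data = "", epoch = Date.now() }) {
  const requestVars = httpVerb + epoch + data + resourcePath;
  const hex = await hmacSha256Hex(accessKey, requestVars);
  const signature = btoa(hex);  // hex is pure ASCII, so btoa() is safe here
  return `LMv1 ${accessId}:${signature}:${epoch}`;
}

// Constructed sample values in the shape used by the question (not real credentials).
async function demo() {
  const auth = await buildLMv1Auth({
    accessId: "12312312312",
    accessKey: "12324566767",
    httpVerb: "GET",
    resourcePath: "/device/groups",
    epoch: 1601334000000,       // fixed so the output is reproducible
  });
  return auth;                  // send as the Authorization request header
}
```

The epoch placed in the header must be the same value that was signed, and for POST/PUT the signed `data` must be byte-for-byte the body that is sent.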

0 Answers