Signature doesn't work when using spaces in url parameter

Question

I want to use an endpoint that uses an url parameter with spaces in it.
I have a function that generates an signature.

function generateSignature($request, $timestamp, $nonce)
{
Global $consumerKey, $accessToken, $consumerSecret, $tokenSecret, $realm, $signatureMethod, $version, $limit;
$baseparams = "";
$baseurl = strtok($request['url'], "?");
$base = strtoupper($request['method']) . "&" . urlencode($baseurl) . "&";
if(strpos($request['url'], '?') !== false){
    $url_components = parse_url($request['url']);
    parse_str($url_components['query'], $params);

    $paramnr = 0;
    foreach($params as $param => $value){
        $paramnr++;
        if($paramnr > 1){
            $baseparams .= "&".$param."=" . urlencode($value);
        }
        else{
            $baseparams .= $param."=" . urlencode($value);
        }
    }
    $trailingand = "&";
}
else{
    $trailingand = "";
}

echo $baseparams .= $trailingand
. "oauth_consumer_key=" . urlencode($consumerKey)
. "&oauth_nonce=" . urlencode($nonce)
. "&oauth_signature_method=" . urlencode($signatureMethod)
. "&oauth_timestamp=" . urlencode($timestamp)
. "&oauth_token=" . urlencode($accessToken)
. "&oauth_version=" . urlencode($version);
$base = $base.urlencode($baseparams);

$key = urlencode($consumerSecret) . '&' . urlencode($tokenSecret);
$signature = hash_hmac('sha256', $base, $key, true);
$signature = urlencode(base64_encode($signature));
return $signature;

}

My execute function:

function execute($options = array()){
    Global $consumerKey, $accessToken, $consumerSecret, $tokenSecret, $realm, $signatureMethod, $version;
    $curl = curl_init();
    echo $options['url'];
    curl_setopt_array($curl, array(
        CURLOPT_URL => $options['url'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => '',
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 0,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1
    ));
    $timestamp = round(microtime(true));
    $nonce = getNonce(11);

    $signature = generateSignature($options, $timestamp, $nonce);
    $authHeader = 'Authorization: OAuth realm="'.$realm.'",oauth_consumer_key="'.$consumerKey.'",oauth_token="'.$accessToken.'",oauth_signature_method="'.$signatureMethod.'",oauth_timestamp="'.$timestamp.'",oauth_nonce="'.$nonce.'",oauth_version="'.$version.'",oauth_signature="'.$signature.'"';
    curl_setopt( $curl, CURLOPT_CUSTOMREQUEST, strtoupper($options['method']) );
    curl_setopt($curl, CURLOPT_HTTPHEADER, array(
        $authHeader
    ));
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($curl, CURLINFO_HEADER_OUT, true);
    
    $response = curl_exec($curl);
    $array = json_decode($response, true);
    echo "<br/>".$responsecode = curl_getinfo($curl, CURLINFO_HTTP_CODE);

    if(curl_errno($curl)){
        return 'Curl error: ' . curl_error($curl);
    }
    else{
        return $array;
    }
    curl_close($curl);
}

This works fine when I have an url like this:

https://website.com/api/customer?limit=10 - WORKS

But the API also supports this:

https://website.com/api/customer?q=partner+EQUALS+10 - DOESNT WORK

When I put this URL into my function, it doesn't work and I get an 400 error instead.
My guess is that the signature is incorrect due to the spaces inside the url parameter.

How can I make this work with an url parameter that has spaces in it?
I already tried to use urlencode but that didnt work as well.

If it helps you out: I'm using the NETSUITE REST API for this.

Can someone help me plz...

space is not valid url i think .. you need encode url or replace spaces by _ char or something that, in JS you need encode parameter 'https://website.com/api/customer?q=' + encodeURIComponent('partner EQUALS 10') also in PHP you need encode/decode as well — daremachine, Dec 24 '21 at 15:14
@daremachine Decoding isn't needed with PHP with a GET request. — user3783243, Dec 24 '21 at 15:27
@JelleBotman `https://website.com/api/customer?q=partner EQUALS 10` is not an encoded URL. Please provide example of encoded URL that is failing for you. — user3783243, Dec 24 '21 at 15:28
@user3783243 `https://website.com/api/customer?q=partner+EQUALS+10` fails for me — TheRanger, Dec 24 '21 at 15:30
@JelleBotman `rawurlencode` should give `%20`, not `+` for a space encoding. — user3783243, Dec 24 '21 at 15:36
look at https://stackoverflow.com/questions/1634271/url-encoding-the-space-character-or-20 — daremachine, Dec 24 '21 at 15:49
Didnt helped me at all, need to know why my signature is incorrect. — TheRanger, Dec 24 '21 at 16:07

score 0 · Answer 1 · answered Dec 24 '21 at 15:19

0

When you make a req use encoded url insted of spaces.

https://website.com/api/customer?q=partner+EQUALS+10

this type will works for you

answered Dec 24 '21 at 15:19

Manish Dhiman

1
2

I hoped it was that easy but my signature is incorrect if the url has spaces, how can I make sure my signature is correct too? – TheRanger Dec 24 '21 at 15:29

Signature doesn't work when using spaces in url parameter

1 Answers1