Re: HTTP request with header parameter and hmac sha512

Posted Sat, 04 Nov 2017 07:54:57 GMT in reply to Erdemdem

On Fri, 03 Nov 2017 23:15:38 GMT, Erdemdem wrote:

Hi

I am really enjoying making web requests and doing async operations with vibe.d.

But now I need to make a web request given a description and PHP example(https://bittrex.com/home/api) :

For this version, we use a standard HMAC-SHA512 signing. >Append apikey and nonce to your request and calculate the >HMAC hash and include it under an apisign header. Note: the nonce is not respected right now but will be enforced later.

(...)

My code is not working and I am getting an exception like :

"Error: Expected valid JSON token, got '<!DOCTYPE HT'."

I am suspicious about three things :

1 - If string nonce = Clock.currTime().toString(); correct or not
if not how should I set the time?

Usually a nonce should be generated with a cryptographic RNG, such as vibe.crypto.cryptorand.systemRNG(), but to make the code equivalent with the PHP version it should be Clock.currTime(UTC()).toUnixTime.to!string. The question is what the API accepts here - decimal number, hex number, or an arbitrary string.

2 - If char[] generatedHmacStr = cast(char[])generatedHmac[0..generatedHmac.length]; step correct or not

The PHP version generates a hex string AFAICS. In this case, string generatedHmacStr = std.digest.toHexString(generatedHmac) should do the same thing.

3 - If req.headers["apisign"] = generatedHmacStr.idup; step correct or not.

In this particular case, a cast(string) could be used, because requestHTTP is guaranteed to not leak/escape the values that are passed to it. However, using .idup is generally the safe choice and will only have a performance impact in high-load scenarios.

I'd also check res.statusCode in the response handler, because it seems like the server sends back HTML instead of JSON in case of (certain?) errors. Maybe the response actually contains helpful information for further debugging.