HTTP API KEYS and Sha512 - GameCreators Forum

Author

Message

Weave

AGK Bronze Backer

18

Years of Service

User Offline

Joined: 26th Sep 2006

Location:

Posted: 4th Oct 2016 02:01

Link

When calling a server I can get a response$ from a server with:-

+ Code Snippet

http = CreateHTTPConnection ( )
SetHTTPHost( http, "Awebsite.com", 1 ,"USER" , "PASSWORD" )
SendHTTPRequestASync( http, "/the page its on" )
while GetHTTPResponseReady(http) = 0
     Print( "Connecting..." )
     Sync()
 endwhile
 response$ = GetHTTPResponse(http)

CloseHTTPConnection(http)
DeleteHTTPConnection(http)

do
print(ScreenFPS())
print(response$)
sync
loop

Which is fine, but the API I am using then needs each call to it to be AUTHENTICATED as in the API help below:-

+ Code Snippet


Authentication is fulfilled by sending the following HTTP-titles:

Key - API-key, example: FAF816D16FFDFBD1D46EEF5D5B10D8A2

Sign - digital signature, POST-parameters (?param0=val0 & ...& nonce=1) signed by secret key through HMAC-SHA512

Parameter nonce (1 minimum to 2147483646 maximum) in succeeding request should exceed that in the previous one.

Question : is it possible to sign in to the non PUBLIC area of a sites API with AppGameKit considering the HMAC-Sha512 part of the advice?

I have tried putting my KEY and SECRET in the line:- SetHTTPHost( http, "website.com", 1 ,"KEY" , "SECRET" ) (also sha512 versions of them)

but the I cant confirm EXACTLY how I should word the SendHTTPRequestASync( http, "/the page its on" ) and its POST info command line to get a success=1 return nor where to correctly place the variable nonce so I can then increment it each call....so to no avail

Anybody help trying to log in to a secure area of an API from AppGameKit? OR is it that I need to use HMAC-Sha512 , or encode to it...or is it how the call line is constructed???

Thx

Back to top

Profile PM Website

Paul Johnston

TGC Developer

22

Years of Service

User Offline

Joined: 16th Nov 2002

Location: United Kingdom

Posted: 5th Oct 2016 16:18

Link

What that usually means for these types of APIs is that the POST data contains a variable that is a hash of the other variables. For example

+ Code Snippet

PostData$ = "var1=some data&var2=some more data&key=FAF816D16FFDFBD1D46EEF5D5B10D8A2&nonce=12345&sign="
Hash$ = SHA512("somedata"+"some more data"+"FAF816D16FFDFBD1D46EEF5D5B10D8A2"+"12345")
PostData$ = PostData$ + Hash$
SendHTTPRequestASync( http, "/the page its on", PostData$ )

The exact make up of the hash should be defined in their API spec, and usually contains a shared secret variable that isn't passed with the data, it may actually be the API key, in which case the example above shouldn't send it in the post data. Unfortunately AppGameKit doesn't come with an SHA512 function built in, I'll add one for the next version.

Back to top

Profile PM Email

Weave

AGK Bronze Backer

18

Years of Service

User Offline

Joined: 26th Sep 2006

Location:

Posted: 5th Oct 2016 17:41

Link

Awesome, thanks Paul, that's quite exciting a prospect to be able to sha512(things) from AppGameKit (!!!), and thanks for the response I am beginning to understand how and why the line is constructed and your contribution helps a lot, thanks.

Back to top

Profile PM Website

Phaelax

DBPro Master

21

Years of Service

User Offline

Joined: 16th Apr 2003

Location: Metropia

Posted: 7th Oct 2016 13:39

Link

Wouldn't that leave your API key visible?

"I like offending people, because I think people who get offended should be offended." - Linus Torvalds

Back to top

Profile PM Email Website

Weave

AGK Bronze Backer

18

Years of Service

User Offline

Joined: 26th Sep 2006

Location:

Posted: 20th Jul 2019 03:36

Link

Hello Paul, been a while but I thought I`d give this another go and see if I can make any progress. Was wondering if I could ask your advice based on the websites documentation:-

Quote: "Authentication:
Authenticated methods require the use of an api key and can only be accessed via the POST method.

Authentication Header
Authorization is performed by sending the following variables into the request authentication header:

API_PUBLIC_KEY + ':' + SIGNATURE + ':' + NONCE

Request Signature:
URI: The uri endpoint e.g. https://theirwebsite.com/api/public/GetCurrency?Symbol=BTC ( or /private/getbalance I assume as its for the private api)
API_PUBLIC_KEY: Your api key
POST_PARAMS: JSON post parameters (base64 encoded)
NONCE: Unique indicator for each request.
SIGNATURE: API_KEY + "POST" + URI + NONCE + POST_PARAMS signed by secret key according to HMAC-SHA512 method.

GetBalance POST

Description
Return information for a specific balance

Uri: https://theirwebsite.com/api/private/getbalance

Parameters:
Currency: The currency of the balance to return e.g. 'BTC' (required)"

The above is the only documentation given, I was wondering if this is possible and if you had any code advice based on this with regards the JSON(base64 encoded) part. I am thinking this
refers to the Parameters of the particular request perhaps ie like :

+ Code Snippet

String$=("Currency"+"="+"Btc")
POST_PARAMS =  StringToBase64( String$ )

Must NONCE increase by one each time I request or send it data?
Looking at their examples it looks very complex so any pointers much appreaciated

Many thanks

Back to top

Profile PM Website

Sorry your browser is not supported!

AppGameKit Classic Chat / HTTP API KEYS and Sha512