Git Product home page Git Product logo

oauth1-signer-ruby's Introduction

oauth1-signer-ruby

maintenance-status

Table of Contents

Overview

Zero dependency library for generating a Mastercard API compliant OAuth signature.

Compatibility

  • Ruby 2.5+
  • Truffle Ruby 1.0.0+

References

Versioning and Deprecation Policy

Usage

Prerequisites

Before using this library, you will need to set up a project in the Mastercard Developers Portal.

As part of this set up, you'll receive credentials for your app:

  • A consumer key (displayed on the Mastercard Developer Portal)
  • A private request signing key (matching the public certificate displayed on the Mastercard Developer Portal)

Adding the Library to Your Project 

gem install mastercard_oauth1_signer

Loading the Signing Key

The following code shows how to load the private key using OpenSSL:

require 'openssl'

is = File.binread("<insert PKCS#12 key file path>");
signing_key = OpenSSL::PKCS12.new(is, "<insert key password>").key;

Creating the OAuth Authorization Header

The method that does all the heavy lifting is Mastercard::OAuth.get_authorization_header. You can call into it directly and as long as you provide the correct parameters, it will return a string that you can add into your request's Authorization header.

require 'mastercard/oauth'

consumer_key = "<insert consumer key>";
uri = "https://sandbox.api.mastercard.com/service";
method = "POST";
payload = "Hello world!";
authHeader = Mastercard::OAuth.get_authorization_header(uri, method, payload, consumer_key, signing_key);

Integrating with OpenAPI Generator API Client Libraries

OpenAPI Generator generates API client libraries from OpenAPI Specs. It provides generators and library templates for supporting multiple languages and frameworks.

Generators currently supported:

ruby

OpenAPI Generator

Client libraries can be generated using the following command:

openapi-generator-cli generate -i openapi-spec.yaml -g ruby -o out

See also:

Callback method Typhoeus.before

The Authorization header can be hooked into before a request run:

config = OpenapiClient::Configuration.default
api_client = OpenapiClient::ApiClient.new
config.basePath = "https://sandbox.api.mastercard.com"
api_client.config = config

Typhoeus.before { |request|
  authHeader =
      Mastercard::OAuth.get_authorization_header request.url, request.options[:method],
                                     request.options[:body], consumer_key, signing_key.key
  request.options[:headers] = request.options[:headers].merge({'Authorization' => authHeader})
}
    
serviceApi = service.ServiceApi.new api_client

opts = {}
serviceApi.call opts
//

See also: https://rubydoc.info/github/typhoeus/typhoeus/frames/Typhoeus#before-class_method

oauth1-signer-ruby's People

Contributors

amasses avatar asahu05 avatar danny-gallagher avatar ech0s7r avatar jaaufauvre avatar joseph-neeraj avatar kkrauth avatar lurkshark avatar sandhuprabhjot avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

oauth1-signer-ruby's Issues

[BUG] ? OAuth Signature parameter failed verification. Acceptable signature base string

Bug Report Checklist

  • Have you provided a code sample to reproduce the issue?
  • Have you tested with the latest release to confirm the issue still exists?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?

Description
I do not know if this is a bug or documentation issue.

Following the documentation configuring MC API client, and making some changes to parts of the examples that are outdated I finally get a response from the server. But, I have not been able to pass further than the authentication part.

To Reproduce
Tested with the version mentioned in the docs.

I tried the code below using both sandbox and production information. None of the seem to work.

require 'mastercard/oauth'

config = MastercardMerchantClient::Configuration.default
# config.server_index = 1

api_client = MastercardMerchantClient::ApiClient.new(config)
merchant_client = MastercardMerchantClient::MerchantsApi.new(api_client)

# production
consumer_key = "xxxx" # production key
keystore_password = "xxxx" # production password

is = File.binread(File.join(Rails.root, "signing-key-file.p12")) # Load the signing key
signing_key = OpenSSL::PKCS12.new(is, keystore_password).key

# Add the interceptor code responsible for signing HTTP requests
Typhoeus::Config.verbose = true
Typhoeus.before { |request|
  authHeader = Mastercard::OAuth.get_authorization_header request.base_url,
                                              request.options[:method],
                                              request.options[:body],
                                              consumer_key,
                                              signing_key
  request.options[:headers] = request.options[:headers].merge({'Authorization' => authHeader})
}

# card_acceptor_id = 'C928456'
# result = merchant_client.get_merchant_by_card_acceptor_id(card_acceptor_id)
# p result
#
merchant_descriptor = "production merchant descriptor without spaces as stated in the docs"
result = merchant_client.get_merchants(merchant_descriptor)
p result

result = merchant_client.get_merchants(merchant_descriptor, match_type: "ExactMatch")
p result

results

ETHON: performed EASY effective_url=https://api.mastercard.com/merchant-identifier/merchants?merchant_descriptor=xxxxxxx&match_type=ExactMatch response_code=403 return_code=ok total_time=0.712274
/Users/xyz/lib/mastercard_merchant_client/lib/mastercard_merchant_client/api_client.rb:67:in `call_api': Error message: the server returns an error (MastercardMerchantClient::ApiError)
HTTP status code: 403
Response headers: {"Content-Type"=>"application/json", "Content-Length"=>"705", "correlation-id"=>"0.12a31302.1706299287.a84c3c", "Vary"=>"Accept-Encoding", "Date"=>"Fri, 26 Jan 2024 20:01:27 GMT", "Connection"=>"keep-alive", "X-MC-Correlation-ID"=>"0.12a31302.1706299287.a84c3c"}
Response body: {"Errors":{"Error":[{"Source":"Gateway","ReasonCode":"AUTHENTICATION_FAILED","Description":"OAuth Signature parameter failed verification. Acceptable signature base string: REDACTED","Recoverable":false,"Details":null}]}}

Expected behavior
I expect to be able to get a response from the server. In this case, the merchant's information.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here (OS, language version, etc..).

The APIs are approved in the developer portal:
image

Related issues/PRs
Has a similar issue/PR been reported/opened before?

No, I could not find any related PRs or Issues..

Suggest a fix/enhancement
If you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit), or simply make a suggestion.

Namespace `oauth.rb`

When the LOAD_PATH is configured for a Ruby application, the lib directory for the gems it depends on are added. This is done through Bundler.setup, but could be done through other means, too.

This gem provides a top-level oauth.rb, but so does https://github.com/oauth-xx/oauth-ruby/tree/main/lib. If these two gems are used synchronously in a Ruby project, the file that is included by:

require "oauth"

Is non-deterministic. It's either:

  1. This gem
  2. The oauth gem

Not only this, but your OAuth class will also clash with that gem's constant too.

I'd recommend:

  1. Changing the file path to lib/mastercard/oauth.rb
  2. Changing the constant to Mastercard::OAuth

Not able to install the package

Hello, performed a fresh install of Ruby. Then, directly typed : gem install mastercard_oauth1_signer.gem

I got following response:
ERROR: While executing gem … (ArgumentError)
“password” is not octal string

I cannot move forward

"Exception message: cannot load such file -- test/unit" in RubyMine

After the project is loaded in RubyMine 2020.2.3, running the tests gives:

Fail to load: .../oauth1-signer-ruby/tests/test_get_authorization_string.rb:1
      Exception message: cannot load such file -- test/unit
[".../oauth1-signer-ruby/tests/test_get_authorization_string.rb:2:in `require'", ".../oauth1-signer-ruby/tests/test_get_authorization_string.rb:2:in `<top (required)>'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `require'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `block in require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `each'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:187:in `<main>'"]

Fail to load: .../oauth1-signer-ruby/tests/test_get_base_uri_string.rb:1
      Exception message: cannot load such file -- test/unit
[".../oauth1-signer-ruby/tests/test_get_base_uri_string.rb:2:in `require'", ".../oauth1-signer-ruby/tests/test_get_base_uri_string.rb:2:in `<top (required)>'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `require'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `block in require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `each'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:187:in `<main>'"]

Fail to load: .../oauth1-signer-ruby/tests/test_get_body_hash.rb:1
      Exception message: cannot load such file -- test/unit
[".../oauth1-signer-ruby/tests/test_get_body_hash.rb:2:in `require'", ".../oauth1-signer-ruby/tests/test_get_body_hash.rb:2:in `<top (required)>'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `require'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:49:in `block in require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `each'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:42:in `require_all_test_scripts'", "C:/Program Files/JetBrains/RubyMine 2020.2/plugins/ruby/rb/testing/runner/tunit_or_minitest_in_folder_runner.rb:187:in `<main>'"]

Missing unit tests for `OAuth.get_authorization_string`

Some tests we have in the other languages are missing in the Ruby library (see: test_get_authorization_string.rb).

Example (see: OAuthTest.cs):

[TestMethod]
public void TestGetBaseUriString_ShouldSupportRfcExamples()
{
    Assert.AreEqual("https://www.example.net:8080/", OAuth.GetBaseUriString("https://www.example.net:8080"));
    Assert.AreEqual("http://example.com/r%20v/X", OAuth.GetBaseUriString("http://EXAMPLE.COM:80/r%20v/X?id=123"));
}

[TestMethod]
public void TestGetBaseUriString_ShouldRemoveRedundantPorts()
{
    Assert.AreEqual("https://api.mastercard.com/test", OAuth.GetBaseUriString("https://api.mastercard.com:443/test?query=param"));
    Assert.AreEqual("http://api.mastercard.com/test", OAuth.GetBaseUriString("http://api.mastercard.com:80/test"));
    Assert.AreEqual("https://api.mastercard.com:17443/test", OAuth.GetBaseUriString("https://api.mastercard.com:17443/test?query=param"));
}

[TestMethod]
public void TestGetBaseUriString_ShouldRemoveFragments()
{
    Assert.AreEqual("https://api.mastercard.com/test", OAuth.GetBaseUriString("https://api.mastercard.com/test?query=param#fragment"));
}

[TestMethod]
public void TestGetBaseUriString_ShouldAddTrailingSlash()
{
    Assert.AreEqual("https://api.mastercard.com/", OAuth.GetBaseUriString("https://api.mastercard.com"));
}

[TestMethod]
public void TestGetBaseUriString_ShouldUseLowercaseSchemesAndHosts()
{
    Assert.AreEqual("https://api.mastercard.com/TEST", OAuth.GetBaseUriString("HTTPS://API.MASTERCARD.COM/TEST"));
}

Parameters should be sorted by name, using lexicographical byte value ordering

When I try using to make a request to: GET https://sandbox.api.mastercard.com/merchant-id/v2/merchant-ids?merchant_id=DOLIUMPTYLTDWELSHPOOLWA&type=ExactMatch I get the following error message:

{
    "Errors": {
        "Error": [
            {
                "Source": "Gateway",
                "ReasonCode": "AUTHENTICATION_FAILED",
                "Description": "OAuth signatures did not match. Acceptable signature base string: GET&https%3A%2F%2Fsandbox.api.mastercard.com%2Fmerchant-id%2Fv2%2Fmerchant-ids&merchant_id%3DDOLIUMPTYLTDWELSHPOOLWA%26oauth_body_hash%3D47DEQpj8HBSa%2B%2FTImW%2B5JCeuQeRkm5NMpJWZG3hSuFU%3D%26oauth_consumer_key%3Dz_YYEEo9YwCtYIRqGDnobV6FqVDKhNLAWuz14QpHeed66158%21a18d314c4d39418abb6fc9805ba4f2350000000000000000%26oauth_nonce%3DVapTQyuuC5z%26oauth_signature_method%3DRSA-SHA256%26oauth_timestamp%3D1619593827%26oauth_version%3D1.0%26type%3DExactMatch",
                "Recoverable": false,
                "Details": null
            }
        ]
    }
}

When I try to make a request using Postman I get the correct response 200 OK.

I notice that if I check Add empty parameters to signature in Postman I will also get 401 error.

I am wondering how I can overcome this problem?
I was assuming that I should pass something to payload argument of OAuth.get_authorization_header but not sure what?

[REQ] Minor fixes for code optimisation, fix nonce generation to be secure

Is your feature request related to a problem? Please describe.

While reviewing this code I have noted a few issues such as:

  • Inconsistent use of OpenSSL::Digest vs Digest
  • Unnecessary calls to convert Time to UTC before getting the UNIX timestamps
  • Insecure nonce generation

Describe the solution you'd like

These issues should be resolved - I will submit a PR for these issues.

Describe alternatives you've considered

There are no alternatives

Additional context

None

Authorization header created with spaces

Each parameter in the Authorization header is created with spaces between the paramenter name and its value, i.e.:

Authorization: OAuth oauth_body_hash = '+eoHI/e/(...)S0seIE=',oauth_consumer_key = 'q_zC8ga1(...)00000',oauth_nonce = 'sFJII80N',oauth_signature_method = 'RSA-SHA256',oauth_timestamp = '1556822180',oauth_version = '1.0',oauth_signature = 'PPn(...)Uo3D'

Spaces should be removed.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.