Invalid Signature

[Sylv3stR]

Hi

anyone using this code ? it gives Invalid Signature any advice what could I do wrong ?

[daveisnt]

I have the "Invalid Signature" problem too. I've tried with a different code base and got the same response. I can make the Bricklink API work with Postman, but not with PHP. Argh!

[wouterslager]

I got the same problem, but I got it to work eventually. It required some changes in the parameters of the example code given.

I'm using this to get a list of inventory:

$response = $BricklinkApi->request('GET', '/inventories', array('item_type'=>$item_type,'status'=>'Y'))->execute();

where $item_type is "part" for example.

[daveisnt]

Thanks for the tip and the code snippet. I still get Invalid Signature (using your code), which leads me to think that maybe it's something that my hosting provider is doing to block or deform the request :/

[nicmare]

same problem here. here is a helpful article about verifying signatures in oauth. i checked everything. key, token and timestamp are correct. still getting invalid signature. any solutions?

[daveisnt]

I did fix it eventually... and I do mean eventually. It's been about a year now so I can't remember exactly what had me stuck, but I think it was an inconsistency with the algorithm where there was a single "&" character that should NOT be encoded, while every other one IS encoded.

Here is a snippet of the PHP code that worked for me:

$key = rawurlencode(ConsumerSecret).'&'.rawurlencode(TokenSecret);
$parameters = [
'oauth_consumer_key' => rawurlencode(ConsumerKey),
'oauth_nonce' => rawurlencode($nonce),
'oauth_signature_method' => rawurlencode($signatureMethod),
'oauth_timestamp' => rawurlencode($timestamp),
'oauth_token' => rawurlencode(TokenValue),
'oauth_version' => rawurlencode($version),
'guide_type' => $guide_type,
'new_or_used' => $condition
];
ksort($parameters);
$parameterString = http_build_query($parameters);
$base = $method.'&'.rawurlencode(urlBase.$url).'&'.rawurlencode($parameterString);
$signature = base64_encode(hash_hmac('sha1', $base, $key, true));
$authHeader = 'Authorization: OAuth oauth_consumer_key="'.ConsumerKey.'",oauth_nonce="'.$nonce.'",oauth_signature_method="'.$signatureMethod.'",oauth_timestamp="'.$timestamp.'",oauth_token="'.TokenValue.'",oauth_version="'.$version.'",oauth_signature="'.rawurlencode($signature).'"';
return $authHeader;

[nicmare]

thanks dave. afaik this is a completely different code and does not use the current class. but i also do not see a significant difference in code. the class also uses "rawurlencode". but i will dig into code further more to look for that "&".

[nicmare]

Finally found the problem. Spelling mistake in readme which is already reported in this issue damn it! unbelievable i did not notice so long.

[texasade]

@daveisnt
I am also having the Signature invalid error:

{"meta":{"description":"SIGNATURE_INVALID: Invalid Signature","message":"BAD_OAUTH_REQUEST","code":401}}

I have very similar code to your example except the $authHeader section, as I am trying to access the Bricklink API via the URL passing the vars in the URL (GET)

I'm pretty sure the signature I am generating is correct. I have been banging my head against a brick wall now for days with this.

Would you or anyone else be able to help out?

Heres the code I have, key/values have been changed.

$consumer_key="AAAA";
$consumer_secret="BBBB";
$token_value="CCCC";
$token_secret="DDDD";

$signature_method="HMAC-SHA1";
$version="1.0";
$nonce=chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57)).chr(rand(48,57));
$base_url="https://api.bricklink.com/api/store/v1/";
$request_url="orders?direction=in";
$method="GET";
$params="oauth_consumer_key=$consumer_key&oauth_nonce=$nonce&oauth_signature_method=HMAC-SHA1&oauth_timestamp=".time()."&oauth_token=$token_value&oauth_version=1.0";

$params2='"oauth_consumer_key":"'.rawurlencode($consumer_key).'","oauth_nonce":"'.rawurlencode($nonce).'","oauth_signature_method":"'.rawurlencode($signature_method).'","oauth_timestamp":"'.rawurlencode(time()).'","oauth_token":"'.rawurlencode($token_value).'","oauth_version":"'.rawurlencode($version).'"';

$key = rawurlencode($consumer_secret).'&'.rawurlencode($token_secret);
$base=$method.'&'.rawurlencode($base_url.$request_url).'&'.rawurlencode($params);

$signature = base64_encode(hash_hmac( 'sha1', $base, $key,true ));

$oauth_siganture='"oauth_signature":"'.$signature.'",';
$to_encode="{".($oauth_siganture.$params2)."}";

echo"<a href=\"$base_url$request_url&Authorization=".rawurlencode("$to_encode")."\" TARGET=\"NEW\">link test</a>";

[nicmare]

why you build your own signature? the script does it for you:

require_once dirname(__FILE__).'/PHPBricklinkAPI/autoload.php';
$BricklinkApi = new PHPBricklinkApi\BricklinkAPI([
        'tokenValue' => BL_TOKEN_VALUE,
        'tokenSecret' => BL_TOKEN_SECRET,
        'consumerKey' => "xxx",
        'consumerSecret' => "xxx"
]);
$request = $BricklinkApi->request("GET", "/items/set/".$setno)->execute();

thats all i have and need.