Issues with validating API keys #7

Description

@ZandercraftGames

When I attempt to authenticate with my API using the API key and secret that I have set, it throws the following error no matter what url path I attempt to connect to.

<pre>MissingRequiredHeadersError: Missing required HTTP headers : authorization.
    at Object.parseRequest (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\api-key-auth\lib\parser.js:31:13)
    at middleware (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\api-key-auth\lib\index.js:42:32)
    at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)
    at C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:275:10)
    at jsonParser (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\body-parser\lib\types\json.js:110:7)
    at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)
    at C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:275:10)
    at urlencodedParser (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\body-parser\lib\types\urlencoded.js:91:7)
    at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)</pre>

Activity

ZandercraftGames commented on Feb 8, 2020 (Author)

arkerone commented on Feb 8, 2020 (Owner)

What's the request from the client to your API?

ZandercraftGames commented on Feb 8, 2020 (Author)

image
I am new to API creation, so I apologise in advance for my lack of knowledge in the field.
P.S. The API key and secret are going to be changed before being put into production.

arkerone commented on Feb 8, 2020 (Owner)

It's not the right way, look at the documentation: https://github.com/arkerone/api-key-auth/blob/master/signature.md

ZandercraftGames commented on Feb 8, 2020 (Author)

I read it, but I don't fully understand it. Give me a moment, I will re-read it.

ZandercraftGames commented on Feb 8, 2020 (Author)

I'm not seeing much other than the fact it says I have to use an encrypted signature in either hmac-sha1, hmac-sha256, or hmac-sha512 in the following format:

Authorization: Signature keyId="API_KEY",algorithm="hmac-sha256",headers="(request-target) host date digest content-length",signature="Base64(HMAC-SHA256(signing string))"

ZandercraftGames commented on Feb 8, 2020 (Author)

But how do I create a signature based on the instructions in "Signature creation", and how does it tie into the API key system of the following:
image

sookoll commented on Apr 6, 2020

I agree with @ZandercraftGames that the documentation is lacking on how to create the Authorization header. There is information on what it should contain, but how to create one is missing. @arkerone perhaps you can update the documentation with some straightforward guide or example?

ZandercraftGames commented on Apr 6, 2020 (Author)

@sookoll Yeah, I literally just gave up and haven't really touched this since my last comment here. I just accepted the fact that I wouldn't get any form of straight-forward help here (at the time of posting). 🤷‍♂

arkerone commented on Apr 6, 2020 (Owner)

@sookoll The documentation about the creation of the signature is here: https://github.com/arkerone/api-key-auth/blob/master/signature.md
I describe the part of the authorization header.

@ZandercraftGames You don't use the library properly. You must create the authorization header as described in the link above and send the header in the "Headers" tab in Postman if you want to test it.
In order, you must:

  • Create the signature string,
  • Use the algorithm in the following list hmac-sha1, hmac-sha256 or hmac-sha512 to generate a digital signature of the signature string,
  • Encode the result of the digital signature in base64.

image

I think if you are new to API creation this library is a bit too hard for you. You have to be comfortable with the HTTP protocol and the use of headers to use this library.

I will create a client side library to simplify the use of this library.

ZandercraftGames commented on Apr 8, 2020 (Author)

@arkerone Thank you for your response. I will try it the way you have described. 😄

arkerone commented on Apr 27, 2020 (Owner)

@ZandercraftGames Is it OK for you?

ghost commented on Jun 3, 2020

Can you provide an example of constructing the header?

marquitobb commented on Jul 15, 2020

help me please

mcnaveen commented on Sep 13, 2020

Facing "MissingRequiredHeadersError: Missing required HTTP headers : authorization."

image

DannnB commented on Mar 30, 2021

This might help give a guide with the Signature process in postman:
I'm only just trying to use this package right now so don't take my code for production.

The comments in the image should explain the process that https://github.com/arkerone/api-key-auth/blob/master/signature.md explains
image

@arkerone did you get anywhere with the "client-side library"? Is the code above the best practice for using api-key-auth? This would then be moved over to something like Axios. How would you hide the secret on the client app?

Thanks for any help you can give! I'm new to doing this type of auth for express

Postman "Pre-request script"

const apiKey = "847210567175011568915"
const apiSecretKey = "awdoi82th2t9h02t4h0gw0jigq"

const request_settings = {
    method: pm.request.method.toLowerCase(),
    uri: `/${pm.request.url.path.reduce((prevVal, currVal, idx) => idx == 0 ? currVal : prevVal + '/' + currVal, '')}`
}
// Create the signature string
const signatureRawData = `(request-target): ${request_settings.method} ${request_settings.uri}`
const signature = CryptoJS.enc.Utf8.parse(signatureRawData);

// Use the algorithm in the following list hmac-sha1, hmac-sha256 or hmac-sha512 to generate a digital signature of the signature string
const signatureBytes = CryptoJS.HmacSHA256(signature, apiSecretKey);
// Encode the result of the digital signature in base64.
const requestSignatureBase64String = CryptoJS.enc.Base64.stringify(signatureBytes);

// Create the value for the "Authorization" header
const signatureValue = `Signature keyId="${apiKey}",algorithm="hmac-sha256",headers="(request-target)",signature="${requestSignatureBase64String}"`

// Set it in an environment variable
pm.environment.set("signature", signatureValue);

// This will show your created "Authorization" header value in the Postman console
console.log(signatureValue)

arkerone commented on Apr 2, 2021 (Owner)

@DannnB your code looks good! Unfortunately, I don't have any time to create a lib for the client side. Don't use it for "browser" authentication; this auth method must be used only to authenticate a service (server to server). To hide the secret you have several solutions: you can save the secret in an environment variable or use a service like HashiCorp Vault or AWS Secrets Manager.
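
An added example, not part of the thread and not api-key-auth's own code: the three steps listed above (signature string, HMAC, base64) done server to server in Node.js with the built-in `crypto` module, plus a constant-time check for the receiving side. It assumes the signature string is one lowercase `name: value` line per signed header joined by newlines (the thread only shows the `(request-target)` line); the function names, key id, secret, host and path are constructed for illustration.

```javascript
// Added example; function names and sample values are hypothetical.
const crypto = require('crypto');

const ALGORITHMS = new Map([['hmac-sha1', 'sha1'], ['hmac-sha256', 'sha256'], ['hmac-sha512', 'sha512']]);

// Step 1: create the signature string. Assumption: one "name: value" line per
// signed header, lowercase names, joined by "\n" in the order listed in headers="".
function buildSigningString(method, path, headers, signedNames) {
  return signedNames.map((name) => {
    if (name === '(request-target)') return `(request-target): ${method.toLowerCase()} ${path}`;
    if (headers[name] === undefined) throw new Error(`missing header to sign: ${name}`);
    return `${name}: ${headers[name]}`;
  }).join('\n');
}

// Steps 2 and 3: HMAC the signature string with the API secret, then base64.
function sign(signingString, secret, algorithm) {
  const hash = ALGORITHMS.get(algorithm);
  if (!hash) throw new Error(`unsupported algorithm: ${algorithm}`);
  return crypto.createHmac(hash, secret).update(signingString, 'utf8').digest('base64');
}

function buildAuthorizationHeader({ keyId, secret, algorithm, method, path, headers, signedNames }) {
  const signature = sign(buildSigningString(method, path, headers, signedNames), secret, algorithm);
  return `Signature keyId="${keyId}",algorithm="${algorithm}",` +
    `headers="${signedNames.join(' ')}",signature="${signature}"`;
}

// Receiving side: recompute the HMAC and compare in constant time.
function verifySignature(received, signingString, secret, algorithm) {
  const expected = Buffer.from(sign(signingString, secret, algorithm), 'base64');
  const got = Buffer.from(received, 'base64');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed request. A real service reads the secret from the environment
// (or a secrets manager); the fallback string is a constructed demo value.
const demo = {
  keyId: 'demo-key-id',
  secret: process.env.API_SECRET || 'constructed-demo-secret',
  algorithm: 'hmac-sha256',
  method: 'GET',
  path: '/protected',
  headers: { host: 'api.example.test', date: 'Tue, 30 Mar 2021 12:00:00 GMT' },
  signedNames: ['(request-target)', 'host', 'date'],
};
console.log(buildAuthorizationHeader(demo));
```

Every header named in `headers="..."` must be sent with exactly the value that was signed, otherwise the recomputed HMAC on the server will not match.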

          Issues with validating API keys · Issue #7 · arkerone/api-key-auth