Invalid API signature when creating a new user

  • Invalid API signature when creating a new user

    The call to api.init generates the required access token, client id, secret, and api version, but the call to user.save is returning an invalid_api_signature error.
    Using vBCloud 5.6.0

    Here's the code snippet to api.init:

    PHP Code:
    $requestparams = array(
    'api_m' => 'api.init',
    'clientname' => 'Client',
    'clientversion' => '1.0',
    'platformname' => 'Platform',
    'platformversion' => '1.0',
    'uniqueid' => 'XXXX'
    );

    // cURL
    $url = 'https://myforum.com/api.php';
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $curl_response = curl_exec($ch);
    curl_close($ch);

    $curl_response_array = json_decode($curl_response, true);

    // API
    $apiaccesstoken = $curl_response_array['apiaccesstoken'];
    $apiclientid = $curl_response_array['apiclientid'];
    $apisecret = $curl_response_array['secret'];
    $apiversion = $curl_response_array['apiversion'];

    And the call to api.save:

    PHP Code:
    // User
    $user = array(
    'username' => "Test",
    'email' => "test@test.com",
    'usergroupid' => "14"
    );

    // Sort GET params by key
    ksort($user);

    // The HTTP GET params for an API method
    // (without api related params except api_m. see below)
    $requestparams = array(
    'api_m' => 'user.save',
    'userid' => '0',
    'password' => '123',
    'user' => $user,
    'options' => '',
    'adminoptions' => '',
    'userfield' => ''
    );

    // Sort GET params by key
    ksort($requestparams);

    // The correct signature is the md5 value of $data + accesstoken + clientid + secret + apikey
    // (all can be fetched from api_init except apikey
    // -- this is a value specific to the vB site you are trying to connect to and can be found in the admincp)
    $requestparams_string = http_build_query($requestparams);
    $apisignature = md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

    $requestparams['api_s'] = $apiaccesstoken;
    $requestparams['api_c'] = $apiclientid;
    $requestparams['api_sig'] = $apisignature;
    $requestparams['api_v'] = $apiversion;

    // cURL
    $url = 'https://myforum.com/api.php';
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $curl_response = curl_exec($ch);
    curl_close($ch);

    $curl_response_array = json_decode($curl_response, true);

    Here's the generated query string for the api.save call (I've replaced the hash strings with XXX):
    HTML Code:
    adminoptions=&api_m=user.save&options=&password=123&user%5Bemail%5D=test%40test.com&user%5Busergroupid%5D=14&user%5Busername%5D=Test&userfield=&userid=0&api_s=XXX&api_c=1&api_sig=XXX&api_v=560
    I've tried sorting the $user sub-array, as well as adding the remaining parameters (notificationOptions, hvinput, extra) to the user.save method call but still getting the same error.
    Any thoughts?

    Thanks
    Last edited by elieseif; Wed 15th Apr '20, 2:59am.

  • #2
    Small update, I removed the api_s and api_c from the user.save method call and now I'm getting a "no_permission" error.
    The registration settings are still set to allow new registrations.

    Is there a more detailed documentation on the API and how to use it? The only reference I could find was this:
    http://vb5support.com/resources/mapi/

    Thanks

    Comment


    • #3
      So I tried logging in as admin before calling user.save and got both session and cpsession hashes, but I'm still unable to register a new user. Same "no_permission" error.

      Comment


      • #4
        Will have to see if I can get a developer to look at this.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API - Full / Mobile
        Vote for your favorite feature requests and the bugs you want to see fixed.

        Comment


        • #5
          What is the api_init string that you're sending?

          It should be formatted like this:
          http://www.yourforumcorebaseurl.com/api.php?api_m=api_init&api_c=clientid&api_s=accesstoken&api_sig=signature&api_v=3&b=value1&a=value2

          api_s is a required value. It is basically your password to the API.

          Wayne Luke

          Comment


          • #6
            Did you possibly mean the call to user.save?

            The call to api.init looks like this:
            HTML Code:
            https://myforum.com/api.php?api_m=api.init&clientname=Client&clientversion=1.0&platformname=Platform&platformversion=1.0&uniqueid=f55d6541
            This returns the client id, access token, secret and api version.

            Here's the next call to user.save (contains api_s, api_sig, and api_v):
            HTML Code:
            https://myforum.com/api.php?adminoptions=&api_m=user.save&options=&password=test123456&user%5Bemail%5D=test%40test.com&user%5Busergroupid%5D=2&user%5Busername%5D=Test+User&userfield=&userid=0&api_s=XXX&api_sig=XXX&api_v=560
            This call returns "no_permission".

            If I include api_c:
            HTML Code:
            https://myforum.com/api.php?adminoptions=&api_m=user.save&options=&password=test123456&user%5Bemail%5D=test%40test.com&user%5Busergroupid%5D=2&user%5Busername%5D=Test+User&userfield=&userid=0&api_s=XXX&api_c=1&api_sig=XXX&api_v=560
            I get an "invalid_api_signature" error.


            2 questions based on your reply:
            Should the call be made to http or https? I tried http but did not receive anything
            Is it api_init or api.init? Tried both, same results.

            Thanks
            Last edited by elieseif; Wed 15th Apr '20, 3:00am.

            Comment


            • #7
              No. I mean api_init. You need to send api_s to api_init in order to open the connection. api_s should be the 32 digit API Key listed in your AdminCP. Your signature will be invalid otherwise.

              Wayne Luke

              Comment


              • #8
                Thanks. I tried that but no change, same no_permission error.

                Here's the updated api_init method call:
                HTML Code:
                https://myforum.com/api.php?api_m=api_init&clientname=Client&clientversion=1.0&platformname=Platform&platformversion=1.0&uniqueid=f55d6541&api_s=API_KEY
                To clarify, I can login as admin using the returned values from api_init, so signature must be good, right?
                user.save still isn't going through.
                Last edited by elieseif; Wed 15th Apr '20, 3:01am.

                Comment


                • #9
                  Also, from the API documentation:
                  array $user Basic user information such as email or home page
                  * username
                  * email
                  * usertitle
                  * birthday
                  * usergroupid (will get no_permissions exception without administrate user permissions)
                  * membergroupids (will get no_permissions exception without administrate user permissions)
                  * privacyconsent int -1|0|1 meaning Privacy-Consent Withdrawn|Unknown|Given respectively.
                  * list not complete
                  What does "will get no_permissions exception without administrate user permissions" mean, and how do we set "administrate user permissions"?

                  Thanks

                  Comment


                  • #10
                    VB Support, any other thoughts?

                    Comment


                    • #11
                      Without actually looking into the API side of this, I noticed that the sample password you're using is "123". Check your password requirement settings in "User Registration Options". The default minimum length for passwords is 8 characters. Again, this is unrelated to the API error, but you also have to ensure you're sending valid data.
                      ~~~~~

                      Comment


                      • #12
                        After reviewing the server-side signature verification code, the main problem with the provided code seems to be with
                        Code:
                        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
                        On the server side, only GET params are used in the signature, so the request params that were used for the signature being in the POST fields is throwing the server off in validating the signature.

                        In the provided code, you should be able to pass the sig check by passing those GET params in as part of the URL, e.g. :
                        Code:
                        // cURL
                        $url = 'http://pluto.here/cora/api.php';
                        $url .= '?' . http_build_query($requestparams);
                        $ch = curl_init($url);
                        curl_setopt($ch, CURLOPT_POST, 1);
                        #curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                        $curl_response = curl_exec($ch);
                        curl_close($ch);
                        BUT DON'T ONLY DO THIS, above change is for illustrative purpose only, as it will reveal sensitive data in the URL (e.g. password). I.e. properly split $requestparams into $getparams & $postparams, use $getparams for the $signature & append to url, set $postparams in POSTFIELDS, etc.

                        Once the signature issue is resolved, you may hit API issues per David's comment above.

                        This was not an issue in this case, but just as a side-note, following params must be removed prior to generating the $requestparams_string if they are set (from class_core.php vB_Input_Cleaner::__construct() ):
                        Code:
                        $VB_API_PARAMS_TO_VERIFY = $_GET;
                        unset($VB_API_PARAMS_TO_VERIFY['']); // See VBM-835
                        
                        unset(
                        $VB_API_PARAMS_TO_VERIFY['api_c'],
                        $VB_API_PARAMS_TO_VERIFY['api_v'],
                        $VB_API_PARAMS_TO_VERIFY['api_s'],
                        $VB_API_PARAMS_TO_VERIFY['api_sig'],
                        $VB_API_PARAMS_TO_VERIFY['debug'],
                        $VB_API_PARAMS_TO_VERIFY['showall'],
                        $VB_API_PARAMS_TO_VERIFY['do'],
                        $VB_API_PARAMS_TO_VERIFY['r']
                        );
                        
                        ksort($VB_API_PARAMS_TO_VERIFY);
                        edit: just to clarify, the above params can be part of the GET payload. It just has to be removed from the signature feed (or set after the signature generation like you're already doing)

                        Comment
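
The GET/POST split that post #12 recommends, as an added PHP example that is not code from the thread or from vBulletin: only the URL parameters are signed, the password stays in the POST body, and a verifier that reads only the query string recomputes the signature. The function names, the host `forum.example` and the credential values are constructed; the signature formula is the one quoted in the first post, and the verifier models only what post #12 says about the server side.

```php
<?php
// Added example; function names, host and credential values are constructed.

// Keys removed before verification, per the class_core.php excerpt in post #12.
const UNSIGNED_KEYS = ['', 'api_c', 'api_v', 'api_s', 'api_sig', 'debug', 'showall', 'do', 'r'];

// md5 of the sorted, signable GET params + access token + client id + secret + API key.
function sign_get_params(array $get, string $token, string $clientId, string $secret, string $apiKey): string
{
    $toSign = array_diff_key($get, array_flip(UNSIGNED_KEYS));
    ksort($toSign);
    return md5(http_build_query($toSign) . $token . $clientId . $secret . $apiKey);
}

// Model of a verifier that, as post #12 describes, looks only at the query string.
function verify_url(string $url, string $token, string $clientId, string $secret, string $apiKey): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
    $expected = sign_get_params($get, $token, $clientId, $secret, $apiKey);
    return hash_equals($expected, (string) ($get['api_sig'] ?? ''));
}

// Constructed stand-ins for the api.init response and the AdminCP API key.
$creds = ['tok-sample', '1', 'sec-sample', 'key-sample'];
[$token, $clientId] = $creds;
$endpoint = 'https://forum.example/api.php';

// Signed and sent in the URL: nothing sensitive.
$getparams = ['api_m' => 'user.save'];
// Sent in the POST body (CURLOPT_POSTFIELDS): never part of the signature feed.
$postparams = [
    'userid'   => '0',
    'password' => 'Test1234$',
    'user'     => ['username' => 'Test', 'email' => 'test@test.com'],
];
$api = ['api_c' => $clientId, 'api_s' => $token, 'api_v' => '560'];

// Split request: signature covers exactly what the verifier will find in $_GET.
$splitUrl = $endpoint . '?' . http_build_query(
    $getparams + $api + ['api_sig' => sign_get_params($getparams, ...$creds)]
);
$postBody = http_build_query($postparams);

// Thread's failing shape: signature covers POST-only params the verifier never sees.
$mixedUrl = $endpoint . '?' . http_build_query(
    $api + ['api_sig' => sign_get_params($getparams + $postparams, ...$creds)]
);

foreach (['split' => $splitUrl, 'mixed' => $mixedUrl] as $label => $url) {
    printf("%-5s verifies: %s\n", $label, var_export(verify_url($url, ...$creds), true));
}
```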


                        • #13
                          As for the first "no_permission" error coming out of the user API, if this is a new user it's probably the user.usergroupid parameter (not every user can change or set their usergroup).

                          What does "will get no_permissions exception without administrate user permissions" mean, and how do we set "administrate user permissions"
                          Regular users & guests are not allowed to change certain attributes of their user account (e.g. a guest cannot just create an admin account). To change the fields marked as requiring administrative permissions, you'll need to first call user.login using admin credentials, then call the user save again to create that user as an administrator.

                          Comment


                          • #14
                            In addition to the usergroupid issue, some other common user api errors you might hit are the password_too_short & privacyconsent_required (missing 'privacyconsent' parameter, depending on region & settings).

                            Comment


                            • #15
                              Hi there, I have the same error "invalid_api_signature" in vBulletin v5.6.0 and I have followed the conversation attentively.

                              @Wayne Luke you write that the parameter api_s should be used for the init request. But the documentation (http://vb5support.com/resources/mapi...ml#method_init) says api_c. Which parameter is the correct one?

                              My vBulletin allows new registrations, the password length is 8 characters and used PHP 7.3.

                              PHP Code:
                              $apikey = 'XXX';
                              //Step1 getAccessToken
                              $requestparams = array(
                              'api_m' => 'api.init',
                              'clientname' => 'Client',
                              'clientversion' => '1.0',
                              'platformname' => 'Platform',
                              'platformversion' => '1.0',
                              'uniqueid' => '123gf89b5pb',
                              'api_s' => $apikey // Docs: api_c
                              );
                              ksort($requestparams);
                              $url = 'http://domain.txt/api.php';
                              $ch = curl_init($url);
                              curl_setopt($ch, CURLOPT_POST, 1);
                              curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
                              curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                              $curl_response = curl_exec($ch);
                              curl_close($ch);
                              $curl_response_array = json_decode($curl_response, true);
                              $apiaccesstoken = $curl_response_array['apiaccesstoken'];
                              $apiclientid = $curl_response_array['apiclientid'];
                              $apisecret = $curl_response_array['secret'];
                              $apiversion = $curl_response_array['apiversion'];

                              //Step2 createUser
                              $user = array(
                              'username' => "Test",
                              'email' => "[email protected]",
                              'usergroupid' => "1"
                              );
                              ksort($user);
                              $requestparams = array(
                              'api_m' => 'user.save',
                              'userid' => '0',
                              'password' => 'Test1234$',
                              'user' => $user,
                              'options' => '',
                              'adminoptions' => '',
                              'userfield' => ''
                              );
                              ksort($requestparams);
                              $requestparams_string = http_build_query($requestparams);
                              $apisignature = md5($requestparams_string.$apiaccesstoken.$apiclientid.$apisecret.$apikey);

                              $requestparamsget = array();
                              $requestparamsget['api_c'] = $apiclientid;
                              $requestparamsget['api_s'] = $apiaccesstoken;
                              $requestparamsget['api_sig'] = $apisignature;
                              $requestparamsget['api_v'] = $apiversion;

                              ksort($requestparamsget);
                              $url = 'http://domain.txt/api.php';
                              $url .= '?' . http_build_query($requestparamsget);
                              $ch = curl_init($url);
                              curl_setopt($ch, CURLOPT_POST, 1);
                              curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($requestparams));
                              curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                              $curl_response = curl_exec($ch);
                              curl_close($ch);
                              $curl_response_array = json_decode($curl_response, true);
                              var_dump($curl_response_array);
                              Response:
                              PHP Code:
                              array(1) { ["errors"]=> array(1) { [0]=> array(1) { [0]=> string(21) "invalid_api_signature" } } }

                              VB Support, any solutions? thx

                              Comment