"Duplicate timestamp/nonce combination, possible replay attack. Request rejected."

[ThatNerdyPikachu]

Got Duplicate timestamp/nonce combination, possible replay attack. Request rejected. while trying to authorize in headers, which is the only thing that this API accepts.

function getOAuth(consumer_key, consumer_secret) {
	return OAuth({
		consumer: {
			key: consumer_key,
			secret: consumer_secret
		},
		signature_method: "HMAC-SHA1",
		hash_function: function(base_string, key) {
			return crypto.createHmac("sha1", key).update(base_string).digest("base64")
		}
	})
}

// ...

router.get("/api/me", function(req, res) {
	if (!req.query.key || !req.query.secret) {
		return res.status(400).end()
	}

	const oauth = getOAuth(req.query.key, req.query.secret)

	const request = {
		url: "<redacted>",
		method: "GET"
	}

	axios.get(request.url, {
		headers: oauth.toHeader(oauth.authorize(request))
	})
	.then(function(response) {
		res.send(response.data)
	})
	.catch(function(err) {
		res.send(err.response.data)
	})
})

[ddo]

or some clouds or serverless services Math.random could return the same fyi

[JonnyOThan]

For anyone coming across this issue, I was banging my head against it for a few hours until I finally used Fiddler to look at the requests and responses.

The server was responding with a 302 redirect, and my http library was helpfully following the redirect and sending the same headers - which of course included the duplicate nonce and timestamp.