OAuthRequestVerifier::requestIsSigned() failing in API rest call in 1.7.0 #24

Closed
MichaelHoughton opened this issue Jan 20, 2015 · 14 comments

@MichaelHoughton
Contributor

Hey Dan

Found another interesting one. This worked fine in Version 1.6.x, but applying the same request in 1.7 is giving a "Not signed." error.

The problem seems to be related to the OAuthRequestVerifier::requestIsSigned() method - which appears to be returning false.

I have successfully connected to the API - the server token is active etc.

In 1.6, I would pass the following to the API:

OAuthRequester Object
(
[files:protected] => 
[request:protected] => 
[store:protected] => OAuthStorePDO Object
    (
        [conn:OAuthStorePDO:private] => PDO Object
            (
            )

        [lastaffectedrows:OAuthStorePDO:private] => 
        [max_timestamp_skew:protected] => 600
        [max_request_token_ttl:protected] => 3600
    )

[usr_id:protected] => 0
[signed:OAuthRequestSigner:private] => 
[realm:protected] => 
[param:protected] => Array
    (
        [service] => rest
        [method] => LayoutList
        [response] => json
    )

[uri_parts:protected] => Array
    (
        [scheme] => http
        [host] => 360ds2.localhost
        [path] => /xibo-cms/services.php
        [port] => 80
        [user] => 
        [pass] => 
        [query] => 
        [fragment] => 
    )

[uri:protected] => http://360ds2.localhost/xibo-cms/services.php
[headers:protected] => Array
    (
        [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        [Accept-Encoding] => gzip, deflate
        [Accept-Language] => en-US,en;q=0.5
        [Cache-Control] => max-age=0
        [Connection] => keep-alive
        [Cookie] => CAKEPHP=bjcb1oigc9pfuidf2jb5car5o4; PHPSESSID=0r21b2ghfgeq5m9rlfmhjf2m95; CakeCookie[lang]=en; CakeCookie[userId]=6; CakeCookie[role]=1; CakeCookie[system_type]=0; CakeCookie[datasets_name]=Hantera+data
        [Host] => 360ds2.localhost
        [Referer] => http://360ds2.localhost/admin
        [User-Agent] => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
    )

[method:protected] => GET
[body:protected] => 
)

This would work fine in 1.6

In 1.7, I am passing the following:

OAuthRequester Object
(
[files:protected] => 
[request:protected] => 
[store:protected] => OAuthStorePDO Object
    (
        [conn:OAuthStorePDO:private] => PDO Object
            (
            )

        [lastaffectedrows:OAuthStorePDO:private] => 
        [max_timestamp_skew:protected] => 600
        [max_request_token_ttl:protected] => 3600
    )

[usr_id:protected] => 0
[signed:OAuthRequestSigner:private] => 
[realm:protected] => 
[param:protected] => Array
    (
        [service] => rest
        [method] => LayoutList
        [response] => json
    )

[uri_parts:protected] => Array
    (
        [scheme] => http
        [host] => 360ds2.localhost
        [path] => /xibo/services.php
        [port] => 80
        [user] => 
        [pass] => 
        [query] => 
        [fragment] => 
    )

[uri:protected] => http://360ds2.localhost/xibo/services.php
[headers:protected] => Array
    (
        [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        [Accept-Encoding] => gzip, deflate
        [Accept-Language] => en-US,en;q=0.5
        [Cache-Control] => max-age=0
        [Connection] => keep-alive
        [Cookie] => CAKEPHP=bjcb1oigc9pfuidf2jb5car5o4; PHPSESSID=0r21b2ghfgeq5m9rlfmhjf2m95; CakeCookie[lang]=en; CakeCookie[userId]=6; CakeCookie[role]=1; CakeCookie[system_type]=0; CakeCookie[datasets_name]=Hantera+data
        [Host] => 360ds2.localhost
        [Referer] => http://360ds2.localhost/admin
        [User-Agent] => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
    )

[method:protected] => GET
[body:protected] => 
)

You will notice, it is almost the same, however this time, I am getting this not signed error.

Could there be something else missing? I should note, I am following the old API PHP code:

public function LayoutList() {
    // The request uri being called.
    $user_id = 1;
    $request_uri = SERVER_BASE . 'services.php';

    // Parameters, appended to the request depending on the request method.
    // Will become the POST body or the GET query string.
    $params = array(
               'service' => 'rest',
               'method' => 'LayoutList',
               'response' => RESPONSE
         );

    // Obtain a request object for the request we want to make
    $req = new OAuthRequester($request_uri, 'GET', $params);

    // Sign the request, perform a curl request and return the results, throws OAuthException exception on an error
    $result = $req->doRequest($user_id);

    return $this->processData($result);
}

I am not sure if the $user_id = 1; is related - it always worked in 1.6

When I change the $user_id = 2, I get the message:

No server tokens available for http://360ds2.localhost/xibo-cms/services.php

When it is set to $user_id = 1, I get:

"Request failed with code 500: "

Unfortunately, with no related message with it other than a 500.
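
What "signed" means for an OAuth 1.0 request under RFC 5849, as an added example that is not part of the original post and not code from oauth-php or Xibo. It runs a signature check over the parameters shown in the dumps above, which hold no `oauth_*` entries, and then over the same parameters after signing. HMAC-SHA1 is assumed as the signature method; the function names, keys, secrets, nonce and timestamp are constructed.

```php
<?php
// Added example; not oauth-php or Xibo code. Keys, secrets and nonce are constructed.

// A request is "signed" only if it carries a non-empty oauth_signature parameter.
function request_is_signed(array $params): bool {
    return isset($params['oauth_signature']) && $params['oauth_signature'] !== '';
}

// RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters).
// Assumes $uri is already normalised (lowercase scheme/host, no query, no default port).
function signature_base_string(string $method, string $uri, array $params): string {
    unset($params['oauth_signature']);          // the signature never signs itself
    $enc = [];
    foreach ($params as $k => $v) {
        $enc[rawurlencode((string) $k)] = rawurlencode((string) $v);
    }
    ksort($enc, SORT_STRING);                   // byte order on the encoded names
    $pairs = [];
    foreach ($enc as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return strtoupper($method) . '&' . rawurlencode($uri) . '&' . rawurlencode(implode('&', $pairs));
}

// HMAC-SHA1 key is enc(consumer secret) & enc(token secret), RFC 5849 section 3.4.2.
function sign_hmac_sha1(string $base, string $consumerSecret, string $tokenSecret): string {
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function verify_request(string $method, string $uri, array $params, string $cs, string $ts): bool {
    if (!request_is_signed($params)) {
        return false;                           // nothing to verify
    }
    $expected = sign_hmac_sha1(signature_base_string($method, $uri, $params), $cs, $ts);
    return hash_equals($expected, (string) $params['oauth_signature']); // constant-time compare
}

$uri    = 'http://360ds2.localhost/xibo/services.php';
$params = ['service' => 'rest', 'method' => 'LayoutList', 'response' => 'json'];
var_dump(verify_request('GET', $uri, $params, 'constructed-cs', 'constructed-ts')); // unsigned

$params += [
    'oauth_consumer_key' => 'constructed-consumer-key', 'oauth_token' => 'constructed-token',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1421762400',
    'oauth_nonce' => 'constructed-nonce', 'oauth_version' => '1.0',
];
$params['oauth_signature'] = sign_hmac_sha1(signature_base_string('GET', $uri, $params), 'constructed-cs', 'constructed-ts');
var_dump(verify_request('GET', $uri, $params, 'constructed-cs', 'constructed-ts')); // signed
```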

@dasgarner
Member

Hmm, very odd indeed as the oAuth implementation specifics haven't changed between the two versions - apart from switching to the PDO data store (which might be the issue I suppose).

The userId only refers to the user in the client system - nothing to do with the server. So if you did change the userId you would have to go through the process of AddToServer, etc.

Do you happen to have a log of the request that hits the CMS web server?

@dasgarner dasgarner self-assigned this Jan 20, 2015
@MichaelHoughton
Contributor Author

Hey Dan

I tried to debug the error. The "Request failed with code 500: " is coming from my own Auth Lib on my app side.

I originally used a PHP library which I believe was available at:
https://code.launchpad.net/xibo

It has the methods to connect to the API.

This worked well for 1.6, but I am not sure it is working for 1.7.

Perhaps you could verify if it is working for you (if you wrote that initial code)?

@dasgarner
Member

Hey,

I can certainly give it a look for you - probably tomorrow now as I have to pop out.

The original library uses "php-oauth" as a backend and some very basic test methods I put together that look like this: https://github.com/dasgarner/xibo-example-api. It sounds like something has changed, but I cannot imagine what it might be.

I'll check it out.

Cheers,
Dan

@MichaelHoughton
Contributor Author

Thanks Dan - no rush for it.

And that's the code! I turned it into a Component Class for CakePHP.

I did update the PHP-Oauth to the latest version, so if you find no issues, I will investigate further at my end.

Thanks again.

@MichaelHoughton
Contributor Author

PS - I actually have a few changes to this code which I could make, so if you wanted to add this on GitHub, I will be happy to fork it and improve on it where I can!

@dasgarner
Member

Sure, I'm happy for you to fork that (it's under my account rather than xibosignage as it's only some example code - but I think you should still be able to fork).

Cheers!

@dasgarner
Member

Hi Michael,

Well, I found a few issues with the old database class that we are phasing out - it was still around in the API and was causing some problems.

That being said I am not sure if that was the cause for your particular issue - as at this end I authenticated and started making API calls without too much trouble.

Perhaps you could try the latest and see?

@MichaelHoughton
Contributor Author

Hey Dan

Thanks for this. I downloaded your latest example code from here:
https://github.com/dasgarner/xibo-example-api

Entered in my server details etc, and dumped the DB.

Ran through everything, until I got to this step:
http://localhost/xibo-example-api/index.php?action=Request

Where I got this error:

Fatal error: Uncaught exception 'OAuthException2' with message 'Request failed with code 500: ' in /home/michael/public_html/xibo-example-api/oauth-php/library/OAuthRequester.php:117 Stack trace: #0 /home/michael/public_html/xibo-example-api/index.php(546): OAuthRequester->doRequest(1) #1 /home/michael/public_html/xibo-example-api/index.php(153): callService(Array, true) #2 /home/michael/public_html/xibo-example-api/index.php(41): MakeSignedRequest() #3 {main} thrown in /home/michael/public_html/xibo-example-api/oauth-php/library/OAuthRequester.php on line 117

I debugged the line, and it is the SAME error that the CakeAPP is working on.

To ensure that the problem was NOT related to anything in the example code, I then used the same code using version 1.6. Amazingly, I got the same result! I debugged further, and got the 500 error, which read:

Array ( [code] => 500 [headers] => Array ( [date] => Wed, 21 Jan 2015 14:06:03 GMT [server] => Apache/2.4.7 (Ubuntu) [x-powered-by] => PHP/5.5.9-1ubuntu4.5 [x-xrds-location] => http://360ds2.localhost/xibo/services.php/service.php?xrds [content-length] => 0 [connection] => close [content-type] => text/html ) [body] => )

You will see the "server" is set to:
http://360ds2.localhost/xibo/services.php/service.php?xrds

When it should be set as:
http://360ds2.localhost/xibo/services.php?xrds

This seems to be the cause of the issue.

When I ran a print_r($this); die;, I could see that the URL was set to:

[uri:protected] => http://360ds2.localhost/xibo/services.php

It seems to be adding an extra "/services.php" onto the end.

I do see in the file:
lib/service/serviceresponse.class.php

There is a note on line 74:
// TODO: Need to strip out the services.php part of serviceLocation - or work out a better way to do it.

I am not sure if this is related?

Could you confirm perhaps if your:
xibo-example-api/index.php?action=Request

Is working locally for you - this will help to debug this one!

@dasgarner
Member

Hi,

That did work for me, but only after applying the latest commit to the CMS code (dasgarner/xibo-cms@6a77931) - I think the 500 is because of the legacy database code generating an error.

The XRDS is also clearly wrong - I'll create another issue for that.

Thanks,
Dan

@MichaelHoughton
Contributor Author

Thanks Dan. Was the commit above pushed to the xibosignage version - as this is the version I have?

@dasgarner
Member

Ah, no - sorry it wasn't. I'll pull that in now.

@MichaelHoughton
Contributor Author

Hey Dan

Awesome, that has fixed the issue.

After running a REQUEST action, I get the following:

OAuthRequester Object ( [files:protected] => [request:protected] => [store:protected] => OAuthStorePDO Object ( [conn:OAuthStorePDO:private] => PDO Object ( ) [lastaffectedrows:OAuthStorePDO:private] => [max_timestamp_skew:protected] => 600 [max_request_token_ttl:protected] => 3600 ) [usr_id:protected] => 0 [signed:OAuthRequestSigner:private] => [realm:protected] => [param:protected] => Array ( [service] => rest [method] => Version [response] => json ) [uri_parts:protected] => Array ( [scheme] => http [host] => 360ds2.localhost [path] => /xibo-cms/services.php [port] => 80 [user] => [pass] => [query] => [fragment] => ) [uri:protected] => http://360ds2.localhost/xibo-cms/services.php [headers:protected] => Array ( [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [Accept-Encoding] => gzip, deflate [Accept-Language] => en-US,en;q=0.5 [Connection] => keep-alive [Cookie] => __utma=111872281.559460213.1407426960.1417085927.1420554975.6; __utmz=111872281.1407426960.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __ar_v4=PNBCPPK4TJDO5FAACLQHWH%3A20140806%3A3%7CJGFYKFRETBC6TKXSFBR44G%3A20140806%3A3%7CDY57SKZYKBFQHI6756ADDK%3A20140806%3A3; _ga=GA1.1.559460213.1407426960 [Host] => localhost [Referer] => http://localhost/xibo-example-api/index.php?action=Exchange&consumer_key=ddb54046faf2499e8a2a2f48f1a8c295054bd1332&usr_id=1&oauth_token=3038909404070c2ba88a802a4c18581e054bfdeca&oauth_verifier=807b9eed05 [User-Agent] => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0 ) [method:protected] => GET [body:protected] => ) 

And the API works after that.

Just wanted to double check the above wasn't an accidental die or something left on by mistake and is expected.

All seems to be solved anyhow!

@dasgarner
Member

I've left debugging output in the example application on, just so it is easier to see what's happening - I'm sure you would edit that out of your Cake version. Don't want all that outputting each time! :)

I'll close this issue then - I suspect you might find a few more here and there - really pleased that the move to GitHub has made this sort of collaboration easier!

@MichaelHoughton
Contributor Author

Hey Dan - I totally agree, and thanks for all your help getting these issues sorted so quickly!
