Fitbit OAuth API request, invalid signature

Question

I am trying to make an API request to fitbit, using the oauth debugger from fitbit (https://dev.fitbit.com/apps/oauthtutorialpage) i am trying to figure out what i am doing wrong. I have added comments to my code below to help you understand what i am trying to achieve. What i am quite sure of is that i am either signing my request wrong, or using the wrong data to sign it. This is echoed by the API response.

I know there are more fitbit api questions here on stackoverflow, however did not find my answer there.

Is there anyone with more experience in Oauth signatures that knows what i could be doing wrong? Or could help me find a different approach to this?

var request = require('request');
var crypto = require('crypto');

var params = {
    'oauth_consumer_key' : 'key12345',
    'oauth_nonce' : Math.random().toString(36).substring(3), //random string
    'oauth_signature_method' : 'HMAC-SHA1',
    'oauth_timestamp' : Date.now().toString().substring(0,10), //timestamp with the same length as in the tutorial
    'oauth_version' : '1.0'
}
var oauth_consumer_secret = 'secret123';
var post_string = 'POST&https://api.fitbit.com/oauth/request_token';

for(var key in params){
    post_string += '&' + key + '=' + params[key];
}

/*At this point we have made a post string that we have to hash with hmac-sha1
the post string looks like this:
POST&https://api.fitbit.com/oauth/request_token&oauth_consumer_key=key12345&oauth_nonce=az6r8cqlzyqfr&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1439147378&oauth_version=1.0

The post_string from the tutorial looks like this:
POST&%2Foauth%2Frequest_token&oauth_consumer_key%3D%26oauth_nonce%3D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1439145944%26oauth_version%3D1.0

*/

var hmac = crypto.createHmac('sha1', oauth_consumer_secret + "&");
// The tutorial page shows me the signature was 'signed with secret&'. I have tried with and without the & at the end, but without luck.
hmac.setEncoding('base64'); //i'm not sure if this is correct
hmac.write(post_string);
hmac.end();
var hash = hmac.read();

//and finally adding the hash to the parameters.
params.oauth_signature = hash; 

//now, making the request with an authorization header.
var header='';
for (var key in params){
    if(header.length === 0){
        header = ' OAuth ' + key + '="' + params[key] + '"';
    }
    else{
        header += ', ' + key + '="' + params[key] + '"';
    }
}

/*
At this point the header parameter looks like this

OAuth oauth_consumer_key="key12345", oauth_nonce="jnr97ppvjs2lnmi", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1439148049", oauth_version="1.0", oauth_signature="random_signature"   

The tutorial tells me to use the headers:
OAuth oauth_consumer_key="key12345", oauth_nonce="jnr97ppvjs2lnmi", oauth_signature="different_signature", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1439145944", oauth_version="1.0"
*/

var headers ={
    'Authorization' : header
}

var url="https://api.fitbit.com/oauth/request_token";
var requestTimeout = 5000;
var opts = {
    url: url,
    timeout: requestTimeout,
    headers : headers
}

request(opts, function (err, res, body) {
    if (err) {
        console.dir(err);
        return;
    }
    var statusCode = res.statusCode;
    if(res.statusCode === 200){
         console.log(body);
    }
    else{
        console.log("http-error-code: " + res.statusCode);
        console.log(body);
    }
})
/*
The response: 
http-error-code: 401
{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: 9fXI85C7GvZqMyW1AK1EkOSWZCY="}],"success":false}
*/

Fitbit OAuth API request, invalid signature

Answers (1)

Related Questions