How to construct OAuth authorization header for RESTlet?

Question

I've trouble creating OAuth authorization header. I'm keep getting INVALID_LOGIN_ATTEMPT and I'm unable to find what I'm doing wrong.

I've followed directions from here to create an authorization header.

My complete workflow:

• create hello world SuiteScript 2.0 restlet
• upload to my NetSuite account
• create integration record
• create a deployment
• create a role with permissions:
  • Access Token Management - Full
  • Log in using Access Tokens - Full
  • User Access Tokens - Full
  • Web Services - Full
• create a user and assign role from previous step
• create an integration and enable Token Based Authentication
• issue a new access token

RESTlet URL is copy/pasted from deployment details and account id is extracted from Setup / Integration / Web Services Preferences

This is my dummy client:

const https = require('https');
const crypto = require('crypto');

function generateNonce() {
   return crypto.randomBytes(16).toString("hex");
}

const NETSUITE_ACCOUNT_ID = 'tstdrv00000000';
const BASE_URL = `https://${NETSUITE_ACCOUNT_ID}.restlets.api.netsuite.com/app/site/hosting/restlet.nl`;
const HTTP_METHOD = 'GET';
const SCRIPT_ID = '546';
const SCRIPT_DEPLOYMENT_ID = '1';
const OAUTH_VERSION = '1.0';
const TOKEN_ID = "0";
const TOKEN_SECRET = "0";
const CONSUMER_KEY = "0";
const CONSUMER_SECRET = "0";
const OAUTH_NONCE = generateNonce();
const TIMESTAMP = Date.now();

function createSignature() {
    const key = `${CONSUMER_SECRET}&${TOKEN_SECRET}`;
    const data = `deploy=${SCRIPT_DEPLOYMENT_ID}&oauth_consumer_key=${CONSUMER_KEY}&oauth_nonce=${OAUTH_NONCE}&oauth_signature_method=HMAC-SHA256&oauth_timestamp=${TIMESTAMP}&oauth_token=${TOKEN_ID}&oauth_version=${OAUTH_VERSION}&script=${SCRIPT_ID}`;

    const payload = `${HTTP_METHOD}&${encodeURIComponent(BASE_URL)}&${encodeURIComponent(data)}`;

    const hmac = crypto.createHmac('sha256', key);
    const digest = hmac.update(payload).digest('hex');
    const signature = new Buffer(digest).toString('base64');
    return signature;
}

let OAuth = `OAuth oauth_signature="${createSignature()}", oauth_version="1.0", oauth_nonce="${OAUTH_NONCE}", oauth_signature_method="HMAC-SHA256", oauth_consumer_key="${CONSUMER_KEY}", oauth_token="${TOKEN_ID}", oauth_timestamp="${TIMESTAMP}", realm="${NETSUITE_ACCOUNT_ID}"`;

const request = new Promise((resolve, reject) => {
    const responsePayload = [];
    const request = https.get(
        `${BASE_URL}?script=${SCRIPT_ID}&deploy=${SCRIPT_DEPLOYMENT_ID}`,
        {
            headers: {
                "Content-Type": "application/json",
                "Authorization": OAuth
            },
        },
        (response) => {
            console.log("statusCode: ", response.statusCode);
            console.log("headers: ", response.headers);
            response.setEncoding('utf8');
            response.on('data', chunk => {
                responsePayload.push(chunk);
            });
            response.on('end', () => {
                try {
                    resolve(JSON.parse(responsePayload.join()));
                } catch (error) {
                    resolve(responsePayload);
                }
            });
        }
    );
    request.on('error', error => {
        reject(error);
    });
    request.end();
});

request
    .then((response => console.log("OK", response)))
    .catch(e => console.error("Error", e));

Answer 1

I used this package: https://www.npmjs.com/package/oauth-1.0a

var oauth = new OAuth({   
   "hash_function" : function(base_string, key) {
       return crypto.createHmac('sha1', key).update(base_string).digest('base64');
   },
   "consumer" : { "key" : CONSUMER_KEY, "secret" : CONSUMER_SECRET },
   "signature_method" : "HMAC-SHA1"
});

const oauthToken = { "key" : OAUTH_TOKEN, "secret" : OAUTH_TOKEN_SECRET },
    request = { "url" : url, "method' : method };

let headers = oauth.toHeader(oauth.authorize(request, oauthToken));
headers.Authorization += `,realm=${REALM}`;

Answer 2

INVALID_LOGIN_ATTEMPT

This error indicates a problem in an OAuth header. It can be returned when the nonce, consumer key, token, or signature in the OAuth header is invalid.

I believe your signature it's not correct. It should have the same url/parameters on your variable payload to generate the signature than on your xhr request:

const payload = '${HTTP_METHOD}&${BASE_URL}?script=${SCRIPT_ID}&deploy=${SCRIPT_DEPLOYMENT_ID}&${encodeURIComponent(data)}';

const request = new Promise((resolve, reject) => {
    const responsePayload = [];
    const request = https.get(
        '${BASE_URL}?script=${SCRIPT_ID}&deploy=${SCRIPT_DEPLOYMENT_ID}&${encodeURIComponent(data)}',
        {
            headers: {
                "Content-Type": "application/json",
                "Authorization": OAuth
            },
        },
...