Can't Authorize via POST method

84 views
Skip to first unread message

oblivious87

unread,
Jun 10, 2011, 4:12:01 PM6/10/11
to Springpad Developers
I'm able to get all the API calls which require the HTTP method GET
working. Now i'm having problems with the commands which require the
POST method.

I'm writing my code in PHP. I'm using OAuth 1.0 to authenticate and
cURL to make my server requests.

Here is my request function:

function FetchUrl($url,$param=null,$body=null) {
$ch = curl_init($url);

if ($body) {
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$param."&body=".$body);
}

curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}

$url = "http://springpadit.com/api/users/me/commands"

$params =
"oauth_consumer_key=267c9ecca0cd45a48e9afcfccb8a7432&oauth_nonce=2d95574204f3f3fb9148ef6abcf5d009&oauth_signature=qKosXzk7zyfyR70oOQV4JrbJBgY
%3D&oauth_signature_method=HMAC-
SHA1&oauth_timestamp=1307734851&oauth_token=3fd9ae4ed7539bec1e0a26cc61883c5c&oauth_version=1.0"

$body = ["create","Workbook","\/
UUID(4234df27-430d-0c4d-2734-0db4f4df2734)\/"]


$body is a php array that I encoded using json_encode().

When I do this, my $res comes back with an error as the following:

{ "status":"error", "message":"Error authenticating user" }

What am I doing wrong?

oblivious87

unread,
Jun 13, 2011, 7:12:31 PM6/13/11
to Springpad Developers
After looking at the Python code, it doesn't even look like you're
sending any of the OAuth info through the POST body. Is this
correct? When I just try to send a JSON array (see below) to the
server, I get the following error:

["create","Workbook","/UUID(4234df69-e53c-984d-698e-3c5da4df698e)/"]

{ "status":"error", "message":"Error running commands" }

oblivious87

unread,
Jun 13, 2011, 7:31:18 PM6/13/11
to Springpad Developers
I take that back, it looks as though you're authorizing by posting the
OAuth parameters in the URL.

I've edited my function to be the following:

function FetchUrl($url,$command=null) {
$ch = curl_init($url);

if ($command) {
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$command);
}

curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}

But for whatever reason it still won't authenticate me and I'm
getting:
{ "status":"error", "message":"Error authenticating user" }

Pete Aykroyd

unread,
Jun 13, 2011, 8:18:06 PM6/13/11
to Springpad Developers
Right. The library "signs" the request with the URL. It wouldn't make
sense for it to use the POST body since strictly speaking only POSTs
are allowed to have a body. Sorry, I've not gotten to this yet. It's a
pretty busy time. I will try to take a look at it later tonight or
tomorrow morning.

I think probably a more straight-forward HOWTO for our OAUTH is in
order.

Thanks for your patience.

Pete

oblivious87

unread,
Jun 13, 2011, 9:20:30 PM6/13/11
to Springpad Developers
Pete,

I guess I'm confused because I can authorize and get info when I'm
using the API parts that don't require me to use the POST method, but
it won't As soon as I add data to the body.

Pete Aykroyd

unread,
Jun 14, 2011, 5:20:18 PM6/14/11
to Springpad Developers
Ok, so looking at the command you are posting, I think one problem is
that you are just passing an array. Each command is an array, so you
need to post and array of arrays.

So try this:

[["create","Workbook","/UUID(4234df69-e53c-984d-698e-3c5da4df698e)/"]]

And just to verify '42' is the user's shard right?

If you use that with the python client it should post fine. If that
works and still fails with the PHP code it seems like the request is
not being signed properly.

Pete

oblivious87

unread,
Jun 14, 2011, 6:49:47 PM6/14/11
to Springpad Developers
Pete,

Still getting the error after fixing it so its an array of arrays:
{ "status":"error", "message":"Error authenticating user" }

The '42' is my shard number.

Here is the first URL being passed which is failing to authenticate:
http://springpadit.com/api/users/me/commands?oauth_consumer_key=267c9ecca0cd45a48e9afcfccb8a7432&oauth_nonce=5829a693088e8f81ef395166a07c4999&oauth_signature=OKJgk7h8cGvZBX4%2ByZ12n6RogVA%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1308091544&oauth_token=5ae75f5695169993879c706408293ef2&oauth_version=1.0

On the other hand, the following URL has no problem authenticating:
http://springpadit.com/api/users/me/blocks?oauth_consumer_key=267c9ecca0cd45a48e9afcfccb8a7432&oauth_nonce=39b0ae490d81ae997359bdb9e09d166a&oauth_signature=SGzn6U3XAzH3T8PpCo9sH4uSo30%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1308091545&oauth_token=5ae75f5695169993879c706408293ef2&oauth_version=1.0

I'm able to authenticate on everything except for the url to send
commands to the Springpad server.

If you want to try it out yourself, the script is running here:
http://xrefpro.com/CRM/index.php

Sergiy Salyuk

unread,
Jun 15, 2011, 9:14:54 AM6/15/11
to Springpad Developers
Hmm, looks like I have tis problem too.
One part of my synchronization code that is responsible for uploading
local changes now fails with 403 error.
User shard is correct. The JSON body is the same:
{
"status":"error",
"message":"Error authenticating user"
}

What is interesting is that I am able to execute the same command
batch using x-Spring-Api-Token, X-Spring-Password instead of OAuth.
Any ideas ?

Pete Aykroyd

unread,
Jun 15, 2011, 9:56:24 AM6/15/11
to Springpad Developers
I'll take a look at it today and try to reproduce the problem. Are you
also getting the 403 in the python client? Our iPhone app uses that
API with OAUTH to send changes to the server made on the phone, so I
think the method should be alright.

But just as a sanity check, I will try it out and let you guys know.

Pete
Message has been deleted

Sergiy Salyuk

unread,
Jun 16, 2011, 7:20:36 AM6/16/11
to Springpad Developers
Well, I found the problem in my code: I signed request with before
setting correct HTTP method (so it was signed as GET method but then
was changed POST). ;-)

Pete Aykroyd

unread,
Jun 16, 2011, 9:10:36 AM6/16/11
to spring...@googlegroups.com
Oddly, my message from yesterday doesn't seem to have posted. Maybe I accidentally sent it to just Sergiy. 

Sergiy - glad that you found your bug. I guess 403 does make sense in that it was signed as a different type of method from the one that was sent. 

Oblivious87, I verified yesterday that POSTing commands through Oauth works fine. I re-wrote the python client on github to be simpler so it can hopefully be a better guide. https://github.com/springpad/springpad If you want to use that as a sanity check.

I probably won't be of much use looking at your php code since I've never used php, but are you signing the request with the POST method set and with the post_data on the message? If you're GET requests work fine but not your POSTs then there has to be something being done differently when you POST, since basic OAuth signing is working for you.

Cheers, 

Pete

oblivious87

unread,
Jun 16, 2011, 12:47:33 PM6/16/11
to Springpad Developers
Sergiy,

Can you show me the code you're using?

On Jun 15, 9:14 am, Sergiy Salyuk <ssa...@gmail.com> wrote:

Sergiy Salyuk

unread,
Jun 16, 2011, 1:17:23 PM6/16/11
to Springpad Developers
Actually, it is in Objective-C, Google Data Library used for OAuth.
As I said my problem was in incorrect HTTP method used during OAuth
request signing.

Basic steps (after OAuth login is successful):
- OAuth object holds all auth related information (key, secret, token,
etc.)
- HTTP request object is constructed, correct method is set (POST for
command batches)
- OAuth object is called to sign the constructed request
- HTTP request is sent

My problem was that method (POST) was set right AFTER the request
object was signed.

Regards,
Sergiy

Pete Aykroyd

unread,
Jun 16, 2011, 1:39:05 PM6/16/11
to spring...@googlegroups.com
One other thing that I put in the lost post and forgot to mention again here was that I found that X-Spring-Client and Content-Type headers were required for the POST but not the GETs. This caused a 500 error though, not a 403. But it's worth making sure that you have those set.

oblivious87

unread,
Jun 16, 2011, 5:24:49 PM6/16/11
to Springpad Developers
This is extremely frustrating because that is exactly what I've been
doing all along. In order to call to the API I created a method for
the OAuth Object and a standalone function and call them in sequential
order:

function CreateRequestUrl($url,$params=null,$method="GET") {
if ($params=="GET" || $params=="POST") {
$method = $params;
$params = null;
}

$request = OAuthRequest::from_consumer_and_token($this->consumer,
$this->access_token,$method,$url,$params);
$request->sign_request($this->sig_method,$this->consumer,$this-
>access_token);
return $request->to_url();
}

The above creates a new request every time using the method specified
and uses the CONSUMER and ACCESS_TOKEN which is stored in my OAuth
Object. This will output the URL with all the OAuth info in it. So
for the commands I do the following line:

$url = $sp->CreateRequestUrl("http://springpadit.com/api/users/me/
commands","POST");

I then follow this up by making the call to the server using the next
function:

function FetchUrl($url,$command=null) {
$ch = curl_init($url);

if ($command) {
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$command);
}

curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}

So call looks like this:

$command = stripslashes(json_encode(array(array('create','Workbook',
$uuid))));
$res = FetchUrl($url,$command);

I generate the UUID by taking the shard + "3" + correctly formatted
random UUID generated based on timestamp.

It doesn't make any sense why I can't authorize as soon as I add the
commands to the body. I've looked to see if its a bug with cURL but
people can post JSON commands to the body with zero problems with very
similar code. Maybe someone who uses PHP can brainstorm with me
because this is the only thing I'm missing for a fully working PHP
API.

Also, Pete, your Python code is no longer available on the repository.

oblivious87

unread,
Jun 16, 2011, 5:27:18 PM6/16/11
to Springpad Developers
Also, it seems like I'm getting more of a 401 error, not 403. I did
try adding the headers the other day but it didn't do anything
different.

Pete Aykroyd

unread,
Jun 16, 2011, 6:10:37 PM6/16/11
to spring...@googlegroups.com
I'll look through your code example in greater detail when I have some time. The code should still be available though the file structure is different.

The Client (formerly SpringpadRpc) is here https://github.com/springpad/springpad/blob/master/python/spring/__init__.py
And the CLI (formerly in the same class) is here https://github.com/springpad/springpad/blob/master/python/cli.py

Pete

Joshua

unread,
Jun 28, 2011, 1:13:52 AM6/28/11
to Springpad Developers
I'm getting an 403 error when trying to access /users/me/blocks. I
have the oauth access token and believe I'm signing my request
properly. I noticed that your GET request has the oauth parameters as
query parameters and not HTTP Headers.

What is they correct way to send oauth parameters? I'm using scribe
for java and it sets them as HTTP Header variables.

Thanks,
Josh

On Jun 14, 5:49 pm, oblivious87 <jst...@gmail.com> wrote:
> Pete,
>
> Still getting the error after fixing it so its an array of arrays:
> { "status":"error", "message":"Error authenticating user" }
>
> The '42' is my shard number.
>
> Here is the first URL being passed which is failing to authenticate:http://springpadit.com/api/users/me/commands?oauth_consumer_key=267c9...
>
> On the other hand, the following URL has no problem authenticating:http://springpadit.com/api/users/me/blocks?oauth_consumer_key=267c9ec...
Reply all
Reply to author
Forward
0 new messages