Hey, how do I generate a hash for a signature in the prescript with the following inputs? The end result needs to spit out: signature = BASE64 ( HASH ( http_method + url_path + salt + timestamp + access_key + secret_key + body_string ) )
Hi Tracy,
Can you please provide some context, like which API endpoint you are trying to use?
Assuming it is a sending_request (by the file parameter), as the error states you should be using a Hash, or simply the file parameter requires two values, name and source, which must be given as key-value pairs (think JSON), which you might have misunderstood as the hashed value. Here is an example of a sending request with parameters provided through the body using Postman.
Recently, I created a REST endpoint (webhook) to be hit by a 3rd party. To secure it, I took this basic approach, such that the client would hash the payload (using a supplied secret key) and then put that hashed value in an HTTP header. Upon receiving the request, my endpoint would then do the same, and evaluate whether the hash value passed in the header was equal to the hash value generated on the server.
This all worked great, but testing was a bit of a pain. At first, I was generating the hashed value programmatically and then copy-pasting into Postman. Ugh. Then I figured out that with a few minutes of effort I could do this using pre-request scripts and CryptoJS (which seems to be imported by default by Postman).
I am testing an API in Postman that works fine. I am exporting it using the functionality in Postman. The export language is cURL. I am pasting it in the Bubble API connector but it does not work. Is there a process to easily transfer APIs from Postman to Bubble?
Yes, the signature comes from Postman. I try it in another tool and it works, but if I try it in Bubble it does not work. Below you can see the raw text, the API connector and the other tool so you can compare. I literally copy and paste the same. I do not know what else to change to make it work!
The problem is not the authorization key, since I copy it directly from Postman and it works in ReqBin. For some reason the exact same code does not work in Bubble.
I have figured out already how to generate the authorization key, but I first need to make the call work.
Hi Jaime, I am struggling with the exact same issue on Bubble. The call in Postman works and gives me a working signature that doesn't work on Bubble. I am copying the exact same body on Postman and on Bubble.
I have resolved the error on my end. A few pointers. It is expected that the last key-value pair in your request is the hash. Everything above it is used in generating the hash. In your case the steps would look like this
Now that you have an access token, you can begin making API requests and creating signatures. This section will lead you through the five available requests in the Postman CSC collection, resulting in the creation of a digital signature from a document hash.
If I create a valid user and I choose a password, there is no way to log in with this password (using my custom resource), because my function that takes plain text from Postman as THE password and hashes it with MY RESOURCE will not return the same hashed password as the real Drupal hashed password for the password I've created before.
In the following example of HMAC Implementation, the message string is the concatenation of the path of the URL, the message body, and the timestamp. The secret for hashing is stored as an environment variable and is retrieved by using environment.get("secret").
The poor postman had to be collected from his delivery route as he was unable to move his cart and when he got back to the office he was filmed sitting in a chair saying, 'I'm not right.'
Solution
Communication with the API is secured via signed requests. The signature is formed as a hash over the request body and a randomly generated nonce using a shared secret. The X-Makaira-Nonce and X-Makaira-Hash headers must be transmitted with the request.
Here the CryptoJS library is used to create a SHA256 hash. All available libraries in Postman are described on the Postman Sandbox page. The global variable token is then sent as the token request parameter.
In order to create a password reset system, we will need to establish two separate models: a user model and a token model. The user model will contain information about each individual user, such as their email address, username, and hashed password. This model will be used to verify the identity of the user requesting a password reset and to update their password once a reset has been requested.
The user model will define how user data is saved in the database. It is important to ensure that passwords are stored securely, as storing them in plaintext is a security risk. To avoid this, we can use a secure one-way hashing algorithm such as bcrypt, which includes a salt to increase the strength of the hashing further.
In the code below, we use bcrypt to hash the passwords to protect them and make it almost impossible to reverse the hashing process even if the database is compromised. Even as administrators, we should not know the plaintext passwords of our users, and using a secure hashing algorithm helps to ensure this as well:
The password is hashed using the pre-save MongoDB Hook before saving it, as shown in the code below. A bcrypt salt-rounds value (cost factor) of 10 is used, as specified in the .env file, to increase the strength of the hashing and reduce the likelihood of passwords being guessed by malicious actors: