Android Question (SOLVED) HTTP POST with parameters' MD5 hash in the HEADER

Discussion in 'Android Questions' started by peacemaker, Jan 27, 2018.

  1. peacemaker

    peacemaker Well-Known Member Licensed User

    Hi, All

    I cannot debug this posting :-(
    For an API for POST requests I must follow the rules:
    1) make MD5 hash of the parameters line (like "param1=1&param2=2") plus a secret word. This hash sub works correctly for sure (GET requests without parameters are OK).
    2) but this hash is sent not by one more parameter, but by the request header "Signature".
    3) URL-encoding I do only in a single point, before calculating the parameters' hash and making the GET URL.


    Code:
    Private Sub Requests(GetReq As Boolean, NewJob As HttpJob, Params As Map, Files As List)
        If Starter.InternetConnected = False Then Return
        Dim j As HttpJob = NewJob
        If Params.IsInitialized Then
            If Params.Size > 0 Then
                For i = 0 To Params.Size - 1
                    Params.Put(Params.GetKeyAt(i), su.EncodeUrl(Params.GetValueAt(i), "UTF8"))
                Next
            End If
        End If
        Dim U As String = Get_URL(j.JobName, GetReq, Params)    'URL-encoded parameters line with URL for GET requests only
        '------------

        If GetReq Then
            j.Download(U)
        Else
            j.PostMultipart(U, Params, Files)
        End If
        j.GetRequest.SetContentEncoding("application/x-www-form-urlencoded")
        Add_Signature(j, Params)
        j.GetRequest.Timeout = 60000
        Wait For (j) JobDone(j As HttpJob)
        If j.Success Then
    ....
    End sub

    Sub Add_Signature (j As HttpJob, m As Map)
        Dim key As String = "secret_word"
        If m.IsInitialized = False Or m.Size = 0 Then
            Dim pars As String = ""
        Else
            Dim pars As String     'just URL-encoded parameters line without URL
            For i = 0 To m.Size - 1
                pars = pars & "&" & m.GetKeyAt(i) & "=" & m.GetValueAt(i)
            Next
            pars = pars.SubString(1)
            Log(pars)
        End If
        Dim hash As String = others.GetMD5hash(pars & key)
        j.GetRequest.SetHeader("Signature", hash)
    End Sub

    Private Sub Get_URL(method As String, get As Boolean, m As Map) As String
        Dim URL1, URL2 As String
        If m.IsInitialized = False Or m.Size = 0 Then    'no parameters
            URL1 = URL & method
        Else If get = False Then    'for POST
            URL1 = URL & method
        Else
            'for GET with parameters
            For i = 1 To m.Size - 1
                URL2 = URL2 & "&" & m.GetKeyAt(i) & "=" & m.GetValueAt(i)
            Next
            URL1 = URL & method & "?" & m.GetKeyAt(0) & "=" & m.GetValueAt(0)
            If URL2 <> "" Then
                URL1 = URL1 & URL2
            End If
        End If
        Return URL1
    End Sub
    Why is the signature always incorrect at the server-side check?
     
    Last edited: Jan 27, 2018
  2. peacemaker

    peacemaker Well-Known Member Licensed User

    A GET request with a single parameter is OK with such a signature in the HEADER:
    https://10.0.2.2:8089/common_api/1.0/get_cars_info?locked_cars=false

    The trouble is only with POST requests with parameters.
    The API is described so:

    Code:
    Request:

    POST https://ip:port/common_api/1.0/create_order HTTP/1.1
    Signature: <...>
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 156

    phone=89123456789&source=SOURCE&source_time=20120501100000&source_lon=53.147836&source_lat=56.896817

    Reply:

    {
      "code":0,
      "descr":"OK",
      "data":{
        "order_id":12345
      }
    }
    But for such POST request with parameters I always get:
    Code:
    {data={}, descr=Wrong signature, code=4}
    HTTP sniffer shows my POST request as:
    Code:
    POST /common_api/1.0/create_order HTTP/1.1
    Content-Encoding: application/x-www-form-urlencoded
    Signature: 78aeb39f7892a601ae9ee0c4c70349e1
    Content-Type: multipart/form-data; boundary=---------------------------1461124740692
    Host: 10.0.2.2:8089
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.5.0
    Content-Length: 599

    -----------------------------1461124740692
    Content-Disposition: form-data; name="phone"

    11111111111
    -----------------------------1461124740692
    Content-Disposition: form-data; name="source_time"

    20180128105118
    -----------------------------1461124740692
    Content-Disposition: form-data; name="source"

    testsourcewithoutspaces
    -----------------------------1461124740692
    Content-Disposition: form-data; name="source_lat"

    58.436788
    -----------------------------1461124740692
    Content-Disposition: form-data; name="source_lon"

    35.343460
    -----------------------------1461124740692--
     
    Last edited: Jan 28, 2018
  3. peacemaker

    peacemaker Well-Known Member Licensed User

    SOLVED. PostString is needed instead of PostMultipart.
     
    Last edited: Jan 28, 2018
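
Added example, not part of the original thread and not the API vendor's code: a Python sketch of why the signed parameter line only verifies when it is also the request body. It assumes the server recomputes MD5 over the raw body plus the secret (the thread does not show the server side); `server_check`, `multipart_body` and `demo` are hypothetical names, and the parameters are a constructed sample using the values from the capture.

```python
import hashlib
import hmac
from urllib.parse import urlencode

SECRET = "secret_word"  # placeholder secret, as in the post

# Constructed sample: the field values seen in the sniffer capture.
PARAMS = {
    "phone": "11111111111",
    "source_time": "20180128105118",
    "source": "testsourcewithoutspaces",
    "source_lat": "58.436788",
    "source_lon": "35.343460",
}

def sign(params_line, secret=SECRET):
    """Client side: MD5 of the URL-encoded parameter line plus the secret."""
    return hashlib.md5((params_line + secret).encode("utf-8")).hexdigest()

def server_check(raw_body, signature, secret=SECRET):
    """Assumed server side: recompute the MD5 over the raw body plus secret."""
    expected = hashlib.md5(raw_body + secret.encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, signature.lower())

def multipart_body(params, boundary):
    """Body in the shape PostMultipart produced in the capture."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in params.items()
    ]
    return ("".join(parts) + f"--{boundary}--\r\n").encode("utf-8")

def demo():
    line = urlencode(PARAMS)                 # the line that gets signed
    sig = sign(line)                         # value for the Signature header
    as_form = server_check(line.encode("utf-8"), sig)
    boundary = "-" * 27 + "1461124740692"    # boundary from the capture
    as_multipart = server_check(multipart_body(PARAMS, boundary), sig)
    return line, as_form, as_multipart

if __name__ == "__main__":
    line, as_form, as_multipart = demo()
    print("signed line:        ", line)
    print("urlencoded body OK: ", as_form)
    print("multipart body OK:  ", as_multipart)
```

The same signature passes when the body is the signed line itself and fails when the fields are wrapped in multipart parts, which matches the "Wrong signature" reply and the PostString fix.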