sp-api-sdk icon indicating copy to clipboard operation
sp-api-sdk copied to clipboard

Published 20 hours ago verified publisher icon amazon-php

HttpSignatureHeaders issue when URL contains special symbols

Open Stevad opened this issue 2 years ago • 1 comments

Hello,

I found a new issue in HttpSignatureHeaders when trying to put a product with SKU that contains special chars.

The product SKU: 301Y3EA#ABH

While sending product data to Listing API I got the next error from Amazon:

{
  "errors": [
    {
      "message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'PUT
/listings/2021-08-01/items/SELLER-ID/301Y3EA%2523ABH
marketplaceIds=A1805IZSGTT6HS
host:sellingpartnerapi-eu.amazon.com
x-amz-security-token: ...

host;x-amz-security-token
1c18c85f178d03338b2e1b023a636403f4fb3d264fb7485e93dc58f7f9e608ac'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20220706T071719Z
20220706/eu-west-1/execute-api/aws4_request
925b2ab9c22be74202b3ed26f03617806c13cc4d9d918a02409799c9e2418101'
",
     "code": "InvalidSignature"
    }
  ]
}

While debugging I checked both values that were generated by \AmazonPHP\SellingPartner\HttpSignatureHeaders::forConfig method and here are they:

Canonical string:

PUT
/listings/2021-08-01/items/SELLER-ID/301Y3EA%23ABH
marketplaceIds=A1805IZSGTT6HS
host:sellingpartnerapi-eu.amazon.com
x-amz-security-token:...

host;x-amz-security-token
1c18c85f178d03338b2e1b023a636403f4fb3d264fb7485e93dc58f7f9e608ac

String-to-Sign:

AWS4-HMAC-SHA256
20220706T071719Z
20220706/eu-west-1/execute-api/aws4_request
fba5c165936272951bf64b552ee161457f3856a61c66d7389760d30a33c92d0a

The only difference is in the second line in the Canonical string:

  • Amazon expects: /listings/2021-08-01/items/SELLER-ID/301Y3EA%2523ABH
  • We send: /listings/2021-08-01/items/SELLER-ID/301Y3EA%23ABH

Looks like Amazon expects a value that should be URL-encoded once more time. To test, I made changes in code related to $canonicalString preparation. With this code I was able to send data to API without error:

        $canonicalString = $request->getMethod()
            //. "\n" . $request->getUri()->getPath()   <-- original line, below is changed line
            . "\n" . \str_replace('%2F', '/', \rawurlencode($request->getUri()->getPath()))
            . "\n" . \http_build_query($queryElements, '', '&', PHP_QUERY_RFC3986)
            . "\n" . $canonicalHeadersStr
            . "\n" . $signedHeadersStr
            . "\n" . $hashedPayload;

Yes, it may look weird at the moment, but it works. Can you check, please?

Similar problem found over the internet:

  • https://stackoverflow.com/questions/69004557/amazon-sp-api-incorrect-url-encoding-decoding-characters-while-updating-quanti

Stevad avatar Jul 06 '22 10:07 Stevad

thanks for reporting @Stevad I will look into this as soon as possible!

norberttech avatar Jul 06 '22 11:07 norberttech

This should resolve the problem: https://github.com/amazon-php/sp-api-sdk/pull/341

norberttech avatar Feb 13 '23 10:02 norberttech