Issues with validating API keys

[ZandercraftGames]

trafficstars

When I attempt to authenticate with my API using the API key and secret that I have set, it throws the following error no matter what url path I attempt to connect to.

<pre>MissingRequiredHeadersError: Missing required HTTP headers : authorization.<br> &nbsp; &nbsp;at Object.parseRequest (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\api-key-auth\lib\parser.js:31:13)<br> &nbsp; &nbsp;at middleware (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\api-key-auth\lib\index.js:42:32)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)<br> &nbsp; &nbsp;at C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at jsonParser (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\body-parser\lib\types\json.js:110:7)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)<br> &nbsp; &nbsp;at C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at urlencodedParser (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\body-parser\lib\types\urlencoded.js:91:7)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (C:\Users\ma394545\Desktop\GitHub\beaverworx-api\node_modules\express\lib\router\index.js:317:13)</pre>

[ZandercraftGames]

Note: Code is available at https://github.com/ZandercraftGames/beaverworx-api

[arkerone]

What's the request from the client to your API?

[ZandercraftGames]

I am new to API creation, so I apologise in advance for my lack of knowledge in the field. P.S. The API key and secret are going to be changed before being put into production.

[arkerone]

It's not the right way, look the documentation https://github.com/arkerone/api-key-auth/blob/master/signature.md

[ZandercraftGames]

I read it, but I dont fully understand it. Give me a moment, I will re-read it.

[ZandercraftGames]

Im not seeing much other than the fact it says I have to use an encrypted signature in either hmac-sha1, hmac-sha256, or hmac-sha512 in the following format:

Authorization: Signature keyId="API_KEY",algorithm="hmac-sha256",headers="(request-target) host date digest content-length",signature="Base64(HMAC-SHA256(signing string))"

[ZandercraftGames]

But how do I create a signature based on the instructions in "Signature creation", and how does it tie into the API key system of the following:

[sookoll]

I'm agree with @ZandercraftGames that documentation is lacking on how to create Authorization header. There is information what it should contain, but how to create one, is missing. @arkerone perhaps You can update documentation with some straightforward guide or example?

[ZandercraftGames]

@sookoll Yeah, I literally just gave up and haven't really touched this since my last comment here. I just accepted the fact that I wouldn't get any form of straight-forward help here (at the time of posting). 🤷‍♂

[arkerone]

@sookoll The documentation about the creation of the signature is here : https://github.com/arkerone/api-key-auth/blob/master/signature.md I describe the part of the authorization header.

@ZandercraftGames You don't use the library properly. You must create the authorization header like the link above and send the header in the "Headers" tab on Postman if you want to test it. In order you must :

• Create the signature string,
• Use the algorithm in the following list hmac-sha1, hmac-sha256 or hmac-sha512 to generate a digital signature of the signature string,
• Encode the result of the digital signature in base64.

I think if you are new in API creation this libary is a bit to hard for you. You have to be comfortable with HTTP protocol and the use of headers to use this library.

I will create a client side library to simplify the use of this library.

[ZandercraftGames]

@arkerone Thank you for your response. I will try it the way you have described. 😄

[arkerone]

@ZandercraftGames It's ok for you?

[ghost]

can you provide an example of constructing the header?

[marquitobb]

[PanagiotisCY]

The answer is here 👍 https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-1.1

[mcnaveen]

Facing "MissingRequiredHeadersError: Missing required HTTP headers : authorization."

[DannnB]

This might help give a guide with the Signature process in postman: I'm only just trying to use this package right now so don't take my code for production.

The comments in the image should explain the process that https://github.com/arkerone/api-key-auth/blob/master/signature.md explains

@arkerone did you get anywhere with the "client-side library"? Is the code above the best practice for using api-key-auth? This would then be moved over to something like Axios. How would you hide the secret on the client app?

Thanks for any help you can give! I'm new to doing this type of auth for express

Postman "Pre-request script"

const apiKey = "847210567175011568915"
const apiSecretKey = "awdoi82th2t9h02t4h0gw0jigq"

const request_settings = {
    method: pm.request.method.toLowerCase(),
    uri: `/${pm.request.url.path.reduce((prevVal, currVal, idx) => idx == 0 ? currVal : prevVal + '/' + currVal, '')}`
}
const signatureRawData = `(request-target): ${request_settings.method} ${request_settings.uri}`
const signature = CryptoJS.enc.Utf8.parse(signatureRawData);

// Create the signature string
const secretByteArray = apiSecretKey;
// Use the algorithm in the following list hmac-sha1, hmac-sha256 or hmac-sha512 to generate a digital signature of the signature string
const signatureBytes = CryptoJS.HmacSHA256(signature,apiSecretKey);
// Encode the result of the digital signature in base64.
const requestSignatureBase64String = CryptoJS.enc.Base64.stringify(signatureBytes);

// create the value for the  "Authorization" header
const signatureValue = `Signature keyId="${apiKey}",algorithm="hmac-sha256",headers="(request-target)",signature="${requestSignatureBase64String}"`

// set it in a environment variable 
pm.environment.set("signature", signatureValue);

// This will show your created "Authorization" header value i nthe postman console
console.log(signatureValue)

[arkerone]

@DannnB your code looks good ! Unfortunately, I don't have anytime to create a lib for the client side. Don't use it for a "browser" authentication, this auth method must be used only to authenticated a service (server to server). To hide the secret you have severals solutions, you can save the secret on the environment variable or use a service like hashicorp vault or aws secrets manager