Non Pro CoinBase API Invalid Signature-CodePudding

i've been trying to get some data from the non pro CB via their API.

I've been able to get data from coinbase pro, with the code below, adding the passphrase, but no dice with CB...

I keep getting invalid signature :(

Any idea what i could be missing?

const signedMessages = async (timestamp, meth, requestPath) => {
  const secret = process.env.cb_all_read_secret;
  const method = meth.toUpperCase();
  const body = '';

  const message = timestamp   method   requestPath   body;
  const key = Buffer.from(secret, 'base64');
  const hmac = crypto.createHmac('sha256', key);
  const cb_access_sign = hmac.update(message).digest('base64');
  return cb_access_sign;
};

const listAccounts = async () => {
  let timestamp = Math.floor(Date.now() / 1000);
  const signed = await signedMessages(timestamp, 'GET', '/v2/accounts');
const url = 'https://api.coinbase.com/v2/accounts';

  const options = {
    method: 'GET',
    headers: {
      'Content-Type': 'application/json',
      'CB-ACCESS-KEY': process.env.cb_all_read_key,
      'CB-ACCESS-SIGN': signed,
      'CB-ACCESS-TIMESTAMP': timestamp,
    },
  };
  console.log(options);

  try {
    const data = await fetch(url, options);
    const resultat = await data.json();
    console.log(resultat);
  } catch (error) {
    console.log('error: ', error.message);
  }
};

listAccounts();

CodePudding user response：

First thing I'd check is that your computer's clock is up to date i.e. not > 30 seconds behind the API server.

CodePudding user response：

coinbase documentation is frustrating at best. In one place I saw the method you're using being documented.

var what = timestamp   method   requestPath   body;

// decode the base64 secret
var key = Buffer(secret, 'base64');

// create a sha256 hmac with the secret
var hmac = crypto.createHmac('sha256', key);

// sign the require message with the hmac
// and finally base64 encode the result
return hmac.update(what).digest('base64');

When I went to find it again I found the following: documentation which does the signing a little differently:

var signature = crypto.createHmac("sha256", apiSecret).update(message).digest("hex");

Notice the lack of a base64 buffer and the digest is Hex.

I modified your code and was able to get the wallets with view permissions. I would probably create a sign function using the code in the link provided including the body for any options you need to include.

const signedMessages = async (timestamp, method, path) => {
    const apiSecret = '...';
    const bodyStr = '';
    let message = timestamp   method.toUpperCase()   '/v2/'   path   bodyStr;
    return crypto.createHmac('sha256', apiSecret).update(message).digest('hex');
};

const listAccounts = async () => {
    let timestamp = Math.floor(Date.now() / 1000);
    const signed = await signedMessages(timestamp, 'GET', 'accounts');
    const url = 'https://api.coinbase.com/v2/accounts/';

    const options = {
        method: 'GET',
        headers: {
            'Content-Type': 'application/json',
            'CB-ACCESS-KEY': '...',
            'CB-ACCESS-SIGN': signed,
            'CB-ACCESS-TIMESTAMP': timestamp,
        },
    };
    console.log(options);
    try {
        const data = await fetch(url, options);
        const resultat = await data.json();
        console.log(resultat);
    } catch (error) {
        console.log('error: ', error.message);
    }
};

listAccounts();

but guess what...

the "deprecated" node api does it the same way (that's where I found this signing method before I found the documentation) and it was last updated 4 years ago. Go figure.