OAuth with HMAC-SHA256 in NetSuite using PHP cURL GET

Time:09-29

I am at my wits' end... I have a working node.js implementation of this, and trying to do the same in PHP I have run into a wall. I checked with hardcoded nonce and timestamp values and get the exact same signature in node.js and PHP, but still the return value from NetSuite with PHP is always `{"error" : {"code" : "INVALID_LOGIN_ATTEMPT", "message" : "Invalid login attempt."}}` while the JavaScript version, with the exact same signature and headers, returns valid data.

The Authorization header looks exactly the same in node.js and PHP, yet in PHP it always returns INVALID_LOGIN_ATTEMPT...

The code below is stitched together from several examples found here and there.

    $httpMethod ="GET"; 
    $projectid = "xxx";
    $taskid = "xxx";
    $script = "xxx";
    $accountID = 'xxxxx-sb1';
    $realm = "xxxxx_SB1";
    $url = 'https://'.$accountID.'.restlets.api.netsuite.com/app/site/hosting/restlet.nl';
    $url_params = "?script=$script&deploy=1&taskid=$taskid&projectid=$projectid";
    $ckey = "xxxxx"; //Consumer Key
    $csecret = "xxxxx"; //Consumer Secret
    $tkey = "xxxxx"; //Token ID
    $tsecret = "xxxxx"; //Token Secret
    $timestamp= time();
    $nonce= uniqid(mt_rand(1, 1000));
    $baseString = $httpMethod . '&' . rawurlencode($url) . "&"
        . rawurlencode("oauth_consumer_key=" . rawurlencode($ckey)
            . "&oauth_nonce=" . rawurlencode($nonce)
            . "&oauth_signature_method=HMAC-SHA256"
            . "&oauth_timestamp=" . rawurlencode($timestamp)
            . "&oauth_token=" . rawurlencode($tkey)
            . "&oauth_version=1.0"
            . "&projectid=" . rawurlencode($projectid) 
            . "&script=" . rawurlencode($script) 
            . "&taskid=" . rawurlencode($taskid) 
        );
        $key = rawurlencode($csecret) . '&' . rawurlencode($tsecret);

        $signature = rawurlencode(base64_encode(hash_hmac('sha256', $baseString, $key, true)));
        echo "signature: $signature\n\n";
        $header = array(
            "Content-Type: application/json",
            "Authorization: OAuth realm=\"$realm\", oauth_consumer_key=\"$ckey\", oauth_token=\"$tkey\", oauth_nonce=\"$nonce\", oauth_timestamp=\"$timestamp\", oauth_signature_method=\"HMAC-SHA256\", oauth_version=\"1.0\", oauth_signature=\"$signature\"",
        );

        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => $url . $url_params,
            CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
            CURLOPT_SSL_VERIFYPEER => true, // verify the server certificate; 0 would disable TLS verification
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => "",
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => $httpMethod,
            CURLOPT_HTTPHEADER => $header,
        ));

        $response = curl_exec($curl);

        curl_close($curl);

        var_dump($response);


CodePudding user response:

Pretty sure your realm should be:

    $realm = "xxxxx_SB1"; // underbar not dash

CodePudding user response:

Thanks to @bknights I finally managed to find the right solution for this. I was also missing the deploy=1 parameter AND the realm needs to have an underscore instead of a hyphen.

I literally spent two days on this...

    $httpMethod = "GET";
    $projectid = "xxx";
    $taskid = "xxx";
    $script = "xxx";
    $accountID = 'xxx-sb1';
    $realm = "xxx_SB1";//NOTICE THE UNDERSCORE
    $url = 'https://'.$accountID.'.restlets.api.netsuite.com/app/site/hosting/restlet.nl';
    $url_params = "?script=$script&deploy=1&taskid=$taskid&projectid=$projectid";
    $ckey = "ccccc"; //Consumer Key
    $csecret = "sssss"; //Consumer Secret
    $tkey = "ttttt"; //Token ID
    $tsecret = "sssss"; //Token Secret    
    $timestamp= time();
    $nonce=  uniqid(mt_rand(1, 1000));
    $baseString = $httpMethod . '&' . rawurlencode($url) . "&"
        . rawurlencode("deploy=1&oauth_consumer_key=" . rawurlencode($ckey)
            . "&oauth_nonce=" . rawurlencode($nonce)
            . "&oauth_signature_method=HMAC-SHA256"
            . "&oauth_timestamp=" . rawurlencode($timestamp)
            . "&oauth_token=" . rawurlencode($tkey)
            . "&oauth_version=1.0"
            . "&projectid=" . rawurlencode($projectid) 
            . "&script=" . rawurlencode($script) 
            . "&taskid=" . rawurlencode($taskid) 
);
        $key = rawurlencode($csecret) . '&' . rawurlencode($tsecret);
        $signature = rawurlencode(base64_encode(hash_hmac('sha256', $baseString, $key, true)));
        $header = array(
            "Authorization: OAuth realm=\"$realm\", oauth_consumer_key=\"$ckey\", oauth_token=\"$tkey\", oauth_nonce=\"$nonce\", oauth_timestamp=\"$timestamp\", oauth_signature_method=\"HMAC-SHA256\", oauth_version=\"1.0\", oauth_signature=\"$signature\"",
            "Content-Type: application/json"
        );

        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => $url . $url_params,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => "",
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => $httpMethod,
            CURLOPT_HTTPHEADER => $header,
        ));

        $response = curl_exec($curl);

        curl_close($curl);

        var_dump($response);
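
The fix above works because every query parameter sent on the URL, `deploy` included, must also appear in the signed base string. The following is an added example, not code from either poster or from NetSuite: it derives the base string from the full request URL so no parameter can be forgotten, and builds the realm from the account ID. The function names `oauth_base_string` and `netsuite_auth_header`, the credential strings and the sample parameter values are assumptions of this example.

```php
<?php
// Build the OAuth 1.0a signature base string from the URL that will actually be requested,
// so no query parameter (e.g. deploy) can be left out of the signature.
function oauth_base_string(string $method, string $fullUrl, array $oauth): string
{
    $u = parse_url($fullUrl);
    $baseUrl = strtolower($u['scheme'] . '://' . $u['host']) . $u['path'];
    $pairs = [];
    foreach (array_filter(explode('&', $u['query'] ?? ''), 'strlen') as $kv) {
        [$k, $v] = array_pad(explode('=', $kv, 2), 2, '');
        $pairs[] = [rawurlencode(urldecode($k)), rawurlencode(urldecode($v))];
    }
    foreach ($oauth as $k => $v) {
        $pairs[] = [rawurlencode($k), rawurlencode((string) $v)];
    }
    // RFC 5849 section 3.4.1.3.2: byte-wise sort by encoded name, then by encoded value.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => "$p[0]=$p[1]", $pairs));
    return strtoupper($method) . '&' . rawurlencode($baseUrl) . '&' . rawurlencode($normalized);
}

function netsuite_auth_header(string $method, string $fullUrl, string $accountId,
    string $ckey, string $csecret, string $tkey, string $tsecret): string
{
    $oauth = [
        'oauth_consumer_key'     => $ckey,
        'oauth_nonce'            => bin2hex(random_bytes(16)), // CSPRNG, unlike uniqid(mt_rand())
        'oauth_signature_method' => 'HMAC-SHA256',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $tkey,
        'oauth_version'          => '1.0',
    ];
    $key = rawurlencode($csecret) . '&' . rawurlencode($tsecret);
    $base = oauth_base_string($method, $fullUrl, $oauth);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha256', $base, $key, true));
    // Assumption from the thread's sample values: realm = account ID, upper-cased, '-' replaced by '_'.
    $fields = ['realm="' . strtoupper(str_replace('-', '_', $accountId)) . '"'];
    foreach ($oauth as $k => $v) {
        $fields[] = $k . '="' . rawurlencode($v) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $fields);
}

// Constructed sample input; prints the header without making a network request.
$url = 'https://xxxxx-sb1.restlets.api.netsuite.com/app/site/hosting/restlet.nl'
     . '?script=123&deploy=1&taskid=45&projectid=67';
echo netsuite_auth_header('GET', $url, 'xxxxx-sb1', 'ckey', 'csecret', 'tkey', 'tsecret'), "\n";
```

Pass the same `$url` string to `CURLOPT_URL` that was passed to `netsuite_auth_header`, so the signed parameters and the sent parameters cannot drift apart.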