SHA HMAC encrypting for API authentication

Dazzling_Okapi · March 3, 2023, 6:51am

I’m trying to access BrickLink’s API through Scriptables, but I’m stuck at the authentication process. Here is a working script in NodeJS:

const OAuth = require('oauth');

var oauth = new OAuth.OAuth('', '', 'consumer_key', 'consumer_secret', '1.0', null, 'HMAC-SHA1');

oauth.get('https://api.bricklink.com/api/store/v1/inventories', 'token_value', 'token_secret', function(error, data, res) {
    if (error) console.error(error);

    var obj = JSON.parse(data);

    console.log(obj.data)
});

This script gets the API output for a request for your store’s inventory.
I have tried using the methods in the 2 other topics about HMAC-SHA encrypting:
Is there a way to generate a sha256 HMAC hash in scriptable? and Feature Request: HMAC256 and other crypto functions
Although the posts are talking about HMAC-SHA256, I tried some of the things they proposed, especially saving modules (the scripts proposed didn’t work). There is a Shortcut at the end that contains a library called jsSha2 that has everything but SHA-1.
The closest I’ve gotten to it actually working is jsSha in this script:

const jsSHA = importModule('jsSHA');

const appKey = 'appKey ';
const appSecret = 'appSecret ';
const tokenValue = 'tokenValue ';
const tokenSecret = 'tokenSecret ';

const baseUrl = 'https://api.bricklink.com/api/store/v1/inventories';
const queryParams = `oauth_consumer_key=${appKey}&oauth_token=${tokenValue}&oauth_signature_method=HMAC-SHA1`;

const oauthSignature = encodeURIComponent(appSecret) + '&' + encodeURIComponent(tokenSecret);

const shaObj = new jsSHA('SHA-1', 'TEXT');
shaObj.setHMACKey(oauthSignature, 'TEXT');
shaObj.update('GET');
shaObj.update('&' + encodeURIComponent(baseUrl));
shaObj.update('&' + encodeURIComponent(queryParams));
const signature = shaObj.getHMAC('B64');

const authHeader = {
  'Authorization': `OAuth oauth_consumer_key="${appKey}", oauth_token="${tokenValue}", oauth_signature_method="HMAC-SHA1", oauth_signature="${encodeURIComponent(signature)}"`
};

const url = `${baseUrl}?${queryParams}&oauth_signature=${encodeURIComponent(signature)}`;

req = new Request(url);
req.headers = authHeader;
req.loadJSON().then((resp) => {console.log(resp)}, false);

But the API returns

{"meta":{"message":"BAD_OAUTH_REQUEST","code":401,"description":"VERSION_REJECTED: Invalid OAuth Parameters"}}

I’d like everything to be compact - at best 1 file and at worst - 3-4 libraries.
Thanks in advance!

Cezar_Almeida · March 8, 2023, 4:34am

Instead of bringing in JS files, use the webview’s evaluateJavascript feature.
Use in the header, and then use evaluateJavascript to run the function in it, which can be returned in your scriptable function. And this will be very stable, no failures due to encrypted libraries needing to be updated or missing.