Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth1 - Path Segments with Special Char "!" - Results in Auth Error #2192

Open
ktranlbmx opened this issue May 10, 2024 · 3 comments
Open

OAuth1 - Path Segments with Special Char "!" - Results in Auth Error #2192

ktranlbmx opened this issue May 10, 2024 · 3 comments
Labels
bug

Comments

@ktranlbmx
Copy link

A clear and concise description of what the bug is.

When using the reserved character '!', in a path segment, it returns a 401 unauthorized error.
Example:
https://.suitetalk.api.netsuite.com/services/rest/record/v1/purchaseOrder//**!**transform/vendorBill

Note: this is similar to Issue#2126. However, in that case, they were using special characters in the query parameters. However, here we are using reserved characters in the URL path segments.

To Reproduce
Note that when using postman, this end point works: https://.suitetalk.api.netsuite.com/services/rest/record/v1/purchaseOrder/30356/**!**transform/vendorBill

In C#, I am using the RestSharp library to handle authentication.
Note that we are already successfully using RestSharp to call many different NetSuite endpoints using OAuth1 authentication.
However, for this particular end point, we believe the "!" in the URL may not be handled properly.
This seems to be the only difference in this particular case.

This is the code to reproduce the issue:

private static RestRequest GenerateRestRequest(OAuthCredentials oAuthCredentials, string urlPathSegments, Method requestMethodType)
{
    var authenticator = OAuth1Authenticator.ForAccessToken(
        oAuthCredentials.ConsumerKey,
        oAuthCredentials.ConsumerSecret,
        oAuthCredentials.TokenID,
        oAuthCredentials.TokenSecret,
        OAuthSignatureMethod.HmacSha256
        );

    authenticator.Realm = oAuthCredentials.AccountID;

    RestRequest request = new RestRequest(Url.Combine(oAuthCredentials.CompanyURL, urlPathSegments), requestMethodType)
    {
        Authenticator = authenticator
    };

    return request;
}

public static async Task<RestResponse> NetSuiteTransformPOToVendorBill(this RestClient restClient, OAuthCredentials oAuthCredentials, NetSuiteVendorBill netSuitePOToVendorBillTransform, string NetSuitePOInternalID)
{
    string segmentStr = "{segment}";
    RestRequest request = GenerateRestRequest(oAuthCredentials, $"services/rest/record/v1/purchaseOrder/{NetSuitePOInternalID}/{segmentStr}/vendorBill", Method.Post);

    // I believe the "!" mark in this segment may not be handled correctly when generating the nonce or signature
    request.AddUrlSegment("segment", "!transform", false); 
    // Note: I have tried setting encoding to "true" as well
    // request.AddUrlSegment("segment", "!transform", true);

    request.AddHeader("Content-Type", "application/json");
    request.AddHeader("prefer", "transient");
    string serializedNetSuiteVendorBill = JsonConvert.SerializeObject(netSuitePOToVendorBillTransform);

    request.AddJsonBody(serializedNetSuiteVendorBill);

    return await restClient.ExecuteAsync(request);
}

Expected behavior
Returns Status: 204 No Content in Postman

Stack trace
error="token_rejected",
error_description="Invalid login attempt."
"title":"Unauthorized"
"status":401

Desktop (please complete the following information):

  • OS: Windows 11 Pro
  • .NET version .NET 6.0
  • Version RestSharp 110.2.0

Additional context

  • It works through postman
  • A NetSuite consultant we work has custom code that can hit this end point successfully (i.e. they don't use any open source libraries)
@ktranlbmx ktranlbmx added the bug label May 10, 2024
@alexeyzimarev
Copy link
Member

There was a change released in v111 to handle special characters differently. However, the test that checks the encoding according to RFC 3986 is failing now.

It would be good to add expected and actual signature strings in OAuth1 issues, otherwise it turns to a guess game.

@ktranlbmx
Copy link
Author

@alexeyzimarev
Thank you, V111.2.0 resolved the issue.
Through testing, it works if you put the special character directly in the URL now too (no need to put it into a URL Segment).

Here are the signature strings requested:

Successful REST Req with V111.2.0:
oauth_signature=""p97P4FkwbKkvLI5AirFV5Flgb%2BcdsdGUWnSg2d3zQeo%3D""

Unsuccessful REST Req with V110.2.0
oauth_signature=""w5UmuCZysIV4GvDNxMfwXQMbQ5z%2FIFZm1xR7vQ9shQE%3D""

However, I am not sure how useful these are to you without the OAuth credentials used to generate these signatures.

If you have any suggestions on how I could help further, I would be more than happy to help and provide additional info for your unit tests.

@alexeyzimarev
Copy link
Member

You don't have to provide real credentials. If you look at the tests I added, I used fixed values from Twitter OAuth1 docs that specifies values for everything, then it shows how the signature base will look like, and what the resulting signature will be. That page in their docs allowed me to create a reliable set of tests to verify that the code generates the correct signature base, and the actual signature is correct.

Could you please write a comment if there's any remaining issue now with the latest version? If yes, it'd be nice to have a repro code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexeyzimarev @ktranlbmx