NYCPython / wheretomeetup

Connecting Meetup organizers with hosts and sponsors.
http://www.wheretomeetup.com
BSD 3-Clause "New" or "Revised" License

Invalid Signature on Login #33

Closed Julian closed 12 years ago

Julian commented 12 years ago

Think there might be a step missing from the setup instructions, or perhaps I'm doing something dumb which I haven't figured out yet, but creating a fresh install with current HEAD on develop gives me a traceback when trying to log in.

EDIT: Removed what's here, since apparently my first mistake was using OAuth 2.0. Now that I removed the redirect URL and am using 1.0a, the traceback I get is due to an invalid signature.

Traceback (most recent call last):
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1701, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1689, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1687, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1360, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1358, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flask/app.py", line 1344, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flaskext/oauth.py", line 376, in decorated
    data = self.handle_oauth1_response()
  File "/Users/Julian/.virtualenvs/wheretomeetup/lib/python2.7/site-packages/flaskext/oauth.py", line 338, in handle_oauth1_response
    raise OAuthException('Invalid response from ' + self.name, data)
OAuthException: Invalid response from meetup
[console ready]
>>> pprint(data)
{'oauth_problem': u'signature_invalid',
 'oauth_signature': u'SeBpW4LjxcK8snUZArh1acJMjS4=',
 'oauth_signature_base_string': u'GET&https%3A%2F%2Fapi.meetup.com%2Foauth%2Faccess%2F&oauth_body_hash%3D2jmj7l5rSw0yVb%252FvlWAYkK%252FYBwk%253D%26oauth_consumer_key%3Dih6btm3l4g20tdhu756rli87gp%26oauth_nonce%3D86849833%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346014539%26oauth_token%3D812b05e188b96c61a76de3ad226d137a%26oauth_verifier%3D00a2833b2c2840f371c997e5c00ac0cd%26oauth_version%3D1.0',
 'oauth_signature_method': u'HMAC-SHA1'}

Haven't done any poking. I'll try later when I get a minute. I hate debugging OAuth, probably since I never remember how it works and have to relearn it each time. Steps to reproduce is just checkout, pip install requirements, ran mongod run --config /usr/local/etc/mongod.conf and spun up a web server.

dcrosta commented 12 years ago

What do you mean you were using OAuth 2.0 instead of 1.0a? Do you mean in the settings when you create the application in Meetup's API center?

Julian commented 12 years ago

Yeah. In the page linked in the README it says that if when creating a consumer key you specify a return URL, it'll default to OAuth 2 responses.

dcrosta commented 12 years ago

Could you show the contents of the resp variable in the innermost stack frame? The exception is raised when Meetup returns a non-200 response after a request for a token, so maybe that can shed more light on what's going on here.

Julian commented 12 years ago

>>> pprint.pprint(resp)
{'-content-encoding': 'gzip',
 'connection': 'close',
 'content-length': '573',
 'content-type': 'application/x-www-form-urlencoded;charset=UTF-8',
 'date': 'Mon, 27 Aug 2012 04:23:11 GMT',
 'server': 'Apache-Coyote/1.1',
 'status': '401',
 'vary': 'Accept-Encoding,User-Agent',
 'www-authenticate': 'OAuth realm="http%3A%2F%2F10.3.5.254", oauth_signature="uaha5Hd5xFWRZuXhF0u3LrV%2F%2B4k%3D", oauth_signature_base_string="GET%26https%253A%252F%252Fapi.meetup.com%252Foauth%252Faccess%252F%26oauth_body_hash%253D2jmj7l5rSw0yVb%25252FvlWAYkK%25252FYBwk%25253D%2526oauth_consumer_key%253Dih6btm3l4g20tdhu756rli87gp%2526oauth_nonce%253D83313018%2526oauth_signature_method%253DHMAC-SHA1%2526oauth_timestamp%253D1346041399%2526oauth_token%253D812b05e188b96c61a76de3ad226d137a%2526oauth_verifier%253D5ac68a527000f9375b0fcef42b3f989a%2526oauth_version%253D1.0", oauth_problem="signature_invalid", oauth_signature_method="HMAC-SHA1"'}

dcrosta commented 12 years ago

I'm still unable to reproduce this. Can you show content as well? Hopefully the body text has some useful information.

A few other things: what versions of Python and Flask-OAuth are you using?

Julian commented 12 years ago

Glad to know it's something on my end at least. Here's both, and I'll see if I come up with anything in the half hour I've got here to tinker.

>>> pprint.pprint(locals())
{'client': <oauth2.Client object at 0x101d72110>,
 'content': 'oauth_signature=MsX%2BPEaRsg9FyEj26cFqiPr5whM%3D&oauth_signature_base_string=GET%26https%253A%252F%252Fapi.meetup.com%252Foauth%252Faccess%252F%26oauth_body_hash%253D2jmj7l5rSw0yVb%25252FvlWAYkK%25252FYBwk%25253D%2526oauth_consumer_key%253Dih6btm3l4g20tdhu756rli87gp%2526oauth_nonce%253D97608005%2526oauth_signature_method%253DHMAC-SHA1%2526oauth_timestamp%253D1346071697%2526oauth_token%253D812b05e188b96c61a76de3ad226d137a%2526oauth_verifier%253D78dfb2d3af78c4af3938b265e585500f%2526oauth_version%253D1.0&oauth_problem=signature_invalid&oauth_signature_method=HMAC-SHA1',
 'data': {'oauth_problem': u'signature_invalid',
          'oauth_signature': u'MsX+PEaRsg9FyEj26cFqiPr5whM=',
          'oauth_signature_base_string': u'GET&https%3A%2F%2Fapi.meetup.com%2Foauth%2Faccess%2F&oauth_body_hash%3D2jmj7l5rSw0yVb%252FvlWAYkK%252FYBwk%253D%26oauth_consumer_key%3Dih6btm3l4g20tdhu756rli87gp%26oauth_nonce%3D97608005%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346071697%26oauth_token%3D812b05e188b96c61a76de3ad226d137a%26oauth_verifier%3D78dfb2d3af78c4af3938b265e585500f%26oauth_version%3D1.0',
          'oauth_signature_method': u'HMAC-SHA1'},
 'pprint': <module 'pprint' from '/usr/local/Cellar/python/2.7.3/lib/python2.7/pprint.pyc'>,
 'resp': {'-content-encoding': 'gzip',
          'connection': 'close',
          'content-length': '571',
          'content-type': 'application/x-www-form-urlencoded;charset=UTF-8',
          'date': 'Mon, 27 Aug 2012 12:48:07 GMT',
          'server': 'Apache-Coyote/1.1',
          'status': '401',
          'vary': 'Accept-Encoding,User-Agent',
          'www-authenticate': 'OAuth realm="http%3A%2F%2F10.3.5.254", oauth_signature="MsX%2BPEaRsg9FyEj26cFqiPr5whM%3D", oauth_signature_base_string="GET%26https%253A%252F%252Fapi.meetup.com%252Foauth%252Faccess%252F%26oauth_body_hash%253D2jmj7l5rSw0yVb%25252FvlWAYkK%25252FYBwk%25253D%2526oauth_consumer_key%253Dih6btm3l4g20tdhu756rli87gp%2526oauth_nonce%253D97608005%2526oauth_signature_method%253DHMAC-SHA1%2526oauth_timestamp%253D1346071697%2526oauth_token%253D812b05e188b96c61a76de3ad226d137a%2526oauth_verifier%253D78dfb2d3af78c4af3938b265e585500f%2526oauth_version%253D1.0", oauth_problem="signature_invalid", oauth_signature_method="HMAC-SHA1"'},
 'self': <flaskext.oauth.OAuthRemoteApp object at 0x101578250>}

(wheretomeetup)...retomeetup% pip freeze
Flask==0.9
Flask-Bootstrap==2.0.4-3
Flask-DebugToolbar==0.7.1
Flask-Login==0.1.3
Flask-OAuth==0.11
Flask-PyMongo==0.1.2
Flask-WTF==0.8
Jinja2==2.6
Twisted==12.1.0
WTForms==1.0.1
Werkzeug==0.8.3
blinker==1.2
coverage==3.5.2
distribute==0.6.27
-e git+https://github.com/dcrosta/flask-heroku@cddecb2653656332c4ea71b3b853b6d1f73539a5#egg=flask_heroku-dev
gunicorn==0.14.6
httplib2==0.7.4
mock==1.0b1
nose==1.1.2
oauth2==1.5.211
-e git+https://github.com/mongodb/mongo-python-driver@d239f9858683c451a76dbd685aa66ffe27566a9b#egg=pymongo-dev
pytz==2012d
sendgrid==0.1.2
sendgrid-python==0.1.1
wsgiref==0.1.2
zope.interface==4.0.1

2.7.3 for Python version.

Julian commented 12 years ago

OK. Fixed.

Problem was a Chrome Extension misbehaving, I'd presume AdBlock or Ghostery, but haven't narrowed it down yet, just know that disabling them fixed it. Not closing till I know for sure since neither of those are uncommon.

EDIT: Nope, not an extension after all, but works in an Incognito Window and in Safari, so it looks like I need to gut some more of my browser to figure out what's doing it.

Also, now that I know it's a browser issue, I'm on Version 22.0.1229.14 beta (Latest Beta) for Chrome in case anyone else runs into this.

EDIT EDIT: Yep, there we go, just deleting all the cookies from localhost did it, I had another cookie there that was being sent along with the POST that was messing up the signature. Apparently cookies are sent per-domain, not per-domain per port, this I don't think I knew. Anyways. There we go. Thanks for the push in the right direction.
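
An added example, not part of the original thread or of Flask-OAuth: when a provider answers `signature_invalid` and echoes `oauth_signature_base_string`, as in the dumps above, recomputing the RFC 5849 HMAC-SHA1 signature locally separates a base-string mismatch from a key (secret) mismatch. The keys, tokens and secrets are constructed placeholders, and `diagnose` is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote

def pct(s):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")

def base_string(method, url, params):
    """METHOD&URL&PARAMS: parameters are encoded, sorted, joined, then encoded again."""
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])

def split_base_string(bs):
    """Undo base_string() so an echoed value can be compared field by field."""
    method, url, params = bs.split("&")  # a valid base string has exactly two literal '&'
    return method, unquote(url), dict(parse_qsl(unquote(params), keep_blank_values=True))

def sign(bs, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is both encoded secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, bs.encode(), hashlib.sha1).digest()).decode()

def diagnose(echoed_bs, sent_bs, sent_sig, consumer_secret, token_secret):
    """Hypothetical helper: report which input disagrees with the provider."""
    if echoed_bs != sent_bs:
        ours, theirs = split_base_string(sent_bs)[2], split_base_string(echoed_bs)[2]
        diff = sorted(k for k in ours.keys() | theirs.keys() if ours.get(k) != theirs.get(k))
        return "base string differs: " + ", ".join(diff)
    if hmac.compare_digest(sign(echoed_bs, consumer_secret, token_secret), sent_sig):
        return "base string and local key agree; provider holds a different secret"
    return "signature was made with a different key than these secrets"

# Constructed sample request (placeholder values, same parameter set as the dumps above).
EMPTY_BODY_HASH = base64.b64encode(hashlib.sha1(b"").digest()).decode()
PARAMS = {
    "oauth_body_hash": EMPTY_BODY_HASH, "oauth_consumer_key": "EXAMPLE_KEY",
    "oauth_nonce": "12345678", "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1346000000", "oauth_token": "EXAMPLE_TOKEN",
    "oauth_verifier": "EXAMPLE_VERIFIER", "oauth_version": "1.0",
}
SENT = base_string("GET", "https://api.meetup.com/oauth/access/", PARAMS)
```

The `oauth_body_hash` value in the dumps is the base64 SHA-1 of an empty body, which `EMPTY_BODY_HASH` reproduces.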