SAP / gigya-php-sdk

SAP CDC (Gigya) php sdk for server
Apache License 2.0

Server side validation always fail #23

Closed differens closed 1 year ago

differens commented 1 year ago

Hi,

I add your web SDK to my website like below

<script type="text/javascript" src="https://cdns.eu1.gigya.com/js/gigya.js?apikey=XXXXXXX"></script>

I handle login event in this way

gigya.accounts.addEventHandlers({
    onLogin: function(data){
        $.post("https://urltomyserver.com", data)
    },
});

Server side I receive UID, UIDSignature and signatureTimestamp correctly, but the validation below always fails

$userKey = "xxx";
$secret = "xxx";
$apikey = "xxx";
$domain = "xxx";

$isValidSession = SigUtils::validateUserSignature($UID, $signatureTimestamp, $secret, $UIDSignature); // Always FALSE

If I try (just for testing) to get the user data through the REST API, like below, using the same UID and secret, it works!

$method = "accounts.getAccountInfo";
$request = new GSRequest($apikey, $secret, $method, NULL, true, $userKey);
$request->setAPIDomain($domain);
$request->setParam("uid", $UID);
$response = $request->send(); //OK

What could cause the verification problem and how can I fix it?

Thanks so much for the help.

Environment: OS: Windows; Apache: 2.4; PHP: both php-8.1.8 and php-7.3.21

levistepanov commented 1 year ago

I think it is because you are trying to validate it with a userKey secret. The signature can only be verified with a partner secret. You will need to, in between getting the response and trying to validate it, call exchangeUIDSignature to get a signature you can then verify with your userKey secret.
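The two-step flow described in this reply (exchange the browser-supplied signature for one signed with the application key's secret, then validate it with that secret), written out as an added example; it is not code from the issue or from the SDK itself. It assumes the SDK classes used in this thread (GSRequest, SigUtils) are autoloaded, assumes the response object exposes getErrorCode(), getErrorMessage() and getString(), and uses placeholder values for the API key, application key and secret. The 60-second freshness window is the one mentioned later in this thread.

```php
<?php
// Added example (not from the issue or the SDK): verify a client-side Gigya login
// on the server when only an application key (userKey) secret is available.
// Assumption: the SDK classes are autoloaded, and GSResponse exposes
// getErrorCode(), getErrorMessage() and getString().
require_once __DIR__ . '/vendor/autoload.php'; // assumption: Composer autoloader

const GIGYA_API_KEY     = 'YOUR_API_KEY';            // placeholder
const GIGYA_USER_KEY    = 'YOUR_APPLICATION_KEY';    // placeholder (userKey)
const GIGYA_USER_SECRET = 'YOUR_APPLICATION_SECRET'; // placeholder, base64 as issued
const GIGYA_API_DOMAIN  = 'eu1.gigya.com';           // must match the site's data center

/**
 * Returns the verified UID, or throws with a reason the caller can log.
 * $params is the onLogin payload forwarded by the browser
 * (UID, UIDSignature, signatureTimestamp), e.g. $_POST.
 */
function verifyGigyaLogin(array $params): string
{
    foreach (['UID', 'UIDSignature', 'signatureTimestamp'] as $field) {
        if (empty($params[$field])) {
            throw new RuntimeException("missing field $field");
        }
    }

    // Reject stale signatures before spending an API call on them.
    if (abs(time() - (int) $params['signatureTimestamp']) > 60) {
        throw new RuntimeException('signatureTimestamp outside the 60 second window');
    }

    // Step 1: the browser's UIDSignature was produced with the partner secret, which
    // this server does not hold. Exchange it for a signature made with the
    // application key's secret. Only the constructor carries the userKey; it is not
    // repeated as a request parameter.
    $request = new GSRequest(
        GIGYA_API_KEY,
        GIGYA_USER_SECRET,
        'accounts.exchangeUIDSignature',
        null,
        true,
        GIGYA_USER_KEY
    );
    $request->setAPIDomain(GIGYA_API_DOMAIN);
    $request->setParam('UID', $params['UID']);
    $request->setParam('UIDSignature', $params['UIDSignature']);
    $request->setParam('signatureTimestamp', $params['signatureTimestamp']);
    $response = $request->send();

    if ($response->getErrorCode() !== 0) {
        // A 403007 here means the application key lacks permission for
        // accounts.exchangeUIDSignature, which is what this issue came down to.
        throw new RuntimeException(
            'exchangeUIDSignature failed: ' . $response->getErrorCode()
            . ' ' . $response->getErrorMessage()
        );
    }

    // Step 2: validate the re-signed values with the secret this server does hold.
    $uid       = $response->getString('UID');
    $signature = $response->getString('UIDSignature');
    $timestamp = $response->getString('signatureTimestamp');

    if (!SigUtils::validateUserSignature($uid, $timestamp, GIGYA_USER_SECRET, $signature)) {
        throw new RuntimeException('UID signature did not validate');
    }
    return $uid;
}

// Usage from the endpoint the browser posts to:
// $uid = verifyGigyaLogin($_POST);
```

Only values returned by exchangeUIDSignature are passed to validateUserSignature; the browser-supplied UID is never trusted on its own, and a failed exchange is surfaced with its error code so a permission problem is distinguishable from a bad signature.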

differens commented 1 year ago

Thanks for the reply! I tried both "accounts.exchangeUIDSignature" and "socialize.exchangeUIDSignature" like below:

//$method = "socialize.exchangeUIDSignature";
$method = "accounts.exchangeUIDSignature";
$request = new GSREQUEST($apikey, $secret, $method, NULL, TRUE, $userKey);
$request->setAPIDomain($domain);
$request->setParam("UID", $UID);
$request->setParam("UIDSignature", $UIDSignature);
$request->setParam("signatureTimestamp", $signatureTimestamp);
$request->setParam("userKey", $userKey);
$response = $request->send();

But I get the error:

"errorCode": 403007, "errorDetails": "Invalid namespace 'accounts' or method 'exchangeUIDSignature' or you do not have the required permissions to call it. ", "errorMessage": "Permission denied",

What could it depend on?

Thank you for your help.

levistepanov commented 1 year ago

That should be everything you need. Maybe there is an issue with the userKey? Can you check or create a new userKey/application key and give it Full API Access permission? Also, check the scope of the userKey. Ensure that it has access to the API you are testing.

Is the userKey you are passing in the setParam the same userKey in the new GSRequest? Possibly the double userKey is causing issues? Or it could be that you have GSREQUEST in all caps and it isn't working.

If it still isn't working, paste a couple of the callIds from the failed requests and I can check exactly what the problem is.


levistepanov commented 1 year ago

If you want to check using my test site, you can use this endpoint; this will tell us if it is your userKey or something with your implementation. This is using the PHP SDK. (Note that you only have 60 seconds to exchange the signature from the time it is generated on the client side.)

https://dev.gigyademo.com/bin/apis/exchangeUIDSignature.php

It needs to be a POST request and include the following params: dc should be in the format us1.gigya.com and timestamp is the signatureTimestamp. Param names are case-sensitive.


differens commented 1 year ago

Finally, it was a permissions issue. The administrator enabled the "accounts.exchangeUIDSignature" call for me and now the validation works perfectly.

I really appreciate the help you've given me.