ScaleLeap / amazon-mws-api-sdk

A fully typed TypeScript and Node.js Amazon MWS API Unofficial SDK
https://npm.im/@scaleleap/amazon-mws-api-sdk
MIT License

Failing live requests #12

Closed moltar closed 4 years ago

moltar commented 4 years ago

Create an integration test that runs against live API.

Seems like there is a failure. I think it might be with query sorting?

This is how MWS Scratchpad runs the query:

?AWSAccessKeyId=$key
&Action=ListMarketplaceParticipations
&SellerId=$ID
&MWSAuthToken=$token
&SignatureVersion=2
&Timestamp=2020-05-03T05%3A41%3A42Z
&Version=2011-07-01
&Signature=$sig
&SignatureMethod=HmacSHA256

And this is how we do it:

?AWSAccessKeyId=$key
&Action=ListMarketplaceParticipations
&MWSAuthToken=$token
&SellerId=$ID
&Signature=$sig
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2020-05-03T05%3A42%3A08.282Z
&Version=2011-07-01

You can actually try the scratchpad, even if you don't have the credentials:

https://mws.amazonservices.ca/scratchpad/index.html

Just put x in all of the auth params. The query will fail, but you can still see the request being made in the Request Details tab.

gigobyte commented 4 years ago

The request from Scratchpad is strange since the params are not actually sorted: "Sort the UTF-8 query string components by parameter name with natural byte ordering".

moltar commented 4 years ago

Hm strange. Maybe see how other libs have implemented that?

gigobyte commented 4 years ago

I copied the implementation from bizon/mws-sdk, see in PR here

gigobyte commented 4 years ago

Does the response say what went wrong? Also can you compare the Signatures, we might be calculating it wrong.

moltar commented 4 years ago

<?xml version="1.0"?>
<ErrorResponse xmlns="https://mws.amazonservices.com/Sellers/2011-07-01">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  <RequestID>5badbcfb-8a0b-4ea5-b33d-e3e9bbbbe544</RequestID>
</ErrorResponse>

gigobyte commented 4 years ago

When I compare the string to sign from Scratchpad and from the library (with "x" on every field):

POST
mws.amazonservices.ca
/Sellers/2011-07-01
AWSAccessKeyId=x&Action=ListMarketplaceParticipations&MWSAuthToken=x&SellerId=x&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2020-05-03T11%3A59%3A11Z&Version=2011-07-01

POST
mws.amazonservices.ca
/Sellers/2011-07-01
AWSAccessKeyId=x&Action=ListMarketplaceParticipations&MWSAuthToken=x&SellerId=x&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2020-05-03T11%3A49%3A46.173Z&Version=2011-07-01

they are identical.

moltar commented 4 years ago

I have tried many things. And lots of Googling.

Ok, I think I might have finally some solid idea.

Signature is Base64, which can contain some characters that URLSearchParams will escape. But I think we don't want to do that.

So we need to build the query string somehow else, or just append the signature manually at the end.

moltar commented 4 years ago

This is the source of my idea: https://stackoverflow.com/a/28622532/1566758

moltar commented 4 years ago

The latest changes produce a different error:

<?xml version="1.0"?>
<ErrorResponse xmlns="https://mws.amazonservices.com/Sellers/2011-07-01">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidParameterValue</Code>
    <Message>Either Action or Operation query parameter must be present.</Message>
  </Error>
  <RequestID>173bbba9-fdb2-48f5-a7f9-8b62e2641c84</RequestID>
</ErrorResponse>

moltar commented 4 years ago

This might be of use too: https://github.com/mhart/aws2/blob/master/aws2.js

gigobyte commented 4 years ago

The code example from the dev guide does urlencode the signature though: [image]

moltar commented 4 years ago

I would put very little trust into the docs 😂

gigobyte commented 4 years ago

The bizon/mws-sdk library does it as well.

moltar commented 4 years ago

Plus we don't know what is the implementation of urlEncode...

gigobyte commented 4 years ago

> Plus we don't know what is the implementation of urlEncode...

It's on the bottom of the code example: http://docs.developer.amazonservices.com/en_IN/dev_guide/DG_SigningQueryRequest.html

moltar commented 4 years ago

FYI can confirm that @bizon/mws-sdk works fine with the same params.

moltar commented 4 years ago

Why do they call update twice? Any significance here?

https://github.com/bizon/mws-sdk/blob/f2aa5e1ab36c9323ff3c8654828255a3b6a0421a/lib/client/sign.js#L9

gigobyte commented 4 years ago

I have no idea why they do that. Other libraries don't - 1, 2, 3

Looking at the docs for update it shouldn't make a difference.

moltar commented 4 years ago

Oh, scratch pad is actually sending POST params as body, not as query string!

moltar commented 4 years ago

yup that works :)

moltar commented 4 years ago

Pushed my POC to bug/sig-fail. It needs cleanup / rework, but it does work and test passes.

gigobyte commented 4 years ago

Nice!
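
Added example (not part of the thread, and not the SDK's or bizon/mws-sdk's code): a JavaScript sketch of the Signature Version 2 flow discussed above, with parameter names sorted in byte order, RFC 3986 percent-encoding, an HMAC-SHA256 Base64 signature, and the signed parameters placed in a form-encoded POST body instead of the query string. The helper names, the secret and the sample values are constructed for illustration.

```javascript
const { createHmac } = require('node:crypto');

// RFC 3986 percent-encoding: encodeURIComponent leaves ! ' ( ) * unescaped,
// so escape those as well. A space becomes %20, never "+".
const rfc3986 = (s) =>
  encodeURIComponent(s).replace(/[!'()*]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Sort parameter names by natural byte order, then join as name=value pairs.
function canonicalQuery(params) {
  return Object.keys(params)
    .sort((a, b) => Buffer.compare(Buffer.from(a), Buffer.from(b)))
    .map((k) => `${rfc3986(k)}=${rfc3986(params[k])}`)
    .join('&');
}

// The four-line string to sign: verb, lowercase host, path, canonical query.
function stringToSign(method, host, path, params) {
  return [method, host.toLowerCase(), path, canonicalQuery(params)].join('\n');
}

function sign(secret, method, host, path, params) {
  return createHmac('sha256', secret)
    .update(stringToSign(method, host, path, params), 'utf8')
    .digest('base64');
}

// Body for a POST with Content-Type application/x-www-form-urlencoded
// (assumed header). The Base64 signature can contain + / =, so it is
// percent-encoded like every other value and is not part of the signed string.
function signedBody(secret, host, path, params) {
  const signature = sign(secret, 'POST', host, path, params);
  return `${canonicalQuery(params)}&Signature=${rfc3986(signature)}`;
}

// Constructed sample, mirroring the "x in every field" request from the thread.
const HOST = 'mws.amazonservices.ca';
const PATH = '/Sellers/2011-07-01';
const sampleParams = {
  Version: '2011-07-01',
  Timestamp: '2020-05-03T11:59:11Z',
  SignatureVersion: '2',
  SignatureMethod: 'HmacSHA256',
  SellerId: 'x',
  MWSAuthToken: 'x',
  Action: 'ListMarketplaceParticipations',
  AWSAccessKeyId: 'x',
};
```

Comparing `stringToSign(...)` with the string shown in the Scratchpad's Request Details tab checks the canonical form independently of where the parameters are sent.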