locked
Using HMAC UNAUTHORI with postman RRS feed

  • Question

  • User729207731 posted

    I have use sample Web API security with HMAC 

    when i test on console i use code below

    class Program
        {
            static void Main(string[] args)
            {
                RunAsync().Wait();
            }
    
            static async Task RunAsync()
            {
    
                Console.WriteLine("Calling the back-end API");
    
                string apiBaseAddress = "http://localhost:43326/";
    
                CustomDelegatingHandler customDelegatingHandler = new CustomDelegatingHandler();
    
                HttpClient client = HttpClientFactory.Create(customDelegatingHandler);
    
                var order = new Order { OrderID = 10248, CustomerName = "Taiseer Joudeh", ShipperCity = "Amman", IsShipped = true };
    
                HttpResponseMessage response = await client.PostAsJsonAsync(apiBaseAddress + "api/orders", order);
    
                if (response.IsSuccessStatusCode)
                {
                    string responseString = await response.Content.ReadAsStringAsync();
                    Console.WriteLine(responseString);
                    Console.WriteLine("HTTP Status: {0}, Reason {1}. Press ENTER to exit", response.StatusCode, response.ReasonPhrase);
                }
                else
                {
                    Console.WriteLine("Failed to call the API. HTTP Status: {0}, Reason {1}", response.StatusCode, response.ReasonPhrase);
                }
    
                Console.ReadLine();
            }
    
            public class CustomDelegatingHandler : DelegatingHandler
            {
                //Obtained from the server earlier, APIKey MUST be stored securly and in App.Config
                private string APPId = "4d53bce03ec34c0a911182d4c228ee6c";
                private string APIKey = "A93reRTUJHsCuQSHR+L3GxqOJyDmQpCgps102ciuabc=";
    
                protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
                {
    
                    HttpResponseMessage response = null;
                    string requestContentBase64String = string.Empty;
    
                    string requestUri = System.Web.HttpUtility.UrlEncode(request.RequestUri.AbsoluteUri.ToLower());
    
                    string requestHttpMethod = request.Method.Method;
    
                    //Calculate UNIX time
                    DateTime epochStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
                    TimeSpan timeSpan = DateTime.UtcNow - epochStart;
                    string requestTimeStamp = Convert.ToUInt64(timeSpan.TotalSeconds).ToString();
    
                    //create random nonce for each request
                    string nonce = Guid.NewGuid().ToString("N");
    
                    //Checking if the request contains body, usually will be null wiht HTTP GET and DELETE
                    if (request.Content != null)
                    {
                        byte[] content = await request.Content.ReadAsByteArrayAsync();
                        MD5 md5 = MD5.Create();
                        //Hashing the request body, any change in request body will result in different hash, we'll incure message integrity
                        byte[] requestContentHash = md5.ComputeHash(content);
                        requestContentBase64String = Convert.ToBase64String(requestContentHash);
                    }
    
                    //Creating the raw signature string
                    string signatureRawData = String.Format("{0}{1}{2}{3}{4}{5}", APPId, requestHttpMethod, requestUri, requestTimeStamp, nonce, requestContentBase64String);
    
                    var secretKeyByteArray = Convert.FromBase64String(APIKey);
    
                    byte[] signature = Encoding.UTF8.GetBytes(signatureRawData);
    
                    using (HMACSHA256 hmac = new HMACSHA256(secretKeyByteArray))
                    {
                        byte[] signatureBytes = hmac.ComputeHash(signature);
                        string requestSignatureBase64String = Convert.ToBase64String(signatureBytes);
                        //Setting the values in the Authorization header using custom scheme (amx)
                        request.Headers.Authorization = new AuthenticationHeaderValue("amx", string.Format("{0}:{1}:{2}:{3}", APPId, requestSignatureBase64String, nonce, requestTimeStamp));
                    }
    
                    response = await base.SendAsync(request, cancellationToken);
    
                    return response;
                }
            }
    
            private void GenerateAPPKey()
            {
                using (var cryptoProvider = new RNGCryptoServiceProvider())
                {
                    byte[] secretKeyByteArray = new byte[32]; //256 bit
                    cryptoProvider.GetBytes(secretKeyByteArray);
                    var APIKey = Convert.ToBase64String(secretKeyByteArray);
                }
            }
        }

    now i want to test in postman 

    how to use with postman.

    Wednesday, May 10, 2017 4:41 AM

All replies