Re: [DUG] Xero private API (OAuth)

Mon, 07 Jul 2014 20:34:18 -0700

Brilliant !

I am almost there.  My test code, shown below, now runs but returns 'oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature'



var
    HTTPStream              : TStringStream;
    FormParams              : TStringList;
    URL                     : AnsiString;
    HTTPResonse             : AnsiString;
begin
    FormParams := TStringList.Create;
    HTTPStream := TStringStream.Create('');
    try
        URL := 'https://api.xero.com/api.xro/2.0/TaxRates';

        try
            OAuthSignRequest(fIdHTTP.Request, 'TaxRates', URL, FormParams);
            fIdHTTP.Get(URL, HTTPStream);
        except
            on e : EIdHTTPProtocolException do begin
                Memo1.Text := e.ErrorMessage;
            end;
        end;
        HTTPStream.Position := 0;
        HTTPResonse := HTTPStream.ReadString(HTTPStream.Size);

        if (HTTPResonse <> '') then begin
            Memo1.Text := HTTPResonse;
        end;
    finally
        HTTPStream.Free;
        FormParams.Free;
    end;


//This is all the code in OAuthSignRequest(...)
    classFloOAuth.OAuthSignRequest(aRequest, aMethod, aURL, aFormParams, fConsumerKey, fConsumerKey, PRIVATE_KEY);


For my private key, I have opened xero_privatekey.pcks8 and set it up as a constant (without header, footer and Carriage returns)


I guess there is some sort of problem with either my Encoding or my Private key (Which comes from xero_privatekey.pcks8, created by OPenSSL as per xero instructions).  I suspect its the encoding and have rechecked the code, I discovered a number of places doing a UTF8Encode() on string values which I had changed to AnsiString, so I have changed them where appropriate to UTF8String.

Do you my any change know if there is an easy way to validate me signature? 

Cheers
Rob


 On 8/07/2014 2:45 p.m., Jolyon Smith wrote:
From the Xero API docs site:
Once you have added a private app you will be given a consumer key to use. The consumer key is also used as the access token. The consumer secret is not used for private apps.

In the original implementation from which the sample code was provided, the application allows for Consumer Key, Access Token, Consumer Secret and App Secret all to be configured separately if/as required, and whatever is configured is then passed to the request signing method.  This was to support potential OAuth based API's other than Xero which might not necessarily employ the same rules.

i.e in that application the Consumer Key and Token are configured with the same value.

In your case, for a Xero private app, use the overload which does not require any Consumer Secret but only Consumer Key, Token (for Xero, using the same value as the Consumer Key) and your application Private Key.



On 8 July 2014 14:14, Robert Martin <[email protected]> wrote:
Hi Joylon

Thanks for that.  I will make it ANSI.  Before I do I have a couple of extra questions, hopefully that will be it....

I assume conkey and consecret are my consumer public & private keys.  However I am unsure about tok (which I assume is a public token).  In a public app I would be assigned a token as part of the login process, where do I get this from for a private login?  Is it my apps name?

Cheers
Rob


  On 8/07/2014 12:56 p.m., Jolyon Smith wrote:
You can ignore the ProcessTags() calls - essentially they just do variable substitution within the strings involved.

There is no login for private Xero apps, which are tied to a specific Xero organisation.  You need to setup your application on the Xero API end for that specific organisation, to generate the required key and secrets etc which you use to do the signing of your requests.


w.r.t Unicode, the code was written for deployment with a pre-Unicode Delphi compiler.  Some of the code was either written for or adapted from libraries which were or had been ANSI-fied to ensure consistent behaviour for use with Unicode versions of Delphi, but the remaining code otherwise assumes ANSI strings.  If you are using a Unicode Delphi version you should change all declarations to ANSIString to maintain the intended behaviour and be careful of implicit string conversions when making calls into the routines.


To make it properly Unicode enabled may involve more significant change than that.



On 8 July 2014 11:43, Robert Martin <[email protected]> wrote:
Hi Cameron 

Sorry to bug you but....  I have the code installed and compiling however I am a bit unsure as to the process involved.

For Public apps you go through a process of logging in and getting a token. 

For private applications do you just call the API you want and encode the call using 'OAuthSignRequest(fHTTP.Request, 'POST', lURL);' or do you need to do some sort of log in as well?

In the OAuthSignRequest method there are calls to a function called ProcessTags( as below...

   conkey    := ProcessTags(OAuthConsumerKey,    Locals, Partner);
    consecret := ProcessTags(OAuthConsumerSecret, Locals, Partner);
    tok       := ProcessTags(OAuthTokenKey,       Locals, Partner);
    toksecret := ProcessTags(OAuthTokenSecret,    Locals, Partner);

I guess this function would be in the classFloCommon.pas (not included) that we 'can easily replace'.  Unfortunately I have no idea what this function does or what its inputs are asside from it returning a string and that all the parameters are globals !  Any hints?


Sorry to be a pain but this OAuth stuff is like pulling teeth.


Cheers
Rob



On 8/07/2014 9:54 a.m., Cameron Hart wrote:

this code has been shared with Xero a while ago on their forum.  there’s a copy on ftp://ftp.flow.net.nz/RELEASE/Code/

 

 

Cameron Hart


Flow Software Limited



Flow

PO Box 302 768, North Harbour

P

+64 9 476 3569

Auckland 0751, New Zealand

M

+64 21 222 3569


www.flowsoftware.co.nz

E

[email protected]

 

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone.

  P Please consider the environment before printing this email

 

 

From: [email protected] [mailto:[email protected]] On Behalf Of Jolyon Smith
Sent: Tuesday, 8 July 2014 9:14 a.m.
To: NZ Borland Developers Group - Delphi List
Subject: Re: [DUG] Xero private API (OAuth)

 

This was a nut I had to crack at Flow.  I was successful in this endeavour but I'm not at liberty to share the fruits of those labors.  If you ask nicely however, Cameron might be willing to help.

 

On 8 July 2014 08:52, Robert Martin <[email protected]> wrote:

Hi

I have been doing some work with the Xero API and have public OAuth
working fine.  However I actually need to use the private API which
requires RSA-SHA1  which I believe just means RSA signing.  Is that correct?


If so does anyone have any code examples of RSA signing, I have found
LockBox 3 which is supposed to do it but I just cant get it installed,
although the source has a XE2 project group the code is full of errors !

I am looking at using the openSLL dll calls to do it myself as an
alternative but sample code is scarce. I will continue looking but if
anyone has any pointers I would be grateful :)

Cheers
Rob

_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe

 



_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe


No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4716 / Virus Database: 3986/7813 - Release Date: 07/07/14



_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe



_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe


No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4716 / Virus Database: 3986/7813 - Release Date: 07/07/14



_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe



_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with Subject: unsubscribe


No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4716 / Virus Database: 3986/7813 - Release Date: 07/07/14




_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: [email protected]
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to [email protected] with 
Subject: unsubscribe

Reply via email to