-
Feb 5th, 2025, 09:16 AM
#1
Thread Starter
Member
H2 API search in PLAINTEXT using VB6?
I'm using VB6 on Win11. My current project is about querying Discogs. I have registered the application with them, gotten the key & secret (strings). In my code I've come as far as checking if my (Discogs) token is missing and if it is, authenticate again.
I'm able to authenticate, and have stored the token and secret (can be fetched with getOAuthToken(), getOAuthTokenSecret())
In the same session, just seconds later, I'm trying to search. Running the code below returns:
"401 - Unauthorized {"message": "You must authenticate to access this resource."}"
The code:
Code:
Private Sub cmdSearch_Click()
    'getMyKey, getMySecret, getOAuthToken, getOAuthTokenSecret return the strings for key, token and secrets
    Dim sOAuthTimestamp As String: sOAuthTimestamp = Left(CStr(Timer * 86400), 8)
    Dim sAuthorizationHeader As String, sSearchURL As String
    Dim xmlHttp As Object ' Declare and...
    Set xmlHttp = CreateObject("MSXML2.XMLHTTP") ' ...create the XMLHTTP object
    sAuthorizationHeader = "OAuth " & _
        "oauth_consumer_key=""" & getMyKey() & """, " & _
        "oauth_nonce=""" & getNonce(8) & """, " & _
        "oauth_signature=""" & UrlEncode2(getMySecret() & "&" & getOAuthTokenSecret()) & """, " & _
        "oauth_signature_method=""PLAINTEXT"", " & _
        "oauth_timestamp=""" & sOAuthTimestamp & """, " & _
        "oauth_token=""" & getOAuthToken() & """, " & _
        "oauth_version=""1.0"""
    'ie: https://api.discogs.com/database/search?artist=ABBA
    sSearchURL = getSearchURL(txtSearch(0).text, txtSearch(1).text, txtSearch(2).text) ' artist, album, title
    xmlHttp.Open "GET", sSearchURL, False
    xmlHttp.setRequestHeader "Authorization", sAuthorizationHeader
    xmlHttp.setRequestHeader "User-Agent", App.Title & "/" & App.Major & "." & App.Minor & " (Windows; VB6)"
    xmlHttp.send
    If xmlHttp.Status = 200 Then
        lblSearchResult.Caption = xmlHttp.responseText
    Else
        lblSearchResult.Caption = Now & ", error: " & xmlHttp.Status & " - " & xmlHttp.statusText & vbCrLf & xmlHttp.responseText
    End If
    Set xmlHttp = Nothing
End Sub
What am I doing wrong here?
Last edited by JohnPotier; Feb 6th, 2025 at 06:57 AM.
-
Feb 5th, 2025, 09:34 AM
#2
Fanatic Member
Re: H2 API search in PLAINTEXT using VB6?
Sorry, seen you did. Are you sure the correct token is 100% correct? I remember once I had an extra return character at the end of my token. Took me a while to find it.
-
Feb 5th, 2025, 10:07 AM
#3
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
 Originally Posted by k_zeon
Sorry, seen you did. Are you sure the correct token is 100% correct? I remember once I had an extra return character at the end of my token. Took me a while to find it.
Hi k_zeon, thanks for replying! I can never be completely sure, but I've spent a lot of time double-checking this. I believe the issue lies in the content of the `sAuthorizationHeader` variable.
If you have any sample code, I'd love to take a look at it since I haven't found anything online yet. ChatGPT is the best I have - though we both know how "perfect" its code can be! Some good, too much bad in my opinion.
-
Feb 5th, 2025, 10:20 AM
#4
Fanatic Member
Re: H2 API search in PLAINTEXT using VB6?
 Originally Posted by JohnPotier
Hi k_zeon, thanks for replying! I can never be completely sure, but I've spent a lot of time double-checking this. I believe the issue lies in the content of the `sAuthorizationHeader` variable.
If you have any sample code, I'd love to take a look at it since I haven't found anything online yet. ChatGPT is the best I have - though we both know how "perfect" its code can be! Some good, too much bad in my opinion.
Not at home at the moment. Just something I thought of:
xmlHttp.setRequestHeader "Authorization", sAuthorizationHeader
In some of my POST requests I would use Bearer:
xmlHttp.setRequestHeader "Authorization", "Bearer:" & sAuthorizationHeader
Not sure if relevant, as I use this to log in to TV show data retrieval.
-
Feb 5th, 2025, 10:22 AM
#5
Re: H2 API search in PLAINTEXT using VB6?
UrlEncode2 is very different than HMAC-SHA1 they mention for signatures with OAuth flow.
Just try using their proprietary Discogs Auth Flow which does not involve signatures like OAuth.
Something like Authorization: Discogs token=abcxyz123456 or Authorization: Discogs key=foo123, secret=bar456 is much easier to grok.
cheers,
</wqw>
-
Feb 5th, 2025, 10:32 AM
#6
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
 Originally Posted by wqweto
UrlEncode2 is very different</wqw>
Hi wqweto. Thanks for chiming in. Just to clarify UrlEncode2 is my own function to URLEncode:
Code:
Public Function UrlEncode2(sText As String) As String
    Dim i As Long, c As String
    UrlEncode2 = ""
    For i = 1 To Len(sText)
        c = Mid$(sText, i, 1)
        Select Case Asc(c) '"-.", 0-9, A-Z, a-z, "_~"
            Case 45, 46, 48 To 57, 65 To 90, 97 To 122, 95, 126
                UrlEncode2 = UrlEncode2 & c ' Safe characters
            Case Asc(" ")
                UrlEncode2 = UrlEncode2 & "+" ' Form-style encoding of a space
            Case Else
                ' Always emit two hex digits, so Chr(10) becomes %0A rather than %A
                UrlEncode2 = UrlEncode2 & "%" & Right$("0" & Hex$(Asc(c)), 2)
        End Select
    Next i
End Function
Will try "Discogs Auth Flow"!
Cheers!
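Added example, not written by anyone in this thread: how RFC 5849 defines the PLAINTEXT signature and the header encoding that the code in post #1 and the UrlEncode2 helper are aiming at, shown in Python. The function name and the credential values are made up for illustration, and the thread does not establish whether Discogs accepts exactly this form.

```python
import secrets
import time
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def plaintext_oauth_header(consumer_key, consumer_secret, token, token_secret,
                           timestamp=None, nonce=None):
    """Build an OAuth 1.0 Authorization header using the PLAINTEXT method."""
    for value in (consumer_key, consumer_secret, token, token_secret):
        # A stray CR/LF or space stored along with a credential breaks the match.
        if not value or value != value.strip():
            raise ValueError("credential is empty or has surrounding whitespace")
    # Signature: encoded consumer secret, "&", encoded token secret.
    signature = pct(consumer_secret) + "&" + pct(token_secret)
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature": signature,
        "oauth_signature_method": "PLAINTEXT",
        # Seconds since 1970-01-01 UTC, not seconds since midnight.
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Each value is encoded again when placed in the header, so "&" becomes "%26".
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


if __name__ == "__main__":
    # Constructed placeholder credentials, not real ones.
    print(plaintext_oauth_header("ck", "cs", "tk", "ts"))
```

PLAINTEXT puts both secrets on the wire with every request, so it is only appropriate over HTTPS.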
-
Feb 5th, 2025, 11:18 AM
#7
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
According to Discogs Auth Flow, I can
"https://api.discogs.com/database/search?q=Nirvana" -H "Authorization: Discogs token=abcxyz123456"
I read that as I can paste this in the address line in a browser and expect to see the JSON in return:
https://api.discogs.com/database/search?q=Nirvana -H "Authorization: Discogs token=abcxyz123456"
...where I steal the token from my application (which prints keys, tokens and secrets in the immediate window)
...but instead I get:
{"message": "You must authenticate to access this resource."} in the browser.
This tells me that I'm not at all understanding how this works. I should be able to attack this from different angles. Can't!
Any suggestions?
-
Feb 5th, 2025, 11:22 AM
#8
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
But api.discogs.com/database/search?q=Nirvana&key=***&secret=***
works. Yey... :- )
-
Feb 5th, 2025, 01:56 PM
#9
Re: H2 API search in PLAINTEXT using VB6?
You can’t use browser URL to pass custom headers. That’s why their documentation uses curl utility, specifically -H parameter to do what SetRequestHeader does for XMLHTTP object.
Btw, you can try their samples in command prompt using curl.exe
-
Feb 6th, 2025, 07:05 AM
#10
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
 Originally Posted by wqweto
You can’t use browser URL to pass custom headers...
You might be right.
According to Discogs Auth Flow, it seems like there are four ways to authenticate via the URL.
This is the simplest (I think), and it works fine, just firing this off in the address bar in a browser like Chrome.
api.discogs.com/database/search?q=Nirvana&key=***&secret=***
The JSON is returned and shown in the browser.
I would assume that would also be the case for the other three formats:
curl "https://api.discogs.com/database/search?q=Nirvana" -H "Authorization: Discogs key=foo123, secret=bar456"
curl "https://api.discogs.com/database/search?q=Nirvana" -H "Authorization: Discogs token=abcxyz123456"
curl "https://api.discogs.com/database/search?q=Nirvana&token=abcxyz123456"
It says "curl" in the beginning, I see that, but again, I've tried the one on top here, and it works fine.
I assume the last one would work fine with a legal token. The two with the "-H" argument might not work and is probably the "custom headers" you refer to!!?
-
Feb 6th, 2025, 07:25 AM
#11
Re: H2 API search in PLAINTEXT using VB6?
Passing secrets (incl. passwords, keys, etc.) in the URL is a bad practice as URL is usually logged by intermediary proxies, web server logs, etc. so you have your password available for prying admin eyes in many places.
Using headers to pass authorization info is not done on a whim and has sound security reasons. Most public APIs don't even bother to allow passing auth in the URL as it's a long running anti-pattern from Web 1.0 era.
cheers,
</wqw>
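Added example, not part of the post above or of any Discogs code: a Python scan over constructed access-log lines showing that the key, secret and token query parameters used in this thread land verbatim in the logged request line, while a header-authenticated request leaves nothing to redact. The log lines, addresses and credential values are made up for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names the thread shows being used for authentication.
SECRET_PARAMS = {"key", "secret", "token"}

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target: str):
    """Return (redacted_target, sorted names of credential parameters found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)


def scan(lines):
    """Yield (line_number, leaked_names, redacted_line) for lines carrying credentials."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, found = redact_target(match["target"])
        if found:
            yield number, found, line.replace(match["target"], redacted)


# Constructed sample log lines; line 2 is a request authenticated via a header,
# which the default log format does not record.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Feb/2025:07:05:11 +0000] "GET /database/search?q=Nirvana&key=foo123&secret=bar456 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Feb/2025:07:06:02 +0000] "GET /database/search?q=Nirvana HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Feb/2025:07:06:40 +0000] "GET /database/search?q=Nirvana&token=abcxyz123456 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, names, line in scan(SAMPLE_LOG):
        print(f"line {number}: credentials in URL {names}\n  {line}")
```

Any credential such a scan turns up in existing logs should be treated as exposed and regenerated, since redaction only helps going forward.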
-
Feb 7th, 2025, 03:34 AM
#12
Thread Starter
Member
Re: H2 API search in PLAINTEXT using VB6?
 Originally Posted by wqweto
... is a bad practice...
I can't disagree with you there.
I'm having trouble with Discogs authorization. I'm getting internal errors about half the time. Even when I do manage to authorize, searching never works (which is my first endeavor). So, for now, I'm stuck using a less secure querying method.