6. Signature

Signature is used by RemitPro to verify that your request is not altered by attackers. The outline of the HMAC validation process is as follows:

Retrieve Timestamp from HTTP Header (Date)

Retrieve the API Key form HTTP Header (ClientSecret)

Lookup the API Secret corresponding to the received key in internal store

Retrieve client HMAC from HTTP Header (Signature)

Calculate HMAC using the API Secret as the HMAC secret key

Compare client HMAC with calculated HMAC

6.1 Generate Signature

SHA-256 HMAC is used to generate the signature with your API secret as the key.
Signature = HashBase64Encode (HmacSHA256(StringToSign, hmacSecret)).

The StringToSign will be a colon-separated list derived from some request data as below:

StringToSign = "(request-target):" +" " + HTTPMethod + " " + RelativeUrl +"\n" + "date: " + FormatDate
Example StringToSign: (request-target): post /customer
date: 2020-02-03T10:00:00.000+07:00

And the result for generate signature put in variable Signature header as below:

RemitPro-Signature = "Signature KeyId=" + hmacKey + ",algorithm="hmac-sha256",headers="(request-target) date",signature="" + Signature + ""

Example result Signature data:

Signature
KeyId="5ed0eee4e661f9128fbcb02295b77f27c5c841438f0508e6a00b2a47",algorithm="hmac-
sha256",headers="(request-target)
date",signature="BLWYsI1XqbWSJ6nPhhnZmrlRm%2FKZJkzRkUuhW2a5td4%3D"

6.2 Sample Pre-request Script

pm.sendRequest({
url: pm.environment.get("hostname") + "/authentication-server/oauth/token",
method: 'POST',
header: {
'Accept': 'application/json',
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': pm.environment.get("basicOAuth2")
},
body: {
mode: 'urlencoded',
urlencoded: [
{ Key: "grant_type", value: "client_credentials", disabled: false }
]
}
}, function (err, res) {
pm.globals.set("token", res.json().access_token);
console.log(res.json().access_token)
});
var randomNumber = Math.floor(Math.random() * (9999999999999999 - 100000 + 1)) + 100000;
var request = {
}
var body = JSON.stringify(request);
var replaceBody = body.replace(/\n/g, "").replace(/\r/g, "").replace(/\t/g, "").replace(/\s/g, "");
var digestBody = CryptoJS.SHA256(replaceBody);
var dateRequest = new Date().toGMTString();
var hmacKey = pm.environment.get("hmacKey");
var hmacSecret = pm.environment.get("hmacSecret");
var url = pm.request.url.getPathWithQuery();
var signatureContentString = "(request-target): post " + url + "\n";
signatureContentString = signatureContentString + "date: " + dateRequest;
//signatureContentString = signatureContentString + "RemitPro-digest: " + digestBody;
var hash = CryptoJS.HmacSHA256(signatureContentString, hmacSecret);
var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);
var hashInBase64UrlEncoded = encodeURIComponent(hashInBase64);
var signature = 'Signature KeyId="' + hmacKey + '",algorithm="hmac-sha256",headers="(request-target) date",signature="' + hashInBase64UrlEncoded + '"';
postman.setGlobalVariable("digestBody", digestBody);
postman.setGlobalVariable("body", body);
postman.setGlobalVariable("dateRequest", dateRequest);
postman.setGlobalVariable("signature", signature);

6.1 Generate Signature#

6.2 Sample Pre-request Script#

6.1 Generate Signature

6.2 Sample Pre-request Script