Use woocommerce rest api v1 with http and javascript (not https)

Question

Im using oauth-signature to generate my oauth-signature for connection with woocommerce api. I followed all the steps stated at woocommerce rest api documentation:

The required parameters are: oauth_consumer_key, oauth_timestamp, oauth_nonce, oauth_signature, and oauth_signature_method. oauth_version is not required and should be omitted. The OAuth nonce can be any randomly generated 32 character (recommended) string that is unique to the consumer key. etc...

But the following request still returns unauthorized:

http://siglar.no/wp-json/wc/v1/orders?oauth_consumer_key=ck_1ca1c6ff1a93de4836ee52c766538043d7f15d07&oauth_timestamp=1482431903&oauth_nonce=P5SM1FGeFVpdRyHWp4HHYOMlYAhxE6Gl&oauth_signature=cEETZUnSNQD6uorII9c%2B5SXf0M8%3D&oauth_signature_method=HMAC-SHA1

(Dont worry, the keys are only for local use)

Response:

{"code":"woocommerce_rest_cannot_view","message":"Beklager, du kan ikke liste ressurser.","data":{"status":401}}

Im using WP 4.7, WC 2.6.9, API Activated for WC, SSL Deactivated for WC etc..

I also checked that this is done as required by the library:

Generate the signature using the signature base string and your consumer secret key with a & character with the HMAC-SHA1 hashing algorithm.

The timezone is UNIX, and the nonce should be generated as required. So does some of you spot the problem? Here is my code:

constructor(private http: Http) {

    var d = new Date();
    var httpMethod = 'GET',
        url = 'http://siglar.no/wp-json/wc/v1/orders',
        ck = 'ck_1ca1c6ff1a93de4836ee52c766538043d7f15d07',
        cs = 'cs_ce323425064c37688d614e4ff43a5489c6f78017',
        sm = 'HMAC-SHA1',
        nc = this.nonceGen(),
        timestamp = Math.floor(d.getTime()/ 1000),
        parameters = {
            oauth_consumer_key : ck,
            oauth_timestamp : timestamp,
            oauth_nonce : nc,
            oauth_signature_method : sm
        },
        // generates a RFC 3986 encoded, BASE64 encoded HMAC-SHA1 hash
        encodedSignature = oauthSignature.generate(httpMethod, url, parameters, cs);

    this.http.get(
        url + '?oauth_consumer_key='+ck+'&oauth_timestamp='+timestamp+'&oauth_nonce='+nc+'&oauth_signature='+encodedSignature+'&oauth_signature_method='+sm
    ).subscribe(data => {
        console.log('fetched');
        console.log(data);
    });

}

public nonceGen() {
    let length = 32;
    let text = "";
    let possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for(let i = 0; i < length; i++) {
        text += possible.charAt(Math.floor(Math.random() * possible.length));
    }
    return text;
}

Anyone else had any luck with this?

Answer 1

I did finally get it working.

Somehow it wouldnt work for my local wordpress installation, but it did work for my live wordpress site:

Angular2 code:

constructor(private http: Http) {

    var oauth = OAuth({
        consumer: {
            key: 'ck_...',
            secret: 'cs_...'
        },
        signature_method: 'HMAC-SHA1',
        hash_function: function(base_string, key) {
            return CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA1(base_string, key));
        }
    });

    var requestData = {
        url: 'http://siglarweb.no/wp-json/wc/v1/orders',
        method: 'GET'
    };

    this.http.get(
        requestData.url + '?' + jQuery.param(oauth.authorize(requestData))
    ).subscribe(data => {
        console.log(data);
    });

}

libraries used (installed via npm):

npm install crypto-js --save npm install oauth-1.0a --save

Required files:

"scripts": [
    "../node_modules/crypto-js/crypto-js.js",
    "../node_modules/oauth-1.0a/oauth-1.0a.js"
  ]

Answer 2

We have met issues with a 401 unauthorised response with response code like woocommerce_rest_invalid_signature.

And it turns out that the URL we used when hashing is different from the URL we accessed, the URL used in the hash is missing the trailing slash.