
Invalid create account signature

We have noticed an intermittent problem with the REST API when trying to create accounts. In our implementation, when the user is creating an account they input their method via the Hosted Payment Page. Our webpage then issues an API call for our API layer to get an HMAC create account signature, since our app is a web app built with Ember.js and getting the HMAC signature as shown in the Zuora examples would require us to leave the credentials in the app code, which could be viewed by anyone using the "View Source" option in their browser (minifying just makes it harder to find, not impossible). In any event, once the HMAC signature is obtained, the app calls the Zuora REST API to create the account. The REST method fails and the reason code is "Invalid signature". This is "I wanna punch somebody" frustrating because we check the call to get the signature to make sure the success attribute in the response contents is true.

I created a HAR file (which is basically a JSON file) of the entire exchange, but here are the interesting bits. First, getting the create account signature:

{
"startedDateTime": "2016-09-29T18:49:43.809Z",
"time": 274.96199999950477,
"request": {
"method": "POST",
"url": "https://api.traceablelive.com/zyzzyx/GetCreateAccountSignature",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Origin",
"value": "https://www.traceablelive.com"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "X-apikey",
"value": "344"
},
{
"name": "Host",
"value": "api.traceablelive.com"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.8"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "Referer",
"value": "https://www.traceablelive.com/account/payment/recover"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "X-apinamekey",
"value": "HealthSouth Tustin"
},
{
"name": "X-useremail",
"value": "maryam.jouharzadeh@healthsouth.com"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "DNT",
"value": "1"
}
],
"queryString": [],
"cookies": [],
"headersSize": 538,
"bodySize": 0
},
"response": {
"status": 200,
"statusText": "OK",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Access-Control-Allow-Origin",
"value": "https://www.traceablelive.com"
},
{
"name": "Date",
"value": "Thu, 29 Sep 2016 18:51:11 GMT"
},
{
"name": "Access-Control-Allow-Credentials",
"value": "true"
},
{
"name": "Server",
"value": "Microsoft-IIS/8.5"
},
{
"name": "X-Powered-By",
"value": "ASP.NET"
},
{
"name": "Content-Length",
"value": "145"
},
{
"name": "Content-Type",
"value": "application/json; charset=utf-8"
}
],
"cookies": [],
"content": {
"size": 145,
"mimeType": "application/json",
"compression": 0,
"text": "{\"signature\":\"MmYzOWZhYjgxZTYyOWI2NjNjMDg4YTllYmQyNzM4ZTBhOWVlMjg5Ng==\",\"token\":\"VWrFSh1QY6gMEj4JrFYXYQ89AM3n88gM\",\"success\":true,\"reasons\":null}"
},
"redirectURL": "",
"headersSize": 274,
"bodySize": 145,
"_transferSize": 419
},
"cache": {},
"timings": {
"blocked": 0.313000000460306,
"dns": -1,
"connect": -1,
"send": 0.14100000043981697,
"wait": 273.8680000002209,
"receive": 0.6399999983837574,
"ssl": -1
},
"serverIPAddress": "40.84.147.206",
"connection": "81239"
}

So, as you can see, Zuora has returned to us a token and signature which is passed back to the web app. The next thing to do is to create the account, which is done by calling the CORS-enabled Zuora REST API method:

{
"startedDateTime": "2016-09-29T18:49:44.344Z",
"time": 127.82700000025216,
"request": {
"method": "POST",
"url": "https://api.zuora.com/rest/v1/accounts",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Origin",
"value": "https://www.traceablelive.com"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Host",
"value": "api.zuora.com"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.8"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
},
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "Accept",
"value": "application/json"
},
{
"name": "Referer",
"value": "https://www.traceablelive.com/account/payment/recover"
},
{
"name": "signature",
"value": "MmYzOWZhYjgxZTYyOWI2NjNjMDg4YTllYmQyNzM4ZTBhOWVlMjg5Ng=="
},
{
"name": "DNT",
"value": "1"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Content-Length",
"value": "710"
},
{
"name": "token",
"value": "VWrFSh1QY6gMEj4JrFYXYQ89AM3n88gM"
}
],
"queryString": [],
"cookies": [],
"headersSize": 573,
"bodySize": 710,
"postData": {
"mimeType": "application/json",
"text": "{\"accountNumber\":344,\"name\":\"Some Company Tustin \",\"currency\":\"USD\",\"autoPay\":true,\"billToContact\":{\"firstName\":\"Notmy\",\"Realname\":\"jouharzadeh\",\"address1\":\"14851 yorba street\",\"address2\":null,\"city\":\"tustin\",\"state\":\"ca\",\"zipCode\":\"92780\",\"country\":\"United States\",\"workEmail\":\"notmyrealname@notmyrealjob.com\",\"workPhone\":\"7145551212\"},\"hpmCreditCardPaymentMethodId\":\"2c92a0fe576f2f9401577749415166a3\",\"subscription\":{\"termType\":\"TERMED\",\"initialTerm\":12,\"autoRenew\":true,\"renewalTerm\":12,\"contractEffectiveDate\":\"2016-09-29\",\"subscribeToRatePlans\":[{\"productRatePlanId\":\"2c92a0fb517b223d015182fcb1f52803\",\"chargeOverrides\":[{\"productRatePlanChargeId\":\"2c92a0f9517b0e11015182fcb4fc74ef\",\"quantity\":0}]}]}}"
}
},
"response": {
"status": 401,
"statusText": "Unauthorized",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Date",
"value": "Thu, 29 Sep 2016 18:51:12 GMT"
},
{
"name": "Server",
"value": "Zuora App"
},
{
"name": "Content-Type",
"value": "application/json;charset=utf-8"
},
{
"name": "Access-Control-Allow-Origin",
"value": "https://www.traceablelive.com"
},
{
"name": "Cache-Control",
"value": "max-age=0, no-cache, no-store"
},
{
"name": "Access-Control-Allow-Credentials",
"value": "true"
},
{
"name": "Connection",
"value": "close"
},
{
"name": "Content-Length",
"value": "108"
},
{
"name": "Expires",
"value": "Thu, 29 Sep 2016 18:51:12 GMT"
}
],
"cookies": [],
"content": {
"size": 108,
"mimeType": "application/json",
"compression": 0,
"text": "{\n \"success\" : false,\n \"reasons\" : [ {\n \"code\" : 90000011,\n \"message\" : \"Invalid signature.\"\n } ]\n}"
},
"redirectURL": "",
"headersSize": 375,
"bodySize": 108,
"_transferSize": 483
},
"cache": {},
"timings": {
"blocked": 0.313000000460306,
"dns": -1,
"connect": -1,
"send": 0.16599999980826396,
"wait": 126.77299999995743,
"receive": 0.5750000000261508,
"ssl": -1
},
"serverIPAddress": "23.4.37.171",
"connection": "81249"
}

But NOW, the CreateAccount method is saying the signature we sent is invalid. Frustrating. If anyone has seen this problem and has a solution, I'd be happy to hear from ya.

Thanks in advance!
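As an added example (not part of the original post, and not Zuora's or the poster's code), here is a small Python check that reads a HAR capture of this two-step flow and answers the questions a debugger would ask first: did the signing endpoint report success, were the signature and token forwarded to the accounts call unchanged, what digest width does the base64 signature actually wrap, how long was the signature held before use, and how far is the signing server's clock from the browser's. The HAR below is a constructed, trimmed-down version of the two exchanges above, keeping only the fields the check reads.

```python
import base64
import json
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SIG = "MmYzOWZhYjgxZTYyOWI2NjNjMDg4YTllYmQyNzM4ZTBhOWVlMjg5Ng=="
TOK = "VWrFSh1QY6gMEj4JrFYXYQ89AM3n88gM"
# Constructed, trimmed-down HAR with only the fields this check reads; the values are those from the post.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2016-09-29T18:49:43.809Z",
     "request": {"url": "https://api.traceablelive.com/zyzzyx/GetCreateAccountSignature", "headers": []},
     "response": {"status": 200, "headers": [{"name": "Date", "value": "Thu, 29 Sep 2016 18:51:11 GMT"}],
                  "content": {"text": json.dumps({"signature": SIG, "token": TOK, "success": True, "reasons": None})}}},
    {"startedDateTime": "2016-09-29T18:49:44.344Z",
     "request": {"url": "https://api.zuora.com/rest/v1/accounts",
                 "headers": [{"name": "signature", "value": SIG}, {"name": "token", "value": TOK}]},
     "response": {"status": 401, "headers": [],
                  "content": {"text": json.dumps({"success": False, "reasons": [{"code": 90000011, "message": "Invalid signature."}]})}}},
]}}

def header(msg, name):
    """Case-insensitive header lookup on a HAR request or response object."""
    return next((h["value"] for h in msg.get("headers", []) if h["name"].lower() == name.lower()), None)

def har_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_signature_flow(har):
    sign_entry, call_entry = har["log"]["entries"][:2]
    issued = json.loads(sign_entry["response"]["content"]["text"])
    report = {"issuer_success": issued.get("success") is True}
    # Did the browser forward exactly what the signing endpoint issued?
    report["signature_intact"] = header(call_entry["request"], "signature") == issued["signature"]
    report["token_intact"] = header(call_entry["request"], "token") == issued["token"]
    # The base64 blob should unwrap to a hex digest; its length gives the HMAC output width.
    raw = base64.b64decode(issued["signature"], validate=True).decode("ascii", "replace")
    report["digest_hex"] = raw if re.fullmatch(r"[0-9a-f]+", raw) else None
    report["digest_bits"] = len(raw) * 4 if report["digest_hex"] else None
    # How long the signature was held before use, and how far the issuer's clock is
    # from the browser's (relevant if the signature or token is time-limited).
    t0, t1 = har_time(sign_entry["startedDateTime"]), har_time(call_entry["startedDateTime"])
    report["seconds_until_use"] = round((t1 - t0).total_seconds(), 3)
    date_hdr = header(sign_entry["response"], "date")
    report["issuer_clock_skew_s"] = round((parsedate_to_datetime(date_hdr) - t0).total_seconds()) if date_hdr else None
    outcome = json.loads(call_entry["response"]["content"]["text"])
    report["api_status"] = call_entry["response"]["status"]
    report["reason_codes"] = [r["code"] for r in outcome.get("reasons") or []]
    return report
```

On the values in the post the signature unwraps to a 40-character hex digest (160 bits) and both headers reach Zuora byte-for-byte as issued, so corruption in transit can be ruled out and the investigation belongs on how the signature was generated and what it was bound to, not on the browser side.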

Re: Invalid create account signature

Hi @russd2357!

It looks like you've been working with a couple of our agents on this. We'll keep you posted...

Thanks,

Lana


Lana Lee | Senior Community Manager and Strategist