
Netsuite Rest Web Services Signature

I am working on an integration with the Netsuite REST Web Services API (not SOAP/RESTlets). I have it fully functioning in Postman using the supplied collection, but I have not figured out the actual string for the signature, and the REST documentation doesn't show anything. I have attempted to use the documentation from both of the other services, and no go.

So I pulled the log from Postman and have tried to replicate what I believe it to be doing, using the account ID, consumer key, token, a generated nonce, and a Unix timestamp.

GET /rest/platform/v1/metadata-catalog/record?select=customer HTTP/1.1
Accept: application/swagger+json
Authorization: OAuth realm="TSTDRV2164811", oauth_consumer_key="2bb1d46bb5f3a69fdea1ede39bf46e186bd860a15d8deaf51f7488b1e09bd2a2", oauth_token="02545230f53d0cf8fc5075f8cee01847f28131127fad358501479952bb8ce046", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1579805526", oauth_nonce="V5GBSPyMRPB", oauth_version="1.0", oauth_signature="rp6xmqnCofmVPl9D0nk48G9DVww%3D"
User-Agent: PostmanRuntime/7.22.0
Cache-Control: no-cache
Postman-Token: cbc0f225-374c-4ecc-8b5b-daf60469137e
Host: tstdrv2164811.suitetalk.api.netsuite.com
Accept-Encoding: gzip, deflate, br
Cookie: NS_ROUTING_VERSION=LAGGING
Connection: keep-alive

<?php

$url = 'https://TSTDRV2164811.suitetalk.api.netsuite.com/rest/platform/v1/metadata-catalog/record?select=customer';
//$url = 'https://rest.netsuite.com/app/site/hosting/restlet.nl?script=6&deploy=1&customParam=someValue&testParam=someOtherValue';
//or https://webservices.netsuite.com/services/NetSuitePort_2015_2 for webservices
$httpMethod = 'GET';
$tokenKey = '02545230f53d0cf8fc5075f8cee01847f28131127fad358501479952bb8ce046';
$tokenSecret = '8c4bb18a6ff15a699825ad833845d0a3dc3abca80aa89abe3c58f77eecd96f9e';
$consumerKey = '2bb1d46bb5f3a69fdea1ede39bf46e186bd860a15d8deaf51f7488b1e09bd2a2';
$consumerSecret = 'a684af8065f75f647ff24f58c3eeb48423907981ea7b93027f53cf63dcfd7626';
$signatureMethod = 'HMAC-SHA1';     //or HMAC-SHA256
$version = '1.0';
$nonce = 'V5GBSPyMRPB';                  //substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
$timestamp = '1579805526';              //  time();
$realm = 'TSTDRV2164811';                   //scompid


$baseString = 'oauth_consumer_key='. $consumerKey;
$baseString .= '&oauth_nonce='. $nonce;
$baseString .= '&oauth_signature_method='. $signatureMethod;
$baseString .= '&oauth_timestamp='. $timestamp;
$baseString .= '&oauth_token='. $tokenKey;
$baseString .= '&oauth_version='. $version;
//$baseString .= '&realm='. $realm;

$base = urlencode($baseString);
$sign = $httpMethod .'&'. urlencode($url) .'&'. $base;
$key = urlencode($consumerSecret) .'&'. urlencode($tokenSecret);

$signature = urlencode(base64_encode(hash_hmac('sha1', $sign, $key, true)));

$output = sprintf(
    '<root><signature>%s</signature><Nonce>%s</Nonce><Created>%s</Created></root>',
    $signature,
    $nonce,
    $timestamp
);



echo $output;

I would expect to get the above value but instead I get this

<root>
    <signature><![CDATA[MW0rGmPfcY7yxLOMSWV6jcWs6s8%3D]]></signature>
    <Nonce><![CDATA[V5GBSPyMRPB]]></Nonce>
    <Created><![CDATA[1579805526]]></Created>
</root>

I modified my previous code to what I am currently trying, and still no go.

The string that you generate a signature for has to be constructed in a very specific way.

Operation in all caps + & + URI encoded Base URL + & + URI encoded block of parameters in alphabetical order, excluding realm. It also needs to include some OAuth parameters in addition to any in the web request itself, like oauth_signature_method.

Here is an example in a different language of constructing the string to sign.

  // These are in alphabetical order, lower case - required by signing
  STRING2SIGN := '';
  STRING2SIGN := STRING2SIGN + 'deploy=' + SCRIPT_DEPLOYMENT_ID + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_consumer_key=' + CONSUMER_KEY + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_nonce=' + OAUTH_NONCE + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_signature_method=' + 'HMAC-SHA1' + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_timestamp=' + TIME_STAMP + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_token=' + TOKEN_ID + '&';
  STRING2SIGN := STRING2SIGN + 'oauth_version=' + OAUTH_VERSION + '&';
  STRING2SIGN := STRING2SIGN + 'script=' + SCRIPT_ID;
  STRING2SIGN := URIEncode(STRING2SIGN);
  STRING2SIGN := HTTP_METHOD + '&' + URIEncode(BASE_URL) + '&' + STRING2SIGN;
  oauth_signature := URIEncode(TNetEncoding.Base64.EncodeBytesToString(THashSHA1.GetHMACAsBytes(STRING2SIGN, CONSUMER_SECRET + '&' + TOKEN_SECRET)));

You can leave out request parameters that are not in your request, like deploy and script, but you need to include all the oauth_ ones and any additional ones that are included in your request.

There is something strange about how Postman stitches variables together to build up the URL. If you paste in the URL, rather than the {{REST_SERVICES}} that is built up from the {{COMPANY_URL}}, you get a different signature for the same exact nonce and timestamp values. So you really can't compare what Postman is doing vs your own code.
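The construction rule from the first answer, applied to the request in the question, as an added example that is not part of the original posts. It follows the OAuth 1.0 rules in RFC 5849 (lowercase scheme and host in the base URL, query parameters such as `select` sorted in with the `oauth_*` ones, `realm` excluded); the consumer key, token and secrets are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values; the key, token and secrets are placeholders.
URL = ("https://TSTDRV2164811.suitetalk.api.netsuite.com"
       "/rest/platform/v1/metadata-catalog/record?select=customer")
OAUTH = {
    "realm": "TSTDRV2164811",
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_token": "EXAMPLE_TOKEN_ID",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1579805526",
    "oauth_nonce": "V5GBSPyMRPB",
    "oauth_version": "1.0",
}


def pct(value):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Base URL: lowercase scheme and host, query string stripped.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed alongside the oauth_* ones; realm is not.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    block = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(block)])


def sign(method, url, oauth_params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    digest = hmac.new(key, base, hashlib.sha1).digest()
    # Percent-encode this value once more when writing the Authorization header.
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    print(signature_base_string("GET", URL, OAUTH))
    print(sign("GET", URL, OAUTH, "EXAMPLE_CONSUMER_SECRET", "EXAMPLE_TOKEN_SECRET"))
```

Printing the base string and comparing it field by field against the one another client signs is the quickest way to find a mismatch, since the HMAC output itself gives no hint about which input differed.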
