Invalid Signature - String to sign

Comments

5 comments

  • Avatar
    Aleksandar Kostadinov

    Hi Oskar,

    The "Invalid Signature" error is returned mainly in two cases, 1) where the parameters being sent as part of the request are not the same as the params used as part of the signature generation or 2) if there is a fault with the logic of the signing function or the input parameters to it. In this case, you are using the built-in SDK method so that would take care of the signing logic, so we can check the parameters.

    The first parameter to "api_sign_request" should be an object with key/val pairs. Based on the code that would currently send it as a single integer type. Could you try updating that to:

    const signUpload = async () => {
    const timestamp = Math.round(newDate() /1000);
    const params = {
    timestamp: timestamp
    };
    const signature = await cloudinary.utils.api_sign_request(params, process.env.CLOUDINARY_SECRET);
    return { timestamp, signature };
    }

    Could you please try with that and let us know how it goes? Lastly, if it doesn't work, may I please ask you to log the value returned from the backend code and also the Cloudinary URL being built in the frontend as that would help us understand which part is incorrect.

    1
    Comment actions Permalink
  • Avatar
    Oskar Ahlroth

    Hi Aleksandar,

    Thanks for your response. Updated it to a object:

    const signUpload = async () => {
    const timestamp = Math.round(newDate() /1000);
    const params = {
    timestamp: timestamp
    };
    const signature = await cloudinary.utils.api_sign_request(params, process.env.CLOUDINARY_SECRET);
    return { timestamp, signature };
    }
    Returns: {
    "timestamp": 1611235683,
    "signature": "5b3ca16df184e0d09ac21f75d13dcd55a949dcf9"
    }

    Still receiving

    "Invalid Signature 5b3ca16df184e0d09ac21f75d13dcd55a949dcf9. String to sign - 'timestamp=1611235683'."

    Upload url is:

    https://api.cloudinary.com/v1_1/*****/image/upload?api_key=*******&timestamp=1611235683&signature=5b3ca16df184e0d09ac21f75d13dcd55a949dcf9
    0
    Comment actions Permalink
  • Avatar
    Aleksandar Kostadinov

    Hi Oskar,

    Thanks for updating that.

    Looking at the code it looks ok now. I calculated the signature manually in the terminal like so (replacing <API_SECRET> with the actual one):

    echo -n "timestamp=1611235683<API_SECRET>" | sha1sum

    That gives me the following signature which is the one our backend expects for that input:

    8740c60a5a2ef4a255e53100723f197caf78e2c2

    Since we know the input parameter (timestamp) is correct, that leaves the API Secret as the culprit. May I please ask you to log the value of "process.env.CLOUDINARY_SECRET" before the api_sign_request call? In addition, I noticed in the config you pass "process.env.API_SECRET" but a different environment variable in api_sign_request, could you confirm which is the right one?

    Lastly, what you can also try is to explicitly pass the API Secret string copied from your account to the api_sign_request function directly rather than passing it via an environment variable. That will eliminate the issue if it's related to the environment variable itself and we can confirm using that approach.

    1
    Comment actions Permalink
  • Avatar
    Oskar Ahlroth

    Yes haha it's the environment variable.


    All working fine now, thank you so much for helping me check this Aleksandar


    0
    Comment actions Permalink
  • Avatar
    Aleksandar Kostadinov

    You're welcome, Oskar! Glad to hear it's resolved and working for you now.

    0
    Comment actions Permalink

Please sign in to leave a comment.