Oauth 1 signature generation

Hi,

I am nearing the end of my evaluation of K6, love the tool, but I am stuck on generating an OAuth 1.0 signature. I feel there is a difference in how crypto and cryptoJS generate the HMAC value.

I am calling Netsuite RestAPI and the call works fine in Postman, but when I try to create the OAuth headers I am getting a different OAuth signature.

Below is my code. I’m hoping somebody can get me over this final hurdle before we commit to K6 as our load testing platform.

```javascript
let response
  var oauth_timestamp = Math.round((new Date()).getTime() / 1000.0);
  var oauth_nonce = "";
  var method = "POST";
  var httpurl = "https://<<REALM>>.suitetalk.api.netsuite.com/services/rest/record/v1/salesorder";
  var consumer_key = "XXX";
  var consumer_secret = "XXX";
  var token = "XXX";
  var token_secret = "XXX";

  //oauth_timestamp = "1664451573";
  console.log("Timestamp: " + oauth_timestamp);

  var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  for (var i = 0; i < 20; i++) {
    oauth_nonce += possible.charAt(Math.floor(Math.random() * possible.length));
  }
  console.log("Nonce: " + oauth_nonce);

//POST method has to be uppercase
//url has to be lowercase
  var sigBaseStrig = method + "&" + encodeURIComponent(httpurl) + "&";
  sigBaseStrig += encodeURIComponent("oauth_consumer_key=" + consumer_key + "&");
  sigBaseStrig += encodeURIComponent("oauth_nonce=" + oauth_nonce + "&");
  sigBaseStrig += encodeURIComponent("oauth_signature_method=HMAC-SHA256&");
  sigBaseStrig += encodeURIComponent("oauth_timestamp=" + oauth_timestamp + "&");
  sigBaseStrig += encodeURIComponent("oauth_token=" + token + "&");
  sigBaseStrig += encodeURIComponent("oauth_version=1.0");

  console.log("SigHash: " + sigBaseStrig);

  var secret_signing_key = encodeURIComponent(consumer_secret) + '&' + encodeURIComponent(token_secret);

  let oauth_signature = crypto.createHmac('sha256', secret_signing_key);
  oauth_signature.update(sigBaseStrig);

  console.log(encodeURIComponent(oauth_signature.digest('base64')));

  // CreateSalesOrder
  response = http.post(
    httpurl,
    '{\r\n\t"entity": { "id": "20833652" },\r\n\t"item": {\r\n\t\t"items": [{\r\n\t\t\t"item": { "id": "19111" },\r\n\t\t\t"rate": 10\r\n\t\t}]\r\n\t}\r\n}',
    {
      headers: {
        Authorization:
          'OAuth realm="<<REALM>>",oauth_consumer_key="' + consumer_key + '",oauth_nonce="' + oauth_nonce + '",oauth_signature_method="HMAC-SHA256",oauth_timestamp="' + oauth_timestamp + '",oauth_token="' + token + '",oauth_version="1.0",oauth_signature="' + encodeURIComponent(oauth_signature) + '"',
        'Content-Type': 'application/json',
        Cookie: 'NS_ROUTING_VERSION=LAGGING',
      },
    }
  )
```

Thanks,

Gareth

Hi @gaz_lhg

Welcome to the forum, I’ll try my best to offer some support here :smile:

Could you please specify which version of k6 you’re using, and also which version of cryptoJS you’re comparing your results to?

I’m personally not too familiar with the OAuth v1 protocol. Because cryptography is somewhat tricky to test, it would be super helpful if you could fulfill your example script with dummy values, and the computed resulting values that you’d expect. That way I would be able to use the test script locally and assert if I’m actually making progress :bowing_man:

Thanks!
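
A reproducible version of the signing steps discussed in this thread, as an added example that is not code from either poster or from k6: it builds the RFC 5849 signature base string, signs it with HMAC-SHA256, formats the `Authorization` header, and shows the receiving side's constant-time check. It runs under Node.js with the built-in `crypto` module; the function names, the `api.example.test` URL, the realm and all key, token and secret values are constructed assumptions.

```javascript
// Added example (not from the thread): OAuth 1.0 HMAC-SHA256 signing per RFC 5849.
const nodeCrypto = require('crypto'); // Node.js built-in; k6 scripts use 'k6/crypto'

// RFC 3986 percent-encoding: encodeURIComponent leaves ! * ' ( ) unescaped.
const pct = (s) => encodeURIComponent(String(s)).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Base string: METHOD & enc(base URL) & enc(sorted, individually encoded k=v pairs).
function baseString(method, baseUrl, pairs) {
  const normalized = pairs
    .map(([k, v]) => [pct(k), pct(v)])
    .sort(([ak, av], [bk, bv]) => (ak === bk ? cmp(av, bv) : cmp(ak, bk)))
    .map(([k, v]) => k + '=' + v)
    .join('&');
  return [method.toUpperCase(), pct(baseUrl), pct(normalized)].join('&');
}

// Query parameters are signed together with the oauth_* fields; realm is not signed.
function sign(method, url, oauth, consumerSecret, tokenSecret) {
  const u = new URL(url); // lowercases scheme/host and drops the default port
  const base = baseString(method, u.origin + u.pathname,
    [...u.searchParams, ...Object.entries(oauth)]);
  const key = pct(consumerSecret) + '&' + pct(tokenSecret);
  // In Node, digest() may be called only once; keep the returned string for the header.
  const signature = nodeCrypto.createHmac('sha256', key).update(base).digest('base64');
  return { base, signature };
}

function authHeader(realm, oauth, signature) {
  const fields = Object.entries({ ...oauth, oauth_signature: signature });
  return 'OAuth realm="' + realm + '",' +
    fields.map(([k, v]) => pct(k) + '="' + pct(v) + '"').join(',');
}

// Receiving side: recompute the signature and compare in constant time.
function verify(method, url, oauth, consumerSecret, tokenSecret, presented) {
  const want = Buffer.from(sign(method, url, oauth, consumerSecret, tokenSecret).signature);
  const got = Buffer.from(String(presented));
  return want.length === got.length && nodeCrypto.timingSafeEqual(want, got);
}

// Constructed dummy values, not real credentials.
const DEMO_URL = 'https://API.example.test/services/rest/record/v1/salesorder?limit=5';
const DEMO_OAUTH = { oauth_consumer_key: 'ck_constructed', oauth_nonce: 'AbCdEfGhIjKlMnOpQrSt',
  oauth_signature_method: 'HMAC-SHA256', oauth_timestamp: '1664451573',
  oauth_token: 'tk_constructed', oauth_version: '1.0' };
const demo = sign('POST', DEMO_URL, DEMO_OAUTH, 'cs_constructed', 'ts_constructed');
console.log(demo.base + '\n' + authHeader('EXAMPLE_REALM', DEMO_OAUTH, demo.signature));
```

Printing the base string next to the one another client produces for the same fixed nonce and timestamp shows whether a mismatch comes from the base string or from the HMAC step.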