Signing a message with a secret key

Edgar_Hernandez1 · April 3, 2023, 8:21pm

I am trying to sign a message which is sent as a payload for authentication. This message consists of a nonce, plus the unsigned and the signed message, including the api key which the other party should use to authenticate me.

I am using the following,

pack.setUserAuthentication({
  type: coda.AuthenticationType.Custom,
  params: [
    { name: "api_key", description: "API key." },
    { name: "api_secret", description: "API secret." },
  ],
});

I then get these values on addFormula like so

pack.addFormula({
...
  execute: async function ([from, to, text], context) {
    // Create the placeholders for the API key and secret.
    let invocationToken = context.invocationToken;
    let apiKeyPlaceholder = "{{api_key-" + invocationToken + "}}";
    let apiSecretPlaceholder = "{{api_secret-" + invocationToken + "}}";

   // Do signing of a message with "crypto" library or CryptoJS
   ...
   // Do request

I can CLEARLY see that the placeholders are not being replaced which causes the token to be incorrect. I have corroborated that my signing function works (when hardcoding the secret and api key).

I know this might be because these placeholders are probably switched only inside the scope of fetch, but is there another way I can sign tokens?

All help is totally appreciated

Eric_Koleda · April 4, 2023, 1:29pm

Hi @Edgar_Hernandez1 - Unfortunately I don’t think this will be possible with our authentication system today. The Custom auth placeholders are only replaced after you call fetch(), so any signature generation you do in your code will be using the placeholders and not the real values, leading to an invalid signature.

Can you point me to the docs for this API? If this is a standard authentication type then perhaps we can add support for it.

Edgar_Hernandez1 · April 4, 2023, 1:56pm

Hi @Eric_Koleda, thanks for the fast reply.

Sure, here you have an example
https://binance-docs.github.io/apidocs/spot/en/#signed-trade-user_data-and-margin-endpoint-security

I believe quite a bit of exchanges use this authentication method.

As a separate but related question, is the placeholder replaced remotely? Meaning that the secrets are stored on coda instead of locally?

Eric_Koleda · April 10, 2023, 8:44pm

Hi @Edgar_Hernandez1 - Thanks for the additional context, that’s really helpful. I’ll raise this case with the engineering team and see if they have any other ideas.

That is correct, for all of the authentication mechanisms the credentials are securely stored in Coda and injected into the outgoing requests. When developing using the CLI the npx coda auth command can be used to generate and store local credentials for testing, but they are never sent to the server when you upload the Pack.

Topic		Replies	Views
Authentication in packs Developers Central	2	508	January 3, 2022
Pack credentials not being passed to API Making Packs	7	317	August 25, 2023
Coda Pack Environment Variables Making Packs	6	279	September 18, 2023
Custom authentication Making Packs	9	709	October 8, 2022
Auth in Packs with API Key Developers Central	3	445	May 7, 2022

Signing a message with a secret key

Related Topics