We Keep Coding

object has no attribute 'encode' python 3 requests with auth

don't do much hashing or encrypted server connections but trying to make the best of it,
I'm trying to play around with the coinbase API as their documentation is pretty direct https://docs.pro.coinbase.com/?python#signing-a-message
I've reached a point where I'm stuck getting the error 'bytes' object has no attribute 'encode' when trying pass my message variable into a new hmac, all my parameters for my key, secretkey, passphrase are all strings, I have tried encoding them as ascii and as base64 and as utf-8 and I get the same error
I'm assuming my encryption ordering is somehow the problem but I haven't been able to find anything useful on other stack overflow that matches my issue so far, hoping someone can at least point out what I'm missing
def get_accounts(self):
print("getting accounts")
secret = bytes(self.secret, 'UTF-8')
#unicode objects must be encoded before hashing?? what is that??
timestamp = str(time.time())
message = timestamp + 'GET' + self.baseurl + 'accounts' + ''
message = bytes(message, 'UTF-8')
hmac_key = base64.b64decode(secret)
signature = hmac.new(hmac_key, message, hashlib.sha256)
print("signature ",signature)
#getting stuck here
signature_b64 = signature.digest().encode('base64').rstrip('\n')
headers = {
'CB-ACCESS-SIGN': signature_b64,
'CB-ACCESS-TIMESTAMP': timestamp,
'CB-ACCESS-KEY': self.api_key,
'CB-ACCESS-PASSPHRASE': self.passphrase,
'Content-Type': 'application/json'
}
r = requests.get(self.baseurl + 'accounts', headers=headers)
print (r.json())

okay I got it to produce a normal base64 encoded string, the coinbase api says the signature isn't valid but that's technically a separate issue so I'll leave that alone for now
signature_b64 = base64.b64encode(bytes(signature, 'UTF-8'))
signature_b64 = signature_b64.decode("utf-8")
print('final',signature_b64)

How to validate Slack API request?

I've a slack app that is sending to a service written in typescript that is forwarding the message to my python script where I'm trying to validate the request. However, for some reason, the validation always fails.
The typescript relevant code:
const rp = require('request-promise');
var qs = require('querystring')
export const handler = async (event: any, context: Context, callback: Callback): Promise<any> => {
const options = {
method: method,
uri: some_url,
body: qs.parse(event.body),
headers: {
signature: event.headers['X-Slack-Signature'],
timestamp: event.headers['X-Slack-Request-Timestamp']
},
json: true
};
return rp(options);
The python code (based on this article) :
def authenticate_message(self, request: Request) -> bool:
slack_signing_secret = bytes(SLACK_SIGNING_SECRET, 'utf-8')
slack_signature = request.headers['signature']
slack_timestamp = request.headers['timestamp']
request_body = json.loads(request.body)['payload']
basestring = f"v0:{slack_timestamp}:{request_body}".encode('utf-8')
my_signature = 'v0=' + hmac.new(slack_signing_secret, basestring, hashlib.sha256).hexdigest()
return hmac.compare_digest(my_signature, slack_signature))
I'm pretty sure the issue is the way I'm taking the body but tried several options and still no luck.
Any ideas?
Thanks,
Nir.

I had the same issue. My solution was to parse the payload to replace '/' by %2F and ':' by %3A. It's not explicit in the Slack doc but if you see the example, that's how it's shown:
'v0:1531420618:token=xyzz0WbapA4vBCDEFasx0q6G&team_id=T1DC2JH3J&team_domain=testteamnow&channel_id=G8PSS9T3V&channel_name=foobar&user_id=U2CERLKJA&user_name=roadrunner&command=%2Fwebhook-collect&text=&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT1DC2JH3J%2F397700885554%2F96rGlfmibIGlgcZRskXaIFfN&trigger_id=398738663015.47445629121.803a0bc887a14d10d2c447fce8b6703c'
You see command and response_url are parsed.
I managed to get this working in Python. I see you ask in Typescript, but I hope this python script helps:
#app.route('/slack-validation', methods=['GET', 'POST'])
def slack_secutiry():
headers = request.headers
timestamp = request.headers['X-Slack-Request-Timestamp']
slack_payload = request.form
dict_slack = slack_payload.to_dict()
### This is the key that solved the issue for me, where urllib.parse.quote(val, safe='')] ###
payload= "&".join(['='.join([key, urllib.parse.quote(val, safe='')]) for key, val in dict_slack.items()])
### compose the message:
sig_basestring = 'v0:' + timestamp + ':' + payload
sig_basestring = sig_basestring.encode('utf-8')
### secret
signing_secret = slack_signing_secret.encode('utf-8') # I had an env variable declared with slack_signing_secret
my_signature = 'v0=' + hmac.new(signing_secret, sig_basestring, hashlib.sha256).hexdigest()
print('my signature: ')
print(my_signature)
return '', 200

It might be useful for you to check how the request validation feature is implemented in the Bolt framework:
https://github.com/slackapi/bolt-python/blob/4e0709f0578080833f9aeab984a778be81a30178/slack_bolt/middleware/request_verification/request_verification.py
Note that it is implemented as a middleware, enabled by default when you instantiate the app (see attribute request_verification_enabled).
You can inspect this behaviour and/or change it if you want to validate the requests manually:
app = App(
token=SLACK_BOT_TOKEN,
signing_secret=SLACK_SIGNING_SECRET,
request_verification_enabled=False
)

The following solution solves the problem of verification of signing secret of slack
#!/usr/bin/env python3
import hashlib
import hmac
import base64
def verify_slack_request(event: dict, slack_signing_secret: str) -> bool:
"""Verify slack requests.
Borrowed from https://janikarhunen.fi/verify-slack-requests-in-aws-lambda-and-python.html
- Removed optional args
- Checks isBase64Encoded
:param event: standard event handler
:param slack_signing_secret: slack secret for the slash command
:return: True if verification worked
"""
slack_signature = event['headers']['x-slack-signature']
slack_time = event['headers']['x-slack-request-timestamp']
body = event['body']
if event['isBase64Encoded']:
body = base64.b64decode(body).decode("utf-8")
""" Form the basestring as stated in the Slack API docs. We need to make a bytestring"""
base_string = f'v0:{slack_time}:{body}'.encode('utf-8')
""" Make the Signing Secret a bytestring too. """
slack_signing_secret = bytes(slack_signing_secret, 'utf-8')
""" Create a new HMAC 'signature', and return the string presentation."""
my_signature = 'v0=' + hmac.new(
slack_signing_secret, base_string, hashlib.sha256
).hexdigest()
''' Compare the the Slack provided signature to ours.
If they are equal, the request should be verified successfully.
Log the unsuccessful requests for further analysis
(along with another relevant info about the request).'''
result = hmac.compare_digest(my_signature, slack_signature)
if not result:
logger.error('Verification failed. my_signature: ')
logger.error(f'{my_signature} != {slack_signature}')
return result
if __name__ == '__main__':
# add correct params here
print(verify_slack_request({}, None))
Borrowed From:
https://gist.github.com/nitrocode/288bb104893698011720d108e9841b1f
Credits: https://gist.github.com/nitrocode

Using a Zapier Custom Request Webhook with JSON Web Tokens

I need to access an API that uses JSON Web Tokens as their authentication method. Is there a good way to use a python code step to create this token then add that token as a header to a custom request webhook step?

My experience authenticating with APIs has been using the simple API key method. As such I first read your question and didn't fully understand. I decided to do some research and hopefully learn something along the way, and I certainly did. I share my findings and answer below:
For starters I began reading into JSON Web Tokens(JWT) which lead me to the JWT website, which was an excellent resource. It very clearly spells out the components that make up a JWT and how they need to be formatted, I would highly recommend having a look.
From the JWT website I found that a JWT is made up of three components:
A base64 URL safe encoded header.
A base64 URL safe encoded payload.
A base64 URL safe encoded signature.
All three of the above combined form the correctly formatted JWT. Fortunately the JWT website has a list of libraries made for Python. Unfortunately none of these third-party libraries are available in the vanilla Python offered by the Zapier code module. To get this done required reading some source code and leveraging what libraries we do have available. So after a few hours and lots of trial and error I was able to come up with the following solution for generating a correctly formatted JWT:
import hashlib
import hmac
import requests
from base64 import urlsafe_b64encode
def base64url_encode(payload):
if not isinstance(payload, bytes):
payload = payload.encode('utf-8')
encode = urlsafe_b64encode(payload)
return encode.decode('utf-8').rstrip('=')
def generate_JWT(header, payload, secret):
encoded_header = base64url_encode(header)
encoded_payload = base64url_encode(payload)
signature = hmac.new(secret,
encoded_header + "." + encoded_payload,
hashlib.sha256)
encoded_signature = base64url_encode(signature.digest())
return encoded_header + "." + encoded_payload + "." + encoded_signature
def get_request(url, jwt):
headers = {
"Authorization" : "Bearer " + jwt
}
result = requests.get(url, headers=headers)
return result
secret = "yoursecrettoken"
header = '{"alg":"HS256","typ":"JWT"}'
payload = '{"sub":"1234567890","name":"John Doe","iat":1516239022}'
jwt = generate_JWT(header, payload, secret)
response = get_request("https://SomeApiEndpoint.com/api/", jwt)
You can test the output of this against the JWT's debugger here.
Note: For the encoding to work properly for the header and payload objects you have to convert them to a string object. I tried doing this by calling the JSON.dumps() function and passing the dictionary objects, but when I encoded the return values they did not match what was shown on the JWT debugger. The only solution I could find was by wrapping the dictionary objects in quotations and ensuring there were no spaces within it.
And so with the JWT in hand you can use it in your Zapier Webhooks custom get request step, or you could save the zap and send the request in the same code module using Python's request library as I have in my code example.
Thanks for the learning opportunity, and I hope this helps.

I had a similar issue trying to generate and use a JWT in a custom integration. Unfortunately, this code above did not work for my situation. I'm currently using the below javascript and it seems to be functioning perfectly.
const toBase64 = obj => {
const str = JSON.stringify (obj);
return Buffer.from(str).toString ('base64');
};
const replaceSpecialChars = b64string => {
// this will match the special characters and replace them with url-safe substitutes
return b64string.replace (/[=+/]/g, charToBeReplaced => {
switch (charToBeReplaced) {
case '=':
return '';
case '+':
return '-';
case '/':
return '_';
}
});
};
const crypto = require('crypto');
const signatureFunction = crypto.createSign('RSA-SHA256');
const headerObj = {
alg: 'RS256',
typ: 'JWT',
};
const payloadObj = {
iat: Math.round(Date.now() / 1000), // lists the current Epoch time
exp: Math.round(Date.now() / 1000) + 3600, // adds one hour
sub: '1234567890'
name: 'John Doe'
};
const base64Header = toBase64(headerObj);
const base64Payload = toBase64(payloadObj);
const base64UrlHeader = replaceSpecialChars(base64Header);
const base64UrlPayload = replaceSpecialChars(base64Payload);
signatureFunction.write(base64UrlHeader + '.' + base64UrlPayload);
signatureFunction.end();
// The private key without line breaks
const privateKey = `-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5Q+0Je6sZ6BuX
cTsN7pEzAaj4819UE7gM+Tf7U5AKHSKk3hN5UILtp5EuEO7h7H+lyknn/5txltA4
-----END PRIVATE KEY-----`;
const signatureBase64 = signatureFunction.sign(privateKey, 'base64');
const signatureBase64Url = replaceSpecialChars(signatureBase64);
console.log("Your JWT is: " + base64UrlHeader + "." + base64UrlPayload + "." + signatureBase64Url);
I have this code in a Zapier code-step prior to calling the custom integration and pass in the generated token object to authenticate the call.
Hopefully, this helps someone!

MD5 password fail in scapy based EAP-MD5 authentication scrtip

Now I'm programming EAP-MD5 authentication testing script based on scapy in my private network.
But, I've failed on 'response md5-challange' status with 'password fail'.
my script code is same below. On this routine, parameter 'pkt' is from the requested MD5-Challange EAP packet
==========================================
def response_md5_handler(pkt):
global _PASSWD
# .. skip ..
eth = pkt.getlayer(Ether)
eap = pkt.getlayer(EAP)
raw = pkt.getlayer(Raw)
mypass = _PASSWD
mychallegne = str(eap.id) + mypass + raw.load[1:]
resp = md5(mychallegne ).digest()
resp = chr(len(resp)) + resp
mypkt = _mk_eap_resp_md5(eth.dst, eap.id, resp )
sendp(mypkt)
==========================================
Earlier stages(EAPOL start, Request Identity handling, Response Identity) are no problem and I've checked 'PASSWD' string.
Could you give some guide or tip? What is my problem?

I found solution myself.
On below code,
mychallegne = str(eap.id) + mypass + raw.load[1:]
I've made mistake for 'eap.id' handling.
I should use pack("!B", eap.id) insted of the str() function.

SPOJ command line submission: What to include in POST method?

Right now I am writing a snippet allowing submitting code to http://www.spoj.com/ from command line, i.e. something like python spoj_cl.py test.cpp
I understand that I need to send a POST request to the corresponding URL with specified parameters and cookie, but I'm still confused on which parameters to include on. Right now I'm doing it in a trial-and-error method, which seems not to be very effective. My questions are:
How to check systematically which parameters to be included in when sending a POST request?
How can I check immediately if the POST request I send is successful? One way I could think of is to get the content of the submission page http://www.spoj.com/status/, but checking the request directly should be preferable.
Below is the snippet I'm working on. Hopefully it should be readable.
import requests, sys
# if __name__ == "__main__":
base_url = "http://spoj.com"
autologin_hash = "*************" # Your user hash, taken from cookie
autologin_login = "************" # Your user name
session_id = "************" # Login session, can be retrieved when logged in
cookies_info = {
"autologin_login": autologin_login,
"autologin_hash": autologin_hash
}
ext_id = {
"cpp": "1"
}
filename = "test.cpp"
problem_name = str(filename.split(".")[0]).upper()
extension = filename.split(".")[1]
submit_url = base_url + "/submit/"
parts = {
"PHPSESSID": session_id,
"action": "/submit/complete",
"file": open(filename, "rb"),
"subm_file": "",
"lang": ext_id[extension],
"problemcode": problem_name
}
requests.post(submit_url,
params={"PHPSESSID": session_id},
files=parts,
cookies=cookies_info)
print "Submission sent!"

How to check systematically which parameters to be included in when sending a POST request?
I am not a member of the site spoj.com, but what you are asking for is basic web scraping. Find the HTML form for submitting code on the website, then use Firebug or Chrome developer console to find the HTML input elements with name attributes. Once you have found them, you can make a Python script to check for these elements systematically. If one day the elements are missing, the page probably changed.
Example Code:
webpage = requests.get(form_url, params={"PHPSESSID": session_id}, cookies=cookies_info)
html = BeautifulSoup(webpage.text)
form = html.find('form')
inputs = form.findAll('input')
names = []
for i in inputs:
names.append(i['name'])
How can I check immediately if the POST request I send is successful?
Check the status code of the response. It should be 200 for successful requests.
# Make the request
r = requests.post(submit_url,
params={"PHPSESSID": session_id},
files=parts,
cookies=cookies_info)
# Check the response code
if r.status_code == '200':
print "Submission successful!"
else:
print "Submission met a status code of: %s" % r.status_code