Misleading API Error. 201 w/ Invalid Signature

Salutations. I just wanted to point out an error I had, because I went trekking down the wrong path looking for a solution for several hours because of it. The Fitbit API is my first time doing anything with OAuth, so that may have something to do with it, but the error message also seems incorrect per the documentation of the response formats and errors.

I am using an already built OAuth library for iOS. However, this library had a small mistake that was causing a bad request URL to be sent up with a POST, which I suspect is why the oauth_signature did not match up when generated on the server, even though the signature was generated correctly. So sending up a bad request URL was making the server send me back an error saying "Invalid signature: <insert sig>". I spent a good amount of time looking at the signature generation and making sure that it was done correctly by consulting the OAuth 1.0a specs. It seemed correct.

I then thought to verify the status code of the response. That status code was 201, meaning "created", and yet I was getting back a message telling me that the issue was oauth_signature. The Fitbit API docs say that an invalid oauth_signature should generate a status code of 401. Could the error message coming back in this case of a bad request URL be more helpful and say something about the request URL? Though I guess it would be hard to say that it is wrong just because the OAuth signatures don't match. Well, regardless, if it was an auth error I would have expected a 401 status code.

Hope all I've said is in some way useful. Regards.

Please provide exact request you're making and responses you're getting.

You can mask/void the security-sensitive data.

Ivan Bahdanau
Senior Software Developer at Fitbit

I have resolved the issue by addressing the incorrect request URL that was being sent up to the server from the client. Sorry I did not clarify that it was resolved.


What I wanted to point out to the API devs is that the error message is a little misleading. I'm not sure if it could have been made clearer what was wrong with the request. Here are the details of what I was sending, however, to get the 201 and the invalid oauth_signature error:

This is the base string:

POST&https%3A%2F%2Fapi.fitbit.com%2F1%2Fuser%2F-%2Fdevices%2Ftracker%2F25824177%2Falarms.json&enabled%3Dtrue%26oauth_consumer_key%3D<REDACTED>%26oauth_nonce%3D<REDACTED>%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1426796424%26oauth_token%3D<REDACTED>%26oauth_version%3D1.0%26recurring%3Dfalse%26time%3D16%253A25-04%253A00


The request URL:

https://api.fitbit.com/1/user/-/devices/tracker/25824177/alarms.json?enabled=true&label=STAND%20UP%2...


Again the status code was a 201 on the response, but this is the JSON I was getting back from the server:

{
    errors =     (
                {
            errorType = oauth;
            fieldName = "oauth_timestamp";
            message = "oauth_acceptable_timestamps=1426796553-1426797153";
        }
    );
    success = 0;
}

The request URL that I should have been sending up was this:

https://api.fitbit.com/1/user/-/devices/tracker/25824177/alarms.json


^^ So this solved my issue: removing the parameters.

Is there any way the server API could give a clearer error? Yes, the signature would not have matched, so that's technically correct, but the root cause was my request URL.
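As an added example, not code from the thread or from Fitbit's implementation, here is an OAuth 1.0a HMAC-SHA1 signer that rebuilds the signature base string the way a server would, from the URL it actually receives, so the query parameters the client sent by mistake show up as a different base string (and therefore a different signature) than the one the client signed. The names `base_string`, `sign`, `client_base_string` and `server_base_string`, and the placeholder consumer key, nonce and token, are constructed for this example.

```python
# Added example, not code from the thread or from Fitbit: an OAuth 1.0a
# HMAC-SHA1 signer (RFC 5849 section 3.4) used to compare the base string the
# client signed with the one a server rebuilds from the URL it actually got.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ENDPOINT = "https://api.fitbit.com/1/user/-/devices/tracker/25824177/alarms.json"
# Constructed placeholders; the real key, nonce and token were redacted in the thread.
OAUTH = {
    "oauth_consumer_key": "consumer-key-placeholder",
    "oauth_nonce": "nonce-placeholder",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1426796424",
    "oauth_token": "token-placeholder",
    "oauth_version": "1.0",
}
BODY = {"enabled": "true", "recurring": "false", "time": "16:25-04:00"}


def pct(value: str) -> str:
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped.
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # Section 3.4.1: query-string parameters are signed together with the body
    # and oauth_* parameters, and the base URL is the URL with its query removed.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs)
    )
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(bs: str, consumer_secret: str, token_secret: str) -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, bs.encode(), hashlib.sha1).digest()).decode()


def client_base_string() -> str:
    # What the client in the thread signed: body and oauth params, no query string.
    return base_string("POST", ENDPOINT, {**OAUTH, **BODY})


def server_base_string(received_url: str) -> str:
    # What the server rebuilds from the URL it received; extra query parameters
    # (such as the label=... sent by mistake) change the result and the signature.
    return base_string("POST", received_url, {**OAUTH, **BODY})
```

With the clean endpoint URL the two base strings agree and reproduce the parameter order and double-encoded `time%3D16%253A25-04%253A00` seen in the thread; with the URL that carried `?enabled=true&label=...` the server-side base string differs, which is why the signature check fails even though the client's HMAC computation itself was correct.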