Magento 1.9 – Client Side OAuth

Tags: api, magento-1.9, oauth, rest

So I'm trying to make a SPA that uses Magento 1.9.2.2 as its back office. To do this, I would like to use its REST API. And of course, it forces you to OAuth with Magento first. I have tried multiple ways to OAuth with it on the client: my own way, which works fine with any of the popular OAuth 1.0a services like Twitter and LinkedIn, and I've also tried using https://github.com/ddo/oauth-1.0a, which also works with things that don't constantly break, cough Magento cough. The issue I have is that I get back a 401 status saying signature invalid. This is the gist of it using the module:

// Uses the oauth-1.0a browser build (1.x API: consumer.public/secret) plus jQuery.
var oauth = OAuth({
    consumer: {
        // consumer key and secret issued for this app in the Magento admin
        public: 'a604a470aaff57d6063800aef713a12a',
        secret: 'ecdbb5cb43c9299ab3372ad973792d47'
    },
    signature_method: 'HMAC-SHA1'
});
// Request-token step; oauth_callback is part of the signed parameter set.
var reqData = {
    url: '/oauth/initiate',
    method: 'POST',
    data: {
        oauth_callback: 'https://172.22.22.24/oauth/authorize'
    }
};
// authorize() returns the oauth_* parameters (nonce, timestamp, signature, ...) merged with data.
var authData = oauth.authorize(reqData);
$.ajax({
    url: reqData.url,
    type: reqData.method,
    data: authData,
    success: function(data){
        console.log(data);
    }
});

So if I were to reconfigure this for any other OAuth 1.0a service, it works fine. Why would it be that Magento does not? Additionally, I have gone through all the Admin configuration for Authing with REST.

Best Answer

It is always recommended to use SSL, even along with OAuth, otherwise sensitive data can be intercepted by someone (in your case customer or order details). OAuth 1.0a at most can guarantee that data was not modified by a man-in-the-middle, but it has no data encryption mechanisms and thus leaves the payload readable by anyone.

At the same time, when SSL is enabled, there are no benefits in using signatures. So in your case it should be absolutely acceptable to use the PLAINTEXT signature method with SSL enabled (in your example you use https, so you seem to have it already enabled). This will even work a little bit faster since there is no need to calculate and verify a signature on each request.
