Can't Login with Rest API

[zerodarkzone]

Hi I'm trying to use the rest_api provided in this library, but I can't get the login to work.
Right now, the SOAP api works fine and I can use the REST API through Postman without problems.

If I try the following code, everything works.

conf = {
    "auth_type": "token",
    "account": NS_ACCOUNT,
    "consumer_key": NS_CONSUMER_KEY,
    "consumer_secret": NS_CONSUMER_SECRET,
    "token_id": NS_TOKEN_KEY,
    "token_secret": NS_TOKEN_SECRET
}
ns = netsuite.NetSuite(config=conf, version="2020.2.0")
ns.get("customer", internalId=123)

However, if I do the following:

await ns.rest_api.get("/record/v1/customer/123")

I get the following error:

NetsuiteAPIRequestError: HTTP401 - {"type":"https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2","title":"Unauthorized","status":401,"o:errorDetails":[{"detail":"Invalid login attempt. For more details, see the Login Audit Trail in the NetSuite UI at Setup > Users/Roles > User Management > View Login Audit Trail.","o:errorCode":"INVALID_LOGIN"}]}

Am I doing something wrong?

[jacobsvante]

Hi @zerodarkzone,

This error is because your user doesn't have the right permissions for the REST API. Please consult the NetSuite Help Center. They have good resources on setting up features, roles and permissions correctly for the REST API.

[zerodarkzone]

Hi @zerodarkzone,

This error is because your user doesn't have the right permissions for the REST API. Please consult the NetSuite Help Center. They have good resources on setting up features, roles and permissions correctly for the REST API.

Hi, as I said, I can use the rest API with Postman with the same credentials. ¿Does this library needs Oauth 2.0 to work?, My user is an administrator and have the right permissions.

[jacobsvante]

The library only supports OAuth 1 (what NetSuite calls TBA or Token Based Auth)

[jacobsvante]

Try upgrading to 0.7 that was released today and see if that helps.

[zerodarkzone]

Hi, I thing the problem is the signature method. The library is using "HMAC-SHA1" and it appears it only works with "HMAC-SHA256"

Changing the _make_auth method to the following fixed the problem:

    def _make_auth(self):
        from authlib.oauth1.rfc5849.client_auth import ClientAuth
        from authlib.oauth1.rfc5849.signature import generate_signature_base_string
        from oauthlib.oauth1.rfc5849.signature import sign_hmac_sha256

        def sign_hmac_sha256_with_client(client, request):
            """Sign a HMAC-SHA1 signature."""
            base_string = generate_signature_base_string(request)
            return sign_hmac_sha256(
                base_string, client.client_secret, client.token_secret)

        ClientAuth.register_signature_method("HMAC-SHA256", sign_hmac_sha256_with_client)
        auth = self._config.auth
        return OAuth1Auth(
            client_id=auth.consumer_key,
            client_secret=auth.consumer_secret,
            token=auth.token_id,
            token_secret=auth.token_secret,
            realm=self._config.account,
            force_include_body=True,
            signature_method="HMAC-SHA256",
        )

It would be great if you could add the signature_method as a parameter and implement the hmac_sha56 in a clean way.

[jacobsvante]

HMAC-SHA1 works for me on 2021.1. Have you disabled it somehow or are you on 2021.2 beta?

[jacobsvante]

Thanks for the code for HMAC-SHA256. I’ll see about adding it later.

[jacobsvante]

Ah! I think I found the reason for why it's working for me but not for you: https://docs.oracle.com/cloud/latest/netsuitecs_gs/NSATH/NSATH.pdf

Specifications for Signature Construction for the TBA Authorization Flow
[...]
Warning: In 2021.1 no new solutions using HMAC-SHA1 signature method can be created. As of 2021.2, HMAC-SHA1 signature method will not be supported. You must update your solutions to use HMAC-SHA256 signature method before your account is upgraded to 2021.2.

So I'll look into moving to HMAC-SHA256 as the default.

[jacobsvante]

@zerodarkzone This has now been fixed. HMAC-SHA256 is now the default signing method for REST API and Restlet.

[jacobsvante]

Release 0.8.0 was just released with this fix.

[zerodarkzone]

Hi, thanks for the fix.