World-Check One API - Get System Id API Call Issue

Any reason the query string pair in the URL is not in the dataToSign as listed in the Postman pre-requisite?

var dataToSign = "(request-target): get " + environment["gateway-url"] + "caseReferences"+ "\n" + "host: " + environment["gateway-host"] + "\n" + "date: " + date;

The string "caseId=xxxxxxxx" is missing in the dataToSign list. Any idea? Thanks.


@leon.liang

We see that there is a pattern to the pre-request scripts in the Postman collection: APIs such as get systemId and check caseID, in which we are deriving the information from case references and case identifiers, don't require the query string in the URL to be listed in the dataToSign.

Let me check this with my team and get back to you with more information on this!

Regards,

Mehran Khan

API Technical Consultant


Hi @leon.liang,

We investigated this, and the only explanation I can think of is a general one: knowing how it works, the optional and varied order of query params would have been a possible reason not to include them in the request signing.

For example, in requests such as "Get System ID API", we are passing the caseId as part of the query param, so there is no data signing in this scenario, whereas in an API such as "Get the case template" I can see the "Case Template" being data signed when we are hitting the endpoint directly.

Hope this helps!

Regards,

Mehran Khan

API Technical Consultant


Thanks for the help Mehran, really appreciated!

To be honest, it looks more like a flaw to me, if not a bug, and I see a number of questions raised by the client asking why that particular API request doesn't get processed, only to find out later on that the parameter part is included in the dataToSign string. Also, this can be a security issue when part of the message doesn't get hashed.

Hope this can be properly dealt with, and thanks!
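
Added example, not code from the Postman collection or from any post above: it shows why a signature over the path alone does not protect the caseId parameter, and how sorting the parameters before signing handles the varied-order concern raised in the thread. HMAC-SHA256 with base64 output is an assumption, and the secret, host, path and date are constructed placeholders.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed placeholders, not real gateway values.
const SECRET = "constructed-demo-secret";
const HOST = "api.example.test";
const PATH = "/v2/caseReferences";
const DATE = "Tue, 01 Jan 2030 00:00:00 GMT";

// Same layout as the dataToSign string in the question.
function dataToSign(method, target, host, date) {
  return "(request-target): " + method.toLowerCase() + " " + target + "\n" +
         "host: " + host + "\n" +
         "date: " + date;
}

// Assumption: HMAC-SHA256 over the string, base64 encoded.
function sign(data, secret) {
  return nodeCrypto.createHmac("sha256", secret).update(data).digest("base64");
}

// Canonical target: path plus query, parameters sorted by name then value,
// so both sides derive the same bytes whatever order the params arrive in.
function canonicalTarget(path, query) {
  const params = [...new URLSearchParams(query)];
  params.sort(([ak, av], [bk, bv]) =>
    ak < bk ? -1 : ak > bk ? 1 : av < bv ? -1 : av > bv ? 1 : 0);
  const qs = new URLSearchParams(params).toString();
  return qs ? path + "?" + qs : path;
}

// Server-side check: recompute from the request as received and compare
// in constant time. coverQuery selects path-only or path-plus-query signing.
function verify(signature, method, path, query, host, date, secret, coverQuery) {
  const target = coverQuery ? canonicalTarget(path, query) : path;
  const expected = Buffer.from(sign(dataToSign(method, target, host, date), secret));
  const got = Buffer.from(signature);
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Path-only signature, as in the question: says nothing about caseId.
const pathOnlySig = sign(dataToSign("get", PATH, HOST, DATE), SECRET);
// Query-covering signature: bound to caseId=A.
const boundSig = sign(dataToSign("get", canonicalTarget(PATH, "caseId=A"), HOST, DATE), SECRET);
```

With path-only signing, `pathOnlySig` verifies for any caseId value; `boundSig` verifies only for the caseId it was computed over.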
