World-Check One API - Get System Id API Call Issue

Any reason the query string pair in the URL is not in the dataToSign as listed in the Postman pre-requisite?

var dataToSign = "(request-target): get " + environment["gateway-url"] +
"caseReferences"+ "\n" +
"host: " + environment["gateway-host"] + "\n" +
"date: " + date;

The string "caseId=xxxxxxxx" is missing in the dataToSign list. Any idea? Thanks.

Answers

  • @leon.liang

    We see that there is a pattern to the pre-request scripts in the Postman collection: APIs such as get systemId and check caseID, in which we are deriving the information from case references and case identifiers, don't require the query string in the URL to be listed in the dataToSign.

    Let me check this with my team and get back to you with more information on this!

    Regards,

    Mehran Khan

    API Technical Consultant

  • Hi @leon.liang,

    We investigated this, and the only explanation I can think of is a general one, knowing how it works: the optional and varied order of query params would have been a possible cause not to include them in the request signing.

    For example, in requests such as "Get System ID API", we are passing the caseId as part of the query param, so there is no data signing in this scenario, whereas in an API such as "Get the case template" I can see the "Case Template" being data signed when we are hitting the endpoint directly.

    Hope this helps!

    Regards,

    Mehran Khan

    API Technical Consultant

  • Thanks for the help Mehran, really appreciated!

    To be honest, it looks more like a flaw to me, if not a bug, and I see a number of questions raised by the client asking why that particular API request doesn't get processed, only later on finding out the parameter part is included in the dataToSign string. Also, this can be a security issue when part of the message doesn't get hashed.

    Hope this can be properly dealt with, and thanks!
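
The coverage question raised in this thread, as an added example that is not part of the original posts or of the vendor's Postman collection: it builds the signing string in the shape quoted in the question and checks whether a signature made for one caseId still verifies after the query string changes. Assumptions: HMAC-SHA256 with base64 output, the sorted-parameter canonicalisation (a hypothetical way to address the parameter-order concern from the answer), and every host, path, secret and case ID, all of which are constructed placeholders.

```javascript
// Added illustration; host, base path, secret and case IDs are constructed values.
const nodeCrypto = require("node:crypto");

const SECRET = "constructed-api-secret";      // placeholder, not a real credential
const HOST = "api.example.test";              // placeholder for gateway-host
const BASE = "/v1/";                          // placeholder for gateway-url
const DATE = "Tue, 01 Jan 2030 00:00:00 GMT"; // fixed so results are reproducible

// Hypothetical canonical form: sort parameters by name so ordering cannot
// change the signature (the concern raised in the answer above).
function canonicalQuery(query) {
  const params = new URLSearchParams(query);
  params.sort();
  return params.toString();
}

// Signing string in the same shape as the script quoted in the question.
// includeQuery=false reproduces the posted behaviour (path only).
function dataToSign(method, path, query, includeQuery) {
  const target = includeQuery && query ? `${path}?${canonicalQuery(query)}` : path;
  return `(request-target): ${method.toLowerCase()} ${target}\n` +
         `host: ${HOST}\n` +
         `date: ${DATE}`;
}

// Assumption: HMAC-SHA256 over the signing string, base64-encoded.
function sign(data) {
  return nodeCrypto.createHmac("sha256", SECRET).update(data).digest("base64");
}

// Receiver-side check: recompute the signature and compare in constant time.
function verify(method, path, query, includeQuery, signature) {
  const expected = Buffer.from(sign(dataToSign(method, path, query, includeQuery)));
  const given = Buffer.from(signature);
  return expected.length === given.length && nodeCrypto.timingSafeEqual(expected, given);
}

// Does a signature made for one caseId still verify for a different caseId?
function signatureSurvivesQueryChange(includeQuery) {
  const path = BASE + "caseReferences";
  const sig = sign(dataToSign("GET", path, "caseId=case-A", includeQuery));
  return verify("GET", path, "caseId=case-B", includeQuery, sig);
}

console.log("query unsigned, changed caseId verifies:", signatureSurvivesQueryChange(false));
console.log("query signed, changed caseId verifies:", signatureSurvivesQueryChange(true));
```

With the query string left out of the signing string, integrity of caseId rests on the transport (TLS) alone; with it included, any change to the parameter invalidates the signature.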