Any Good Resources using the Crypto library?

In my endeavor to pull virtually every retail API that exists, I've learned A LOT about how APIs function. Thanks to Xano, I've finally had the building blocks to learn more about how security works with APIs, such as generating tokens for calls, how Base64 encoding works, etc.

What I'm up against now with some of the biggest APIs is generating signatures using SHA-256. I've been trying to learn everything I can about them, but what would be most valuable is to see examples of them being executed on Xano. Does anything like this exist? I've seen the documentation for Lambdas but right now what is available seems very surface.

I'd love to see an example of how something is using, for example, the Crypto library just to get a better understanding of how it functions.

Does anything like this exist?

Comments

  • Ray Deck, Trusted Xano Expert
    There are articles on the interwebs about using the Node crypto library for various API tasks. Xano just surfaces that library in the lambda. So a more straightforward Google search might profit.
  • Unknown
    Is there any reason you are looking to implement this via Lambda instead of the no-code way using the security functions or security filters in Xano?

    In my personal experience I was able to implement some of the most commonly found signature generation using this method and I find the docs articles and videos from Xano to be quite helpful in explaining these features and how to use them.

    For example, to generate a SHA256 encrypted signature, you can use the HMAC-SHA256 filter (https://docs.xano.com/working-with-data/data-type-filters/crypto-filters).
  • Sean Montgomery, Administrator
    Agreed. The Xano filters are pretty robust. Digital signatures, raw encryption, JWS, and JWE tokens. That should cover a lot of use cases.
  • Brandon Hassler
    I would absolutely prefer to implement this the "nocode" way by controlling all of the building blocks. The reason I brought up Lambda is it seems with AWS specifically there is a lot of documentation on the web involving scripts that you can essentially dump into your code environment and the heavy lifting is done. Granted these articles are written by developers who are writing code from scratch so it's likely still easier to just use the built-in building blocks on Xano.

    In my specific case, I'm trying to figure out how to implement a signature creation for Amazon's Product API.
    POST / HTTP/1.1
    host: webservices.amazon.com
    content-type: application/json; charset=utf-8
    content-encoding: amz-1.0
    x-amz-date: 20160925T120000Z
    x-amz-target: com.amazon.paapi5.v1.ProductAdvertisingAPIv1.SearchItems
    Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=&5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7;

    That last bolded part of the Authorization header is what I need to generate, and unlike other signatures I've done where I'm simply mashing a couple inputs together in a single step (such as Base64 encoding), that signature is the result of several steps.

    Here's where my problem lies, and it's ultimately why I'd love to see other complex implementations of signatures being created using Xano:

    Amazon's documentation of creating this signature seems very thorough and they break down the 4 major steps (really it's 3 steps because Step 4 is just slapping the signature into your request header).

    Amazon isn't writing this documentation with Xano in mind, they are writing this for developers who are basically writing code from scratch. So as someone who is new to this type of hashing/encoding, I don't know how much of these steps are already "solved" by Xano's easy-to-use filters and what would be me trying to reinvent the wheel. Does that make sense? Hence why I feel like if I saw some examples either through step by step documentation or even a video example of this style of signature creation (even if it had nothing to do with Amazon) I feel like that would be enough for me to look back at Amazon's documentation and say "ah ha! THAT is the part that Xano's filter already takes care of."

    Many of the small "ingredients" of this AWS4-HMAC-SHA256 signature I either have or know how to generate such as timestamps (thanks to Xano's awesome documentation on this). I just need to visualize that final step of piecing it all together!
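
The multi-step signature discussed in this thread (canonical request, string to sign, derived signing key, final HMAC), written with the Node crypto module that the thread says Xano surfaces in Lambdas. This is an added example, not code from any poster, Xano or Amazon; the function names are hypothetical, and the region, service name, secret key and payload in the demo call are assumed placeholder values.

```javascript
const crypto = require('crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();

// Step 1: canonical request. `query` must already be URI-encoded and sorted.
function canonicalRequest({ method, path, query, headers, payload }) {
  const lower = Object.fromEntries(Object.entries(headers).map(
    ([k, v]) => [k.toLowerCase(), String(v).trim().replace(/\s+/g, ' ')]));
  const names = Object.keys(lower).sort();
  const canonicalHeaders = names.map((n) => `${n}:${lower[n]}\n`).join('');
  const signedHeaders = names.join(';');
  const text = [method, path, query, canonicalHeaders, signedHeaders,
    sha256Hex(payload)].join('\n');
  return { text, signedHeaders };
}

// Step 2: string to sign = algorithm, timestamp, scope, hash of step 1.
function stringToSign(amzDate, scope, canonicalText) {
  return ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalText)].join('\n');
}

// Step 3a: the signing key is a chain of HMACs, each keyed by the previous one.
function signingKey(secretKey, dateStamp, region, service) {
  const kDate = hmac('AWS4' + secretKey, dateStamp);
  return hmac(hmac(hmac(kDate, region), service), 'aws4_request');
}

// Step 3b + 4: sign, then assemble the Authorization header value.
function signRequest(req, creds) {
  const dateStamp = req.amzDate.slice(0, 8); // YYYYMMDD part of x-amz-date
  const scope = `${dateStamp}/${creds.region}/${creds.service}/aws4_request`;
  const { text, signedHeaders } = canonicalRequest(req);
  const key = signingKey(creds.secretKey, dateStamp, creds.region, creds.service);
  const signature = hmac(key, stringToSign(req.amzDate, scope, text)).toString('hex');
  const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKey}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { canonicalHash: sha256Hex(text), signature, authorization };
}

// Demo using the request shape from the post; payload and credentials are constructed.
const demo = signRequest({
  method: 'POST', path: '/', query: '', amzDate: '20160925T120000Z',
  payload: JSON.stringify({ Keywords: 'example' }),
  headers: { 'content-type': 'application/json; charset=utf-8',
    host: 'webservices.amazon.com', 'x-amz-date': '20160925T120000Z',
    'x-amz-target': 'com.amazon.paapi5.v1.ProductAdvertisingAPIv1.SearchItems' },
}, { accessKey: 'AKIAIOSFODNN7EXAMPLE', secretKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY',
  region: 'us-east-1', service: 'ProductAdvertisingAPI' }); // assumed region/service
console.log(demo.authorization);
```

Only the two hash primitives come from a library here; the canonicalization and the key-derivation chain are the parts a single HMAC-SHA256 call does not do for you.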