I'm working on a Delphi REST client for a public API that requires an HMAC256/Base64 signed string to be added to the headers of the request to authenticate. I've spent hours trying to figure out why it's not working, so I compared the raw request from my Delphi client to that of a working C# library (using Wireshark).

It turns out my request matches perfectly the request generated by the working C# library, except that Delphi's REST client is URL-encoding the values added to the request's header, therefore invalidating the carefully crafted signature.

This is how I'm adding the signature string to the header:

RESTRequest1.Params.AddHeader('SIGNATURE', FSignature);

The signature string may have slashes, plus signs, and/or equal signs that are being URL-encoded when they shouldn't. For example when the value of the signature string is...

FSignature = '8A1BgACL9kB6P/kXuPdm99s05whfkrOUnEziEtU+0OY=';

...then the request should output raw headers like...

GET /resource HTTP/1.1
User-Agent: Embarcadero URI Client/1.0
Connection: Keep-Alive
<snip>
SIGNATURE: 8A1BgACL9kB6P/kXuPdm99s05whfkrOUnEziEtU+0OY=
<snip>

...but instead Wireshark shows this as the real value being sent...

SIGNATURE: 8A1BgACL9kB6P%2FkXuPdm99s05whfkrOUnEziEtU%2B0OY%3D

Is there a way to prevent the URL-encoding of values when using AddHeader? Or maybe another way to add raw headers to a TRESTClient request?

PS: I already tried both TRESTRequest.Params.AddHeader and TRESTClient.AddParameter with TRESTRequestParameterKind.pkHTTPHEADER as the Kind parameter. Both resulted in URL-encoded values.

PS2: Using Delphi RAD Studio 10.3.

  • Did you try to set the Options property of the parameter to include ptDoNotEncode? Commented Apr 22, 2021 at 6:16
  • @R.Hoek Yes! That's what was missing. I couldn't find a way to add poDoNotEncode to TRESTRequest.Params.AddHeader but I was able to add it as a third parameter in TRESTClient.AddParameter. I'll gladly mark this as the answer if you post it below. Thanks! Commented Apr 22, 2021 at 6:27

1 Answer

You should include poDoNotEncode in the Options property of the TRESTRequestParameter.

This can be done using:

RESTClient1.AddParameter('SIGNATURE', FSignature, pkHTTPHEADER, [poDoNotEncode]);

or by using:

RESTClient1.Params.AddHeader('SIGNATURE', FSignature).Options := [poDoNotEncode];
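
Why the URL-encoded header is rejected on the receiving side, as an added example (not code from the question, the answer, or the API involved). It assumes the server strictly Base64-decodes the SIGNATURE header and compares it with its own HMAC-SHA256; the key, the string to sign and all function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import quote

# Signature value quoted in the question.
PAGE_SIGNATURE = "8A1BgACL9kB6P/kXuPdm99s05whfkrOUnEziEtU+0OY="

# Constructed sample inputs: the real API's key and string to sign are not on the page.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_STRING_TO_SIGN = b"GET\n/resource\n1619072160"


def sign(key: bytes, string_to_sign: bytes) -> str:
    """Client side: HMAC-SHA256 over the string to sign, Base64 encoded."""
    mac = hmac.new(key, string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def url_encode(header_value: str) -> str:
    """What the REST client does to the header when poDoNotEncode is not set."""
    return quote(header_value, safe="")


def verify(key: bytes, string_to_sign: bytes, header_value: str) -> bool:
    """Server side (assumed): strict Base64 decode, then constant-time compare."""
    try:
        received = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return False  # '%' is not in the Base64 alphabet, so encoded values stop here
    expected = hmac.new(key, string_to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    raw = sign(SAMPLE_KEY, SAMPLE_STRING_TO_SIGN)
    return {
        "page_value_encoded": url_encode(PAGE_SIGNATURE),
        "raw_accepted": verify(SAMPLE_KEY, SAMPLE_STRING_TO_SIGN, raw),
        "encoded_accepted": verify(SAMPLE_KEY, SAMPLE_STRING_TO_SIGN, url_encode(raw)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A Base64 digest of a 32-byte HMAC-SHA256 always ends in `=`, so every signature is altered by the encoding, not only those containing `/` or `+`.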