Hashnest API

Categories Mining Discussions Cloud Mining

kapp 2015-03-26 22:31:25 UTC #1

I tried saving this as a .php file and uploading it to a webhost that supports .php and got nothing. Do you guys mind looking it over for me?

html
head
titlePHP Test*/title*
/head
body
<?php
$secret="daFsnQNdKXXXXXXXXS8ORTZex";
$api="R1zuvCTHXXXXXXXeJbYF8U5DXZ";
$user="saXXXXXXX@ail.com";

$d="currency_markets/order_history";
$nonce = round(microtime(true)100).round(microtime(true)100);
$message= $nonce.$user.$api;
$sig = hash_hmac('sha256', $message, $secret);
$URL="https://www.hashnest.com/api/v1/".$d."?access_key=".$api."&nonce=".$nonce."&signature=".$sig."¤cy_market_id=19&category=sale";
$result = array();
$ch = curl_init($URL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, "");
$result = json_decode(curl_exec($ch));
curl_close($ch);
print_r(json_decode($result));
$s5sale=$result["0"]->ppc;
?>
/body
/html

paulc010 2015-03-26 22:39:23 UTC #2

Did you activate your API key via email?

Daffy 2015-03-26 22:43:20 UTC #3

Where did you get that code?

bitstoned 2015-03-26 23:04:24 UTC #4

my PHP's a little rusty, but try this:

<?php
error_reporting(E_ALL);
$secret   = "daFsnQNdKXXXXXXXXS8ORTZex";
$api      = "R1zuvCTHXXXXXXXeJbYF8U5DXZ";
$user     = "saXXXXXXX@ail.com";
$d        = "currency_markets/order_history";
$nonce    = round(microtime(true), 100).round(microtime(true), 100);
$message  = $nonce . $user . $api;
$sig      = hash_hmac('sha256', $message, $secret);
$URL      = "https://www.hashnest.com/api/v1/" . $d .
            "?access_key=" . $api .
            "&nonce=" . $nonce .
            "&signature=" . $sig .
            "¤cy_market_id=19&category=sale";
$result   = array();
$ch       = curl_init($URL); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
$result = curl_exec($ch); 
curl_close($ch);
print_r(json_decode($result));

all i've done there is tidy up a bit and put a couple commas between the arguments in your calls to round()
(i also added error_reporting(E_ALL), but depending on your host's configuration, it may not have any effect)

[edit: ~~changed to a GET request as per @Daffy's comments~~; removed redundant json_decode() call]

Daffy 2015-03-26 23:08:19 UTC #5

From what I know of these kinds of API the parameters should not be in the URL but should be in the POSTFIELDS I can't seem to find the API docs right now.

Never mind I found the API docs and it seems to be correct. Now it could be possible that the webserver does not allow requests to external resources but the error messages should indicate that.

Daffy 2015-03-26 23:14:09 UTC #6

$result = json_decode(curl_exec($ch)); 
curl_close($ch);
print_r(json_decode($result));

There are 2 json_decodes there there should only be one.

$result = json_decode(curl_exec($ch)); 
curl_close($ch);
print_r($result);

Daffy 2015-03-26 23:15:10 UTC #7

Well I just found the docs and it needs to be POST. Sorry about that they really don't want to do it the regular way do they.

https://www.hashnest.com/hashnest_api

bitstoned 2015-03-26 23:16:33 UTC #8

that's awfully awkward. it wanted me to create an account in order to read their docs, so i'm flying blind

Daffy 2015-03-26 23:18:03 UTC #9

Yeah you need an account to access the docs.

paulc010 2015-03-26 23:19:52 UTC #10

If a request is non-idempotent then a POST is the way to go.

I'm also wondering if the PECL extension supporting hash_hmac() is installed. White screen is an error. Personally I would check the error log (as I always have error reporting disabled).

EDIT: Tried activating my API key to test it out and....... no email received as of yet.....

bitstoned 2015-03-26 23:21:57 UTC #11

the awkward part is that it's a POST request with sensitive credentials crammed into the query string

paulc010 2015-03-26 23:24:48 UTC #12

Well technically even if the parameters were in the request body they would still be visible if intercepted. In both cases using SSL will encrypt the data sent.

Daffy 2015-03-26 23:26:46 UTC #13

Not really the secret key is not in there and the username is sha256 encoded. So no real harm done. but usually these things are POST vars instead of GET vars.

Daffy 2015-03-26 23:27:19 UTC #14

Quoted from the docs.

For example: To obtain all opened markets URL:

https://www.hashnest.com/api/v1/currency_markets?access_key=PZMhwXRx75mNqGhl430mLUhqODzyhQSf1bAiB4Tf&nonce=1416974538344337&signature=e1e0051e8fe8aa681ca465567567aaff231f56db54d3d3fb7f49cbf17871097e

And the specifics for this API call.

HTTP METHOD: POST
HTTP URL: https://www.hashnest.com/api/v1/currency_markets/order_history
Param:
access_key: (details see the verification method）
nonce: (details see the verification method）
signature: (details see the verification method）
category: (entrust type eg: [sale|purchase])
currency_market_id: (Market ID)

bitstoned 2015-03-27 00:58:04 UTC #15

personally, i consider it bad form for them to assume that since SHA256 is secure today, it will still be secure tomorrow. (that applies infinitely more so to TLS tbh.) additionally, it's quite probable that the API server is full of logs containing those query strings. what i'm driving at is that such a design doesn't necessarily create a warm fuzzy feeling, and better designs are but a stone's throw away

anyway, shrug

good luck with your script, @kken

Daffy 2015-03-27 01:00:15 UTC #16

I agree with you. It's fairly simple to move those to POST vars and be done with it on the backend. The Antpool API uses POST vars.

paulc010 2015-03-27 09:35:41 UTC #17

Getting anything completely secure while also functional is a challenge. With Hashnest you can also lock down API calls from a set of IP addresses so it's reasonably secure to be honest. As with all things - if the risk outweighs the benefits, then it's best to leave it disabled.

kapp 2015-03-27 13:17:53 UTC #18

Thanks everyone for all your help! The API might be down right now but I just wanted to see if I could get the HashNest market data to display on a webpage so I could use the (live) data in google sheets.

I'm using this free webhost that says they support php and curl - http://www.000webhost.com/

kapp 2015-03-27 13:19:20 UTC #19

I just made a dummy HashNest account to use for the API since I just want the market data and don't need it for trading or anything...

bitstoned 2015-03-27 15:46:22 UTC #20

If you want a little more flexibility, control, and privacy: you may like http://www.easyphp.org/ (for Windows)