I'm trying to write a nice auth helper for kraken. I want it to be as automatic as possible, so it needs to:
- add a nonce (
time.time()*1000) to the POST body - calculate a signature over the POST body
- put the signature into the headers
I wrote the obvious code based on this answer:
class KrakenAuth(AuthBase):
"""a requests-module-compatible auth module for kraken.com"""
def __init__(self, key, secret):
self.api_key = key
self.secret_key = secret
def __call__(self, request):
#print("Auth got a %r" % type(request))
nonce = int(1000*time.time())
request.data = getattr(request, 'data', {})
request.data['nonce'] = nonce
request.prepare()
message = request.path_url + hashlib.sha256(str(nonce) + request.body).digest()
hmac_key = base64.b64decode(self.secret_key)
signature = hmac.new(hmac_key, message, hashlib.sha512).digest()
signature = base64.b64encode(signature)
request.headers.update({
'API-Key': self.api_key,
'API-Sign': signature
})
return request
and them I'm calling it (from a wrapper method on another object) like:
def _request(self, method, url, **kwargs):
if not self._auth:
self._auth = KrakenAuth(key, secret)
if 'auth' not in kwargs:
kwargs['auth'] = self._auth
return self._session.request(method, URL + url, **kwargs)
...but it doesn't work. The commented-out print() statement shows that it's getting a PreparedRequest object not a Request object, and thus the call to request.prepare() is a call to PreparedRequest.prepare does nothing useful because there's no request.data because it's already been converted into a body attribute.
You can't access the
dataattribute of the request, because the authentication object is applied to arequests.PreparedRequest()instance, which has no.dataattribute.The normal flow for a
Session.request()call (used by all therequest.<method>andsession.<method>calls), is as follows:Request()instance is created with all the same arguments as the original callSession.prepare_request(), which merges in session-stored base values with the arguments of the original call first, thenPreparedRequest()instance is createdPreparedRequest.prepare()method is called on that prepared request instance, passing in the merged data from theRequestinstance and the session.prepare()method calls the variousself.prepare_*methods, includingPreparedRequest.prepare_auth().PreparedRequest.prepare_auth()callsauth(self)to give the authentication object a chance to attach information to the request.Unfortunately for you, at no point during this flow will the original
datamapping be available to anyone else butPreparedRequest.prepare()andPreparedRequest.prepare_body(), and in those methods the mapping is a local variable. You can't access it from the authentication object.Your options are then:
To decode the body again, and call
prepare_body()with the updated mapping.To not use an authentication object, but use the other path from my answer; to explicitly create a prepared request and manipulate
datafirst.To play merry hell with the Python stack and extract locals from the
prepare()method that is two frames up. I really can't recommend this path.To keep the authentication method encapsulated nicely, I'd go with decoding / re-encoding; the latter is simple enough by reusing
PreparedRequest.prepare_body():