Gigya - socialize.shortenURL - Android


I am trying to make use of socialize.shortenURL from Gigya's Android SDK (ver: 3.3.0).

Here's an example of what I'm trying to do:

GSObject params = new GSObject();
params.put("url", url);
GSAPI.getInstance().sendRequest("socialize.shortenURL", 
    params, 
    new GSResponseListener() {
        @Override
        public void onGSResponse(String s, GSResponse r, Object o) {
            // Do something with the returned url...
        }
    }, 
    null);

The problem is that I'm always getting the following response from Gigya:

{
    "callId": "XXXXXXXXXXXXXXXXXX",
    "errorCode": 400002,
    "errorDetails": "Missing required parameter: No secret or signature were provided. Request could not be verified.",
    "errorMessage": "Missing required parameter",
    "statusCode": 400,
    "statusReason": "Bad Request",
    "time": "XXXXXXXXXXXXXXXXXX"
}

My question is: do I really need to create the signature for this request "manually"?

I really want to avoid using the secret key on Android clients for security reasons.

I'm making similar requests against other endpoints listed in the REST API without any problems and without having to use my secret key. (I understand that the SDK is creating the signature for me; I just do not understand why this is not happening for socialize.shortenURL.)


Solution

  • There are some Gigya REST API calls which are only available from a server-side context; socialize.shortenURL is one of them. This means you cannot invoke the REST API endpoint through any of the client-side SDKs (Android / iOS / etc.) directly or you will experience the error demonstrated in your question.

    You should not attempt to perform the signing of a request or any operation that requires including your Gigya partner secret inside your Android application, as this is not secure and could unintentionally expose your partner secret key.

    For REST endpoints like this one, Gigya typically recommends that you proxy the REST API call through a server implementation instead. This server-side implementation would be invoked through your mobile application, invoke the REST endpoint directly on the server side and then proxy the information back to your mobile application.
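
The proxy pattern described in the answer, sketched as an added example (not code from the original post or from Gigya): a server-side handler that adds the partner secret, restricts which URLs may be shortened, and returns only the short URL to the app. The endpoint URL, the `apiKey`/`secret`/`url` parameter names, the `shortURL` response field, the environment variable names and the allowed host are assumptions to check against Gigya's REST documentation; the handler also assumes the caller was already authenticated by your web framework.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed endpoint and parameter names; confirm against Gigya's REST docs.
GIGYA_ENDPOINT = "https://socialize.gigya.com/socialize.shortenURL"
ALLOWED_HOSTS = {"www.example.com"}  # hypothetical: hosts your app may shorten


def validate_target(url):
    """Accept only https links to our own hosts, so the proxy is not an open relay."""
    try:
        parts = urllib.parse.urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def build_gigya_body(url, api_key, secret):
    """Form body sent server-to-server; the secret is added only here."""
    fields = {"apiKey": api_key, "secret": secret, "url": url}
    return urllib.parse.urlencode(fields).encode()


def post_to_gigya(body):
    """Real network call, kept separate so the handler can be tested offline."""
    req = urllib.request.Request(GIGYA_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle_shorten(client_json, send=post_to_gigya, env=os.environ):
    """Proxy handler: takes the app's JSON request, returns (status, reply)."""
    try:
        url = json.loads(client_json)["url"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "bad request"}
    if not isinstance(url, str) or not validate_target(url):
        return 400, {"error": "url not allowed"}
    # The secret lives in server configuration, never in the mobile app.
    body = build_gigya_body(url, env["GIGYA_API_KEY"], env["GIGYA_SECRET"])
    reply = send(body)
    if reply.get("errorCode", 0) != 0:
        # Log the Gigya error server-side; do not echo it to the client.
        return 502, {"error": "upstream error"}
    # Forward only the field the app needs.
    return 200, {"shortURL": reply.get("shortURL")}
```

The Android app then calls this handler over HTTPS with its normal session credentials instead of calling `socialize.shortenURL` through the SDK.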