OAuth nonce value

Question

I am working with the FatSecret REST API

Im using the OAuthSimple javascript library to generate the signed url. Here's the code I have -

    params['oauth_timestamp'] = Math.floor(new Date().getTime()/1000);
    params['oauth_nonce'] = '1234';
    params['oauth_version'] = '1.0';

    var paramStr = '';
    for(var key in params){
        paramStr += key+"="+params[key]+"&";
    }    
    paramStr = paramStr.substring(0,paramStr.length-1);

    var oauth = OAuthSimple();
    oauth.setAction('GET');
    var o = oauth.sign(
            {
             path:this.requestURL,
             parameters: paramStr,
             signatures:{
                api_key:this.apiKey,
                shared_secret:this.sharedSecret,
                access_token: this.accessToken,
                access_secret: this.accessSecret
             }
            });
    console.log(o.signed_url);
    return o.signed_url;

params is an associative array containing all the non oauth related parameters for this call. When I use this signed url I get an "invalid/used nonce"

The OAuth Testing Tool uses the same OAuthSimple library and if I put in all the same parameters (including the timestamp) it generates exactly the same url.

The only difference is that the url generated by the testing tool works and gives me the full response from the server. The url generated by my code does't.

I tried various nonce values including sending a MD5 of the timestamp but I get the same error. The reason I'm using 1234 right now is that the testing tool uses 1234 by default and that seems to work.

Any help is appreciated. Thanks in advance.

Answer 1

Updating @Saravanan's answer with something that works on current browsers:

function genNonce() {
    const charset = '0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._~'
    const result = [];
    window.crypto.getRandomValues(new Uint8Array(32)).forEach(c =>
        result.push(charset[c % charset.length]));
    return result.join('');
}

console.info(genNonce());

Answer 2

The nonce value as per twitter documentation:

The value for this request was generated by base64 encoding 32 bytes of random data, and stripping out all non-word characters, but any approach which produces a relatively random alphanumeric string should be OK here.

Based on the above notes, I use the following javascript code to generate nonce value each time I send a request:

var nonceLen = 32;
return crypto.randomBytes(Math.ceil(nonceLen * 3 / 4))
    .toString('base64')   // convert to base64 format
    .slice(0, nonceLen)        // return required number of characters
    .replace(/\+/g, '0')  // replace '+' with '0'
    .replace(/\//g, '0'); // replace '/' with '0'

Try this if it works!