
Invalid nonce when reusing keys between applications #75

Open
pauljherrera opened this issue Dec 19, 2017 · 13 comments

@pauljherrera

Versions

OS:       Windows 10
Python:   3.6.1
krakenex:  2.0.0

What are you trying to achieve?

Retrieving account balance.

# code sample
import krakenex

key = "<API key>"        # placeholder: the reporter's real key/secret are not in the post
secret = "<API secret>"  # placeholder
api = krakenex.API(key=key, secret=secret)
print(api.query_private('Balance'))

What do you expect to happen?

Get a valid response.

What happens instead?

Nonce error.

# error message
{'error': ['EAPI:Invalid nonce']}
@veox
Owner

veox commented Dec 20, 2017

Does the same happen if you load the key from a file (using load_key())?

Are you sure the key/secret are valid? Did you previously use them, especially with a different library?

@pauljherrera
Author

I tested using the load_keys() method and I received the same error.

I also tested the keys introducing them into my coinigy.com account and they worked just fine.

The public queries also work properly. The problem is with the private calls.

@veox
Owner

veox commented Dec 22, 2017

Did you use the same key/secret pair when trying both Coinigy and krakenex?

The former may be using a different nonce scheme - krakenex uses epoch time, multiplied by 1000 (i.e. to milliseconds).

Have you tried a wholly new key/secret?

@pauljherrera
Author

pauljherrera commented Dec 26, 2017

Yes, I used the same key/secret pair in Coinigy and Krakenex. They work with Coinigy, but not with krakenex.

As I am trying to use krakenex for a Hedge Fund account, setting new API keys is a complex process as we use dozens and dozens of API keys. It's simpler for me to learn how to do all the authentication process by myself and write my own wrapper than to ask for new API keys.

Definitely it's a weird behavior, especially if krakenex works with other API keys and Coinigy works with my API keys. If I make it work, I'll notify you.

@pauljherrera
Author

Multiplying time.time() by 1000000 instead of 1000 fixed the problem for my key/secret pair.

@FergusClare

I had the same problem described by @pauljherrera and followed his suggested approach. After doing this, I'm able to retrieve balance info.

Kraken recently refactored their site and it's possible they are requiring a larger nonce # for new API users. I had never used my API for any private requests until this. Thanks @pauljherrera !

@jsgv

jsgv commented Dec 30, 2017

I tried the same suggestion, but it does not make a difference for me. Same error: {'error': ['EAPI:Invalid nonce']}
Also changed the Nonce Window in the API settings.
Not sure if this is an issue with only Kraken. Keep getting 500s (504, 520) every so often.

@FergusClare

@jsgv I failed to include one important piece of information in my prior comment. I updated the krakenex _nonce() to use int(datetime.utcnow().timestamp()*1000000). This also means you need to add the from datetime import datetime statement to the top of the krakenex API file.

I did this because the Kraken servers use UTC time and I believe the nonce errors may be the result of a millisecond value being sent which is lower than the server millisecond nonce. Using UTC along with the 1000000 works consistently now.

Try these updates and let us know if it solves your problem.

@mclean25

mclean25 commented Dec 31, 2017

@FergusClare is this still working for you? I'm still getting the error with your recommended change.

Edit: I created a new key pair and everything works now.

@veox
Owner

veox commented Jan 2, 2018

The nonce that's sent with a request has nothing to do with time. It's a counter. One might just as well use 0, 1, 2, 3... (starting off with a new API key).


> Multiplying time.time() by 1000000 instead of 1000 fixed the problem for my key/secret pair.

This seems to confirm the earlier guess of Coinigy using a different numbering scheme.

Reusing API keys between services is not a good idea in general - precisely for the reason that you're going to get bugs like this one; not getting deeper on security implications.

Therefore closing as "wontfix".


If you'd like to discuss changing the _nonce() to return a value extracted from an "aware" datetime object, please open a new issue.

@veox veox closed this as completed Jan 2, 2018
@veox veox changed the title Invalid nonce Invalid nonce when reusing key between machines Jan 3, 2018
@veox veox changed the title Invalid nonce when reusing key between machines Invalid nonce when reusing keys between applications Jan 3, 2018
@veox
Owner

veox commented Jan 3, 2018

Actually - sorry! - reopening with an edited, more verbose title; so that there's a clear indication of an unsupported use pattern.

The issue would likely be brought up again otherwise.

@veox veox reopened this Jan 3, 2018
@pietrosperoni

I had the same problem.
I was not reusing the API key between different applications but between different computers using the same application. I suspect the problem is that different computers might have their internal clocks slightly off by some milliseconds. And when you use time.time() to define the nonce this might create a problem. Multiplying by a higher number works, but for me it generally worked only one time. What I needed to do was simply wait for a few minutes and never run the code on the two computers at the same time. I suspect this could be fixed by taking the timestamp from Kraken at the beginning, using that to define the difference between the local timestamp and the Kraken timestamp, and adding this delta to the local timestamp when defining the nonce.

@veox
Owner

veox commented Apr 30, 2018

@pietrosperoni That seems to me like an overly-complicated way of dealing with unsynced time, in a scenario where keys are still being reused. (I find this inappropriate from a security perspective also.)

What can be done is _nonce() be renamed to nonce(), basically acknowledging the fact that people want to use their own "noncing" schemes. People can then derive from the class (or replace the function's implementation) to their heart's content. :)
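The thread's failure mode (a key already used with a microsecond-scale nonce rejecting krakenex's millisecond-scale nonce) and the maintainer's suggestion of a user-supplied nonce scheme are both illustrated by the following added example. It is not code from krakenex or from any commenter; `KeyNonceState` is a constructed stand-in for the server-side "nonce must strictly increase per key" rule described in the thread, and `MonotonicNonce` is a hypothetical drop-in for a subclass's `_nonce()` that stays strictly increasing even when the local clock is off or steps backwards. krakenex itself is not imported, so the block runs offline.

```python
import time
import threading


class KeyNonceState:
    """Constructed model of the server-side check described in the thread:
    each API key remembers the highest nonce accepted so far, and a request
    whose nonce is not strictly greater is answered with 'EAPI:Invalid nonce'."""

    def __init__(self):
        self.last_seen = {}  # api_key -> highest nonce accepted so far

    def accept(self, api_key, nonce):
        """Return True if the request would be accepted, False if rejected."""
        if nonce <= self.last_seen.get(api_key, -1):
            return False
        self.last_seen[api_key] = nonce
        return True


# The two time-based schemes mentioned in the thread: krakenex's
# milliseconds and the microsecond variant pauljherrera switched to.
def nonce_ms(now=None):
    return int((time.time() if now is None else now) * 1000)


def nonce_us(now=None):
    return int((time.time() if now is None else now) * 1_000_000)


def demonstrate_key_reuse(server, api_key, now):
    """Replay the bug: another application uses the key with a microsecond
    nonce; a krakenex client with a millisecond nonce arrives a minute later
    and is rejected, because 10^6 * t is ~1000x larger than 10^3 * (t + 60).
    A fresh key (as mclean25 found) is accepted with the millisecond scheme."""
    other_app = server.accept(api_key, nonce_us(now))
    krakenex_later = server.accept(api_key, nonce_ms(now + 60))
    fresh_key = server.accept(api_key + "-new", nonce_ms(now + 60))
    return other_app, krakenex_later, fresh_key


class MonotonicNonce:
    """Hypothetical nonce source for a krakenex.API subclass: millisecond
    epoch time that is forced strictly increasing within the process, so a
    backwards clock step or two calls in the same millisecond never repeat
    or decrease a value. `clock` is injectable for testing."""

    def __init__(self, start=0, clock=time.time):
        self._last = start
        self._clock = clock
        self._lock = threading.Lock()

    def __call__(self):
        with self._lock:
            candidate = int(self._clock() * 1000)
            if candidate <= self._last:
                candidate = self._last + 1
            self._last = candidate
            return candidate


# Assumed shape of the override veox describes (hypothetical; shown as a
# comment because krakenex is not imported in this offline example):
#
#   class MyAPI(krakenex.API):
#       _counter = MonotonicNonce()
#       def _nonce(self):
#           return self._counter()
#
# `start` should be seeded above the highest nonce the key has ever used if
# the key was previously driven by a larger-scale scheme.

if __name__ == "__main__":
    server = KeyNonceState()
    print(demonstrate_key_reuse(server, "KEY", 1_514_000_000.0))
    gen = MonotonicNonce()
    print(gen(), gen(), gen())
```

The simulation makes the thread's observation concrete: once a key's server-side high-water mark has been set by a microsecond-scale nonce, no millisecond-scale client can ever exceed it, which is why only a new key pair (or a seeded counter) recovers. The monotonic generator also covers pietrosperoni's cross-machine clock skew only within one process; two machines sharing one key still race, which is the unsupported pattern the title now names.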
