Authentication

const crypto = require('crypto')
const request = require('request-promise')

const makeRequest = (
  apiKey,
  apiSecret,
  passphrase,
  host,
  route,
  method,
  body
) => {
  // CREATE SIGNATURE
  const timestamp = Math.round(Date.now() / 1000)
  const payload = timestamp + method + route + JSON.stringify(body)
  const decodedSecret = Buffer.from(apiSecret, 'base64')
  const hmac = crypto.createHmac('sha256', decodedSecret)
  // Don't forget to base 64 encode your digest
  const signedPayload = hmac.update(payload).digest('base64')

  // SET HEADERS
  const headers = {
    'X-NDAX-API-KEY': apiKey,
    'X-NDAX-SIGNED': signedPayload,
    'X-NDAX-TIMESTAMP': timestamp,
    'X-NDAX-PASSPHRASE': passphrase
  }

  const derivedMethod = {
    POST: 'post',
    PUT: 'put',
    GET: 'get'
  }[method]

  const options = {
    headers,
    body,
    json: true
  }

  return request[derivedMethod](`https://${host}${route}`, options)
}

The makeRequest function above makes HTTP requests to a server, using the request-promise module to make the actual HTTP requests and the crypto module to create an HMAC (hash-based message authentication code) that signs the request payload.

The HMAC is used to authenticate the request by proving that it was sent by someone in possession of the API secret. The server can verify the authenticity of the request by recomputing the HMAC using the API secret it has on file and comparing it to the one provided in the request headers. If the two HMACs match, the server can trust that the request was sent by someone in possession of the API secret, and therefore authenticated.

The makeRequest function takes several arguments:

  • apiKey: This is the API key that identifies the client making the request.

  • apiSecret: This is the secret used to create the HMAC. It is base64-encoded in the code, but it needs to be decoded before it can be used to create the HMAC.

  • passphrase: This is another form of authentication that the server may use to verify the authenticity of the request.

  • host: The hostname of the server to which the request should be sent.

  • route: The route on the server to which the request should be sent (e.g., '/orders').

  • method: The HTTP method of the request (e.g., 'POST', 'GET').

  • body: The request payload.

The function first computes the HMAC by concatenating the current timestamp, the HTTP method, the route, and the request payload, and then using the crypto.createHmac method to create an HMAC of that concatenated string using the decoded API secret as the key. It then sets the appropriate headers for the request, including the API key, the signed payload (i.e., the HMAC), the timestamp, and the passphrase. Finally, it makes the request using the request-promise module and returns the server's response.

Example Headers

{
  "X-NDAX-API-KEY": "h2yFu1uijCDEqkbdop4GAF",
  "X-NDAX-SIGNED": "PFMlg+bMFVjjAiGPLR/zJCStmiiOIeyz5NIOZEmpfH0=",
  "X-NDAX-TIMESTAMP": 1550175822,
  "X-NDAX-PASSPHRASE": "passphrase"
}

NDAX uses HMAC SHA-256 verification to ensure the authenticity of every API request.

To authenticate with us, you will need to set the following headers:

| Header | Description |
| --- | --- |
| X-NDAX-API-KEY | Your public key |
| X-NDAX-SIGNED | Signature for your request |
| X-NDAX-TIMESTAMP | Unix timestamp |
| X-NDAX-PASSPHRASE | Your passphrase |

"X-NDAX-TIMESTAMP" must be the number of seconds since the Unix Epoch.

To sign your request:

  1. Concatenate timestamp + method + route + request body

    Example: 1549468233POST/orders{"client_order_id":"abcdefg","instrument_code":"COSP:BTC/e₹","market_code":"DNSE","order_type":"limit","price":"3780","quantity":"10","side":"buy"}

  2. Generate an HMAC digest using your private key (using HMAC SHA-256).

    Example: Private Key = 6d58e38275388977aa8ef2091d5d4814be9db7a9b345d8c328ef5a31bfd666a0

  3. Encode the HMAC digest in Base64.

    NmQ1OGUzODI3NTM4ODk3N2FhOGVmMjA5MWQ1ZDQ4MTRiZTlkYjdhOWIzNDVkOGMzMjhlZjVhMzFiZmQ2NjZhMA==
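The server-side check described earlier (recompute the HMAC from the signed fields, then compare it with X-NDAX-SIGNED), sketched as an added example; this is not NDAX's code. The verify function, its return strings and the 30-second maxSkewSeconds window are assumptions, and the sample secret is the Base64 string printed under step 3, which decodes to the text of the step 2 key.

```javascript
const crypto = require('crypto')

// Base64 string printed under step 3 of the page; it decodes to the text of
// the step 2 example key, so it serves here as a sample apiSecret.
const SAMPLE_SECRET_B64 =
  'NmQ1OGUzODI3NTM4ODk3N2FhOGVmMjA5MWQ1ZDQ4MTRiZTlkYjdhOWIzNDVkOGMzMjhlZjVhMzFiZmQ2NjZhMA=='

// Client side: the same recipe as makeRequest
// (timestamp + method + route + JSON body, keyed with the decoded secret).
const sign = (secretB64, timestamp, method, route, body) =>
  crypto
    .createHmac('sha256', Buffer.from(secretB64, 'base64'))
    .update(timestamp + method + route + JSON.stringify(body))
    .digest('base64')

// Verifier side (hypothetical): recompute the digest and compare it in
// constant time. maxSkewSeconds is an assumed replay window, not an NDAX value.
const verify = (secretB64, headers, method, route, body, nowSeconds, maxSkewSeconds = 30) => {
  const timestamp = Number(headers['X-NDAX-TIMESTAMP'])
  if (!Number.isInteger(timestamp)) return 'bad-timestamp'
  if (Math.abs(nowSeconds - timestamp) > maxSkewSeconds) return 'stale'

  const expected = Buffer.from(sign(secretB64, timestamp, method, route, body), 'base64')
  const provided = Buffer.from(String(headers['X-NDAX-SIGNED'] || ''), 'base64')
  // timingSafeEqual throws when lengths differ, so reject those first.
  if (provided.length !== expected.length) return 'bad-signature'
  return crypto.timingSafeEqual(provided, expected) ? 'ok' : 'bad-signature'
}

// Constructed request, signed and then checked five seconds later.
const demo = () => {
  const body = { client_order_id: 'abcdefg', side: 'buy' }
  const timestamp = 1549468233
  const headers = {
    'X-NDAX-SIGNED': sign(SAMPLE_SECRET_B64, timestamp, 'POST', '/orders', body),
    'X-NDAX-TIMESTAMP': timestamp
  }
  return verify(SAMPLE_SECRET_B64, headers, 'POST', '/orders', body, timestamp + 5)
}
console.log(demo())
```

The signature covers JSON.stringify(body), so a verifier has to serialize the body exactly as the client did (same key order and spacing). For a call without a body, makeRequest as written signs the literal text undefined in place of the body.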
