Pocket API Authorization: Forbidden
I am testing RoR by building a Rails application with Pocket API and I have to authorize a user. For HTTP requests, I am using the https://github.com/rest-client/rest-client library.
First step, getting the request token works fine:
require 'rest_client'
response = RestClient.post 'https://getpocket.com/v3/oauth/request', :consumer_key => @consumer_key, :redirect_uri => @redirect_uri
@code = response.split("=")[1]
But in the second step I get the Bad Request error, which is to get an access token using the request token I got in the previous step:
access_token = RestClient.post 'https://getpocket.com/v3/oauth/authorize', :consumer_key => @consumer_key, :code => @code
400 Bad Request is what I get on the Ruby application error screen. I have also tried the same request with the cURL and POSTMan Chrome extension and the status code I get is the following: 403 Forbidden. The X-Error code I receive is 158, which translates into an X-Error message "User rejects code". on the Pocket API docs: http://getpocket.com/developer/docs/authentication .
Since I have tried several different channels to validate this request and fail each time, I guess the problem is not with the parsing, but that I might be missing an important detail or step (maybe the HTTP request headers?), Thanks for your help in advance!
source to share
It turns out that I (or we) are missing important details:
Whenever you validate your Pocket API request in POSTMan or elsewhere, we naturally skip the process of visiting the authorization URL, which is in the form:
https://getpocket.com/auth/authorize?request_token=YOUR_REQUEST_TOKEN&redirect_uri=YOUR_REDIRECT_URI
Now, even if you may have allowed your app to access your account before, on every call, the Pocket API does not activate the request token before that URL is visited. Only then is your request token activated and can be used for the second stage of authentication. After that, it works great.
As a side note for anyone using the Pocket API in Ruby on Rails, there is a nice wrapper stone for it: https://github.com/turadg/pocket-ruby
source to share
I can confirm that you are indeed missing the HTTP headers, which will cause Pocket Server to reject the submitted request you want to send.
There are several ways to pass headers: sometimes they are passed via codes / tokens associated with a server request (which does not seem to be the case here). You need to use the Authorization header according to your OAuth execution with your initial request.
For some in-depth reading, go here .
I might also suggest trying the OAuth2 gem , which does most of the requests for you - this will probably simplify what you are doing quite a bit !!
source to share