aws-sign-web's People

Contributors

danieljoos, dougdomeny, jamey-taylor, kibrahimcmu

aws-sign-web's Issues

npm hasn't consumed the last hotfix

It seems npm hasn't consumed the last hotfix because the version was not bumped when the hotfix was merged.
Can we change the version from 1.5.0 to 1.5.1 so it can be in npm? Thanks!

incorrect signature with empty POST request

When doing a POST request with no body, e.g.

axios.post('/someurl')

The generated signature is rejected by AWS (API Gateway in the test I ran). I can work around the issue by adding an empty object as the second parameter to post.

axios.post('/someurl', {})

Using the `params` field of `AxiosRequestConfig` crashes the new multi-value query param code

In

if (typeof(ws.request.params) === 'object') {
    extend(ws.uri.queryParams, ws.request.params);
}

ws.uri.queryParams is parsed from the URI by

function extractQueryParams(search) {
    return /^\??(.*)$/.exec(search)[1].split('&').reduce(function (result, arg) {
        arg = /^(.+)=(.*)$/.exec(arg);
        if (arg) {
            var paramKey = decodeURI(arg[1]);
            result[paramKey] = (
                (typeof result[paramKey] != 'undefined' && result[paramKey] instanceof Array)
                    ? result[paramKey]
                    : []
            ).concat(decodeURI(arg[2]));
        }
        return result;
    }, {});
}

into an object whose values are arrays, and so if ws.request.params is empty, then in

flatten(Object.keys(ws.uri.queryParams).sort().map(function (key) {
    return ws.uri.queryParams[key].sort().map(function(val) {
        return encodeURIComponent(key) + '=' + encodeURIComponent(val);
    })

the assumption that ws.uri.queryParams[key] has a sort method is valid.

However, ws.request.params has not undergone any kind of sanitization and can have non-array values, which crashes the above code.

I ran into this problem when attempting to use config.params during a GET request and I have no idea how no one else has run into this! Right now I'm working around this using a custom interceptor in my axios code, which moves config.params into the URI:

client.interceptors.request.use((config) => {
  if (config.params !== undefined) {
    config.url = client.getUri(config);
    config.params = undefined;
  }
  return config;
});

However, I think that to properly address the issue we'd need to either make that signing code handle the non-array case, or sanitize ws.request.params before running extend, by turning its non-array values into arrays.

buildCanonicalRequest fails when using query params

buildCanonicalRequest doesn't appear to work when query params are specified in the request. For example

signer.sign({
  method: 'GET',
  url: '/someurl',
  params: { myId: 'abc' }
});

This line breaks because ws.uri.queryParams[key] is a string and doesn't have sort(). It looks like this assumes the param values are always arrays. That's true if they came from SimpleQueryParser but normal params (merged with extend in prepare) are just strings/numbers.

I tried working around this by adding my own interceptor to wrap all my params in arrays, but that doesn't work because Axios then appends [] to the key names.
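The two reports above describe the same crash: values merged in from `params` are not arrays. The sketch below is an added example, not aws-sign-web's own code, showing one way to normalize them before building the canonical query string. The helper names are hypothetical, and it assumes that null/undefined values are not sent and that `params` values are appended to (not substituted for) values already in the URL.

```javascript
// Added example: hypothetical helpers, not aws-sign-web's own code.

// Coerce one params value into an array of strings.
// Assumption: null/undefined values are dropped rather than signed.
function toValueArray(value) {
  if (value === null || value === undefined) return [];
  return (Array.isArray(value) ? value : [value]).map(String);
}

// Merge URI-parsed params (values already arrays) with request params
// (values may be strings, numbers or arrays) without losing either side.
function mergeQueryParams(uriParams, requestParams) {
  const merged = Object.create(null); // no prototype keys to collide with
  for (const source of [uriParams || {}, requestParams || {}]) {
    for (const key of Object.keys(source)) {
      merged[key] = (merged[key] || []).concat(toValueArray(source[key]));
    }
  }
  return merged;
}

// Build the sorted key=value string used in the canonical request.
function canonicalQueryString(params) {
  return Object.keys(params).sort().flatMap(function (key) {
    // slice() so sorting does not mutate the caller's arrays
    return params[key].slice().sort().map(function (val) {
      return encodeURIComponent(key) + '=' + encodeURIComponent(val);
    });
  }).join('&');
}

// Constructed sample input mirroring the failing call in the reports.
const fromUri = { tag: ['b', 'a'] };
const fromConfig = { myId: 'abc', page: 2, tag: 'c', skip: undefined };
console.log(canonicalQueryString(mergeQueryParams(fromUri, fromConfig)));
```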

how to include this lib

Hi,
I am new to the browser world, so excuse me if this sounds naive. I am trying to use this lib on the browser side to generate AWS SigV4, but stumbled at the first block.

I have included the files in HTML as -

<script src="./crypto-js/index.js"></script>
<script src="./crypto-js/sha256.js"></script>
<script src="./crypto-js/hmac-sha256.js"></script>
<script src="./aws-sign-web/aws-sign-web.js"></script>

This throws multiple errors such as -

sha256.js:19 Uncaught TypeError: Cannot read property 'lib' of undefined
at sha256.js:19
at sha256.js:194
at sha256.js:12
at sha256.js:14

hmac-sha256.js:16 Uncaught TypeError: Cannot read property 'HmacSHA256' of undefined
at hmac-sha256.js:16
at hmac-sha256.js:12
at hmac-sha256.js:14

aws-sign-web.js:19 Uncaught TypeError: Cannot read property 'SHA256' of undefined
at aws-sign-web.js:19
at aws-sign-web.js:21

No clue as to how to solve this. Please help.

Use AWS Naming convention for Key and Secret

Nice work Daniel,

I have a suggestion - it would make sense to use the AWS convention for the configuration parameters for the Key and Secret (i.e. accessKeyId and secretAccessKey or use AWSAccessKeyId and AWSSecretAccessKey) as this is what it is in all the AWS documentation.

Then the configuration in the user's JavaScript would be:

var config = {
	// AWS Region (default: 'eu-west-1')
	region: 'eu-west-1',
	// AWS service that is called (default: 'execute-api' -- AWS API Gateway)
	service: 'execute-api',
	// AWS IAM credentials, here some temporary credentials with a session token
	accessKeyId: '...',
	secretAccessKey: '...',
	sessionToken: '...'
};

This would then be consistent with the AWS Response for temporary credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html).

query params in URL are parsed incorrectly

extractQueryParams in SimpleUrlParser uses decodeURI to decode the keys and values. This is incorrect and doesn't work for symbols which are part of the URL grammar. It should be using decodeURIComponent.

Example:
testParam: 'Cookies & Cream'
->

sample-url?testParam=Cookies%26Cream

->
Decoded queryParams:

{
   testParam: 'Cookies%26Cream'
}

This is causing an invalid signature to be generated.
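The effect reported above, as an added example that is not part of the original issue or the library: a query parser that takes the decode function as a parameter, so both choices can be run over the same input and re-encoded the way the signer would. `parseQuery` and `reencode` are hypothetical names, and the sample URL is constructed (the reporter's value with its spaces encoded).

```javascript
// Added example: hypothetical parser, not aws-sign-web's own code.

// Parse a search string into { key: [values] } using the given decoder.
function parseQuery(search, decode) {
  const result = Object.create(null);
  const query = search.replace(/^\?/, '');
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    // Split at the first '=' only, so values may themselves contain '='.
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decode(rawKey);
    result[key] = (result[key] || []).concat(decode(rawVal));
  }
  return result;
}

// Re-encode parsed params as they would appear in the canonical request.
function reencode(params) {
  return Object.keys(params).sort().flatMap((key) =>
    params[key].slice().sort().map((val) =>
      encodeURIComponent(key) + '=' + encodeURIComponent(val))
  ).join('&');
}

// Constructed sample: 'Cookies & Cream' as it travels on the wire.
const sent = '?testParam=Cookies%20%26%20Cream';

// decodeURI leaves %26 alone (& is reserved), so re-encoding escapes the
// '%' again and the signed string no longer matches the sent one.
const withDecodeURI = reencode(parseQuery(sent, decodeURI));

// decodeURIComponent restores the literal '&', so the round trip is exact.
const withComponent = reencode(parseQuery(sent, decodeURIComponent));

console.log(withDecodeURI);
console.log(withComponent);
```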

URLs with percent (%) encoded values fails signature check

URLs with percent (%) encoded values get decoded and fail to match signature.

This snippet in SimpleUriParser decodes the path but doesn't encode it initially. This results in any URL-encoded characters being un-encoded. For example, %20 is changed to a space.

return function (uri) {
    parser.href = uri;
    return {
        protocol: parser.protocol,
        host: parser.host.replace(/^(.*):((80)|(443))$/, '$1'),
        path: ((parser.pathname.charAt(0) !== '/') ? '/' : '') +
            decodeURIComponent(parser.pathname),
        queryParams: extractQueryParams(parser.search)
    };
};

A solution is to encode the uri parameter, as shown below.

return function (uri) {
    parser.href = encodeURI(uri);
    return {
        protocol: parser.protocol,
        host: parser.host.replace(/^(.*):((80)|(443))$/, '$1'),
        path: ((parser.pathname.charAt(0) !== '/') ? '/' : '') +
            decodeURIComponent(parser.pathname),
        queryParams: extractQueryParams(parser.search)
    };
};

aws signature v4 - new headers

Hi Daniel,
Thanks for the lib, it's awesome! :)
I am trying to use it in a personal project but I have problems with authorization.
Now, AWS S3 signature v4 imposes a new header (X-Amz-Content-Sha256) and signedheaders (x-amz-content-sha256;x-amz-date;x-amz-security-token).
So I included it in your code but it doesn't work. The Amazon server replies that my signature doesn't match (isn't good).
Are you still using your library? Does it work?
Can I send you my code (your lib with my changes) to have your opinion?
Thank you :)

issue with defining HmacSHA256

  • Hello there. I'm trying out your library and I ran into this error on the console,

image

  • The context appears to be ...
// excerpt from aws-sign-web.js
            hmac: function (key, input, options) {
                options = extend({hexOutput: true, textInput: true}, options);
                var hmac = CryptoJS.HmacSHA256(input, key, {asBytes: true});    // Line 286
                if (options.hexOutput) {
                    return hmac.toString(CryptoJS.enc.Hex);
                }
                return hmac;
            }
  • Potential culprit: I am leaving out the sessionToken. I am not sure if you require that? I have used Signature Version 4 with a Python implementation which did not require this.
  • Also, I forgot to mention, I changed my vanilla.html setup to also include core.js, because errors were complaining about CryptoJS undefined in sha256.js
	<script src="js/core.js"></script>
	<script src="js/sha256.js"></script>
	<script src="js/hmac-sha256.js"></script>
	<script src="js/aws-sign-web.js"></script>

Please let me know if I can provide more details.
