danieljoos / aws-sign-web
Plain JavaScript AWS Signature v4 for use within Web Browsers
License: MIT License
It seems npm hasn't consumed the last hotfix because the version was not bumped when the hotfix was merged.
Can we change the version from 1.5.0 to 1.5.1 so it can be in npm? Thanks!
When doing a post request with no body, e.g.
axios.post('/someurl')
The generated signature is rejected by AWS (API Gateway in the test I ran). I can work around the issue by adding an empty object as the second parameter to post.
axios.post('/someurl', {})
In Lines 130 to 132 in 4388cd6, ws.uri.queryParams is parsed from the URI by Lines 249 to 262 in 4388cd6 into an object whose values are arrays, and so if ws.request.params is empty, then in Lines 146 to 149 in 4388cd6 the assumption that ws.uri.queryParams[key] has a sort method is valid.
However, ws.request.params has not undergone any kind of sanitation and can have non-array values, which crashes the above code.
I ran into this problem when attempting to use config.params during a GET request and I have no idea how no one else has run into this! Right now I'm working around this using a custom interceptor in my axios code, which moves config.params into the URI:
client.interceptors.request.use((config) => {
    if (config.params !== undefined) {
        config.url = client.getUri(config);
        config.params = undefined;
    }
    return config;
});
However, I think that to properly address the issue we'd need to either make that signing code handle the non-array case, or sanitize ws.request.params before running extend, by turning its non-array values into arrays.
buildCanonicalRequest doesn't appear to work when query params are specified in the request. For example
signer.sign({
    method: 'GET',
    url: '/someurl',
    params: { myId: 'abc' }
});
This line breaks because ws.uri.queryParams[key] is a string and doesn't have sort(). It looks like this assumes the param values are always arrays. That's true if they came from SimpleQueryParser but normal params (merged with extend in prepare) are just strings/numbers.
I tried working around this by adding my own interceptor to wrap all my params in arrays but that doesn't work because Axios then appends [] to the key names.
Hi,
I am new to the browser world so excuse me if this sounds naive. I am trying to use this lib on the browser side to generate AWS SigV4, and stumbled at the first block.
I have included the files in the HTML as:
<script src="./crypto-js/index.js"></script>
<script src="./crypto-js/sha256.js"></script>
<script src="./crypto-js/hmac-sha256.js"></script>
<script src="./aws-sign-web/aws-sign-web.js"></script>
This throws multiple errors such as:
sha256.js:19 Uncaught TypeError: Cannot read property 'lib' of undefined
at sha256.js:19
at sha256.js:194
at sha256.js:12
at sha256.js:14
hmac-sha256.js:16 Uncaught TypeError: Cannot read property 'HmacSHA256' of undefined
at hmac-sha256.js:16
at hmac-sha256.js:12
at hmac-sha256.js:14
aws-sign-web.js:19 Uncaught TypeError: Cannot read property 'SHA256' of undefined
at aws-sign-web.js:19
at aws-sign-web.js:21
No clue how to solve this. Please help.
Nice work Daniel,
I have a suggestion: it would make sense to use the AWS convention for the configuration parameters for the key and secret (i.e. accessKeyId and secretAccessKey, or AWSAccessKeyId and AWSSecretAccessKey), as this is what it is in all the AWS documentation.
Then the configuration in the user's JavaScript would be:
var config = {
    // AWS Region (default: 'eu-west-1')
    region: 'eu-west-1',
    // AWS service that is called (default: 'execute-api' -- AWS API Gateway)
    service: 'execute-api',
    // AWS IAM credentials, here some temporary credentials with a session token
    accessKeyId: '...',
    secretAccessKey: '...',
    sessionToken: '...'
};
This would then be consistent with the AWS response for temporary credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html).
extractQueryParams in SimpleUrlParser uses decodeURI to decode the keys and values. This is incorrect and doesn't work for symbols which are part of the URL grammar. It should be using decodeURIComponent.
Example:
testParam: 'Cookies & Cream'
->
sample-url?testParam=Cookies%26Cream
->
Decoded queryParams:
{
testParam: 'Cookies%26Cream'
}
This is causing an invalid signature to be generated.
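The three query-parameter issues above (non-array values in ws.request.params crashing the sort, params passed via the request breaking buildCanonicalRequest, and decodeURI leaving %26 in place) all sit in the same few lines of the canonical request. The block below is an added example, not code from aws-sign-web, of a query parser and canonical query string builder that handle all three. It assumes the shapes the issues describe: URI params parsed into an object of arrays, request params that may be scalars or arrays, and request params overriding URI params of the same name (the merge order is an assumption).

```javascript
// Added example, not aws-sign-web's own code.

// SigV4 requires RFC 3986 encoding: encodeURIComponent plus the five characters
// it leaves alone (! ' ( ) *). Lower-case hex from encodeURIComponent never occurs,
// so no case fix-up is needed.
function rfc3986(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Parse "?a=1&b=x%26y" into { a: ['1'], b: ['x&y'] }.
// decodeURIComponent, not decodeURI: decodeURI deliberately keeps %26 (&), %3D (=),
// %2F (/) and other URL-grammar characters encoded, so the value would be re-encoded
// a second time in the canonical request and the signature would not match.
function extractQueryParams(search) {
  const result = {};
  const query = search.charAt(0) === '?' ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    (result[key] = result[key] || []).push(val);
  }
  return result;
}

// Coerce every value to an array of strings so later code can call .sort() safely.
// This is the "sanitize ws.request.params before extend" option from the issue above.
function toArrayValues(params) {
  const out = {};
  for (const key of Object.keys(params || {})) {
    const v = params[key];
    if (v === undefined || v === null) continue;
    out[key] = (Array.isArray(v) ? v : [v]).map(String);
  }
  return out;
}

// Canonical query string: every name/value RFC 3986 encoded, sorted by encoded name
// and then by encoded value. Request params override URI params of the same name.
function canonicalQueryString(uriParams, requestParams) {
  const merged = Object.assign({}, toArrayValues(uriParams), toArrayValues(requestParams));
  const pairs = [];
  for (const key of Object.keys(merged)) {
    for (const v of merged[key]) pairs.push([rfc3986(key), rfc3986(v)]);
  }
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  pairs.sort((a, b) => (a[0] === b[0] ? cmp(a[1], b[1]) : cmp(a[0], b[0])));
  return pairs.map(p => p[0] + '=' + p[1]).join('&');
}

module.exports = { rfc3986, extractQueryParams, toArrayValues, canonicalQueryString };
```

With this, `signer.sign({ method: 'GET', url: '/someurl', params: { myId: 'abc' } })` style input yields `myId=abc` instead of a TypeError, and a URI carrying `testParam=Cookies%20%26%20Cream` round-trips to the same encoded form AWS computes.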
URLs with percent (%) encoded values get decoded and fail to match signature.
This snippet in SimpleUriParser
decodes the path but doesn't encode it initially. This results in any URL-encoded characters being un-encoded. For example, %20 is changed to a space.
return function (uri) {
    parser.href = uri;
    return {
        protocol: parser.protocol,
        host: parser.host.replace(/^(.*):((80)|(443))$/, '$1'),
        path: ((parser.pathname.charAt(0) !== '/') ? '/' : '') +
            decodeURIComponent(parser.pathname),
        queryParams: extractQueryParams(parser.search)
    };
};
A solution is to encode the uri parameter, as shown below.
return function (uri) {
    parser.href = encodeURI(uri);
    return {
        protocol: parser.protocol,
        host: parser.host.replace(/^(.*):((80)|(443))$/, '$1'),
        path: ((parser.pathname.charAt(0) !== '/') ? '/' : '') +
            decodeURIComponent(parser.pathname),
        queryParams: extractQueryParams(parser.search)
    };
};
Hi Daniel,
Thanks for the lib, it's awesome! :)
I am trying to use it in a personal project but I have problems with authorization.
Now, AWS S3 Signature v4 imposes a new header (X-Amz-Content-Sha256) and signed headers (x-amz-content-sha256;x-amz-date;x-amz-security-token).
So I included it in your code but it doesn't work. The Amazon server replies that my signature doesn't match (isn't good).
Are you still using your library? Does it work?
Can I send you my code (your lib with my changes) to have your opinion ?
Thank you :)
// excerpt from aws-sign-web.js
hmac: function (key, input, options) {
    options = extend({hexOutput: true, textInput: true}, options);
    var hmac = CryptoJS.HmacSHA256(input, key, {asBytes: true}); // Line 286
    if (options.hexOutput) {
        return hmac.toString(CryptoJS.enc.Hex);
    }
    return hmac;
}
sessionToken. I am not sure if you require that? I have used Signature Version 4 with a Python implementation which did not require this.
vanilla.html setup to also include core.js, because errors were complaining about CryptoJS undefined in sha256.js
<script src="js/core.js"></script>
<script src="js/sha256.js"></script>
<script src="js/hmac-sha256.js"></script>
<script src="js/aws-sign-web.js"></script>
Please let me know if I can provide more details.
The signature calculated will not match if a URI segment contains a colon. AWS will encode the colon to %3A, but aws-sign-web will not.
e.g. GET https://my-apigateway-app.com/users/us-east-1:deadbeef-dead-beef-dead-beef00000075/items/
AWS will show that the string to sign changed the colon in the 2nd segment of the path to %3A when calculating the signature.
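The percent-encoding issue above (%20 decoded to a space and never re-encoded) and this colon issue are two faces of one problem: the canonical URI must be produced by encoding each path segment exactly once, regardless of whether the caller supplied the segment raw or already encoded. The block below is an added example, not aws-sign-web's code, of such a canonicalUri function. It assumes a single RFC 3986 encoding per segment, which is the API Gateway behaviour both issues report; S3 and other services may normalise differently, so check the service's own rules before reusing it.

```javascript
// Added example, not aws-sign-web's own code.

// RFC 3986 encoding: encodeURIComponent plus the characters it leaves unencoded.
function rfc3986(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Decode one segment exactly once so "my%20dir" and "my dir" become the same
// plain text before re-encoding. A malformed escape such as "100%" is kept as-is
// (decodeURIComponent throws on it) and ends up encoded as "100%25".
function decodeSegment(seg) {
  try { return decodeURIComponent(seg); } catch (e) { return seg; }
}

// Canonical URI for SigV4: leading slash, dot segments removed, each segment
// RFC 3986 encoded once. A raw ':' therefore becomes %3A, matching what the AWS
// string to sign shows in the issue above; a trailing slash is preserved.
function canonicalUri(path) {
  const raw = (path === undefined || path === '') ? '/' : path;
  const withSlash = raw.charAt(0) === '/' ? raw : '/' + raw;
  const segments = withSlash.split('/').map(decodeSegment);
  const out = [];
  segments.forEach((seg, i) => {
    const last = i === segments.length - 1;
    if (seg === '.') { if (last) out.push(''); return; }
    if (seg === '..') { if (out.length > 1) out.pop(); if (last) out.push(''); return; }
    out.push(seg);
  });
  return out.map(rfc3986).join('/');
}

module.exports = { rfc3986, decodeSegment, canonicalUri };
```

Feeding the issue's example path through canonicalUri gives `/users/us-east-1%3Adeadbeef-dead-beef-dead-beef00000075/items/`, and both `/my folder/file` and `/my%20folder/file` give `/my%20folder/file`, so the signature no longer depends on which form the caller happened to pass.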
Hi, how do I use your injector in $resource? I'm new to Angular and hope you can guide me.