
aws-cloudfront-sign's Issues

seemingly random 'expireTime must be after the current time' error

Sometimes my app, which uses 'aws-cloudfront-sign' to generate signed urls, crashes with the following log:
throw message;
^
Error: expireTime must be after the current time
at assert (/sails/node_modules/aws-cloudfront-sign/lib/CannedPolicy.js:60:11)
at CannedPolicy._validate (/sails/node_modules/aws-cloudfront-sign/lib/CannedPolicy.js:48:3)
at CannedPolicy.toJSON (/sails/node_modules/aws-cloudfront-sign/lib/CannedPolicy.js:19:8)
at Object.getSignedUrl (/sails/node_modules/aws-cloudfront-sign/lib/cloudfrontUtil.js:30:22)
at signedUrlForOrder (/sails/api/controllers/AppController.js:34:19)
at /sails/api/controllers/AppController.js:228:56
at /sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/collection/query.js:164:5
at Cursor.nextObject (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/cursor.js:753:5)
at commandHandler (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/cursor.js:727:14)
at /sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/db.js:1874:9
at Server.Base._callHandler (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/connection/base.js:453:41)
at /sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/connection/server.js:481:18
at MongoReply.parseBody (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)
at null. (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/connection/server.js:439:20)
at emit (events.js:95:17)
at null. (/sails/node_modules/sails-mongo/node_modules/mongodb/lib/mongodb/connection/connection_pool.js:201:13)
at emit (events.js:98:17)

But this is happening only sometimes (very very rarely); most of the time it is working fine.
My options look like this:
var signingParams = {
keypairId: ,
privateKeyPath: ,
expireTime: (new Date().getTime()) + 86400000
}

Signed URL with expireTime > 2038

I'm getting an error when signing a URL in AWS Lambda (Nodejs 8.10) for expireTime > 2038:
expireTime must be less than January 19, 2038 03:14:08 GMT due to the limits of UNIX time

The date is accepted by business logic of our project. Is there any solution? or any alternative libraries for signing AWS URL?

Please support. Thanks.

Version 2.2.1 Not Released to NPM

Hi Jason,

It looks like there is a release (2.2.1) that resolves the npm audit vulnerabilities with lodash that was released in March, but the NPM package version is still at 2.2.0. Would you be able to update the NPM package latest release to 2.2.1?

Best,
Craig

Missing Key-Pair-Id query parameter or cookie value

I've followed every guide there is to follow, I've done everything right, I've tried to use a private key file as opposed to a private key string but I still get this "Missing Key Pair-Id" error even though it is present in the URL.

AWS Creating Cloudfront Signed URLs
https://aws.amazon.com/blogs/developer/creating-amazon-cloudfront-signed-urls-in-node-js/

I used this guide for generating the key pairs
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-adding-trusted-signers

The generated URL contains the Key-pair-Id but this error still exists. Any help would be appreciated.

This is a sample URL generated:

https://xyz.cloudfront.net/test-video/Default/HLS/movie.m3u8?Expires=1693438738&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kMTcxNHBoOXBrbXNlby5jbG91ZGZyb250Lm5ldC9HQkFTR0JPUy9EZWZhdWx0L0hMUy9HQkFTR0JPU183MjAubTN1OCIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTY5MzQzODczOH19fV19&Signature=Ph1Plk0Wdvs8jPOV6Jk2E4NHzlaLFPEDy6aYBo3tuKd6vpIXJ8cySpU3upV5hNl8-Q3N979XrTqOKgWXmJGoIAGPlu1FL-q99IGYczv8UBZvPwYCPJgHmrFbwS85A9FK78LP2J0bmMd7ukNhqVXoMYr1adKzcONasKbftQh9AwA9m89W7EN4oRhXYKOS-904BCLzKKnXySlg%7EJW5wcRQTpJlf8o9MuSF305wWXd1iRbuHNUX46rdpHllvxfWIyqpLwICwDFB1Owqo4h0M3nTaHptbQ13o%7EEbOsL2uKLkDy2N%7EmQzDpJeVmzCWPJs549w8gP-tNwSp1sEw1kFdUdCgg__&Key-Pair-Id=dc5ffcdf-144a-4996-83d5-73c98926d8cf

P.S: Before attempting to use signed URLs, I have always used unsigned URL that worked fine: https://xyz.cloudfront.net/test-video/Default/HLS/movie.m3u8

Redundant console.log in published library

I've installed the latest 3.0.0 version, and it works fine, but there is one catch that is hard to explain to my team. In the published version, there is a console.log inside getSignedUrl method

console.log('LETS SIGN SOME SHIT');

Inside the library itself, here on the GitHub this section is absent, so I assume the library was published on the local machine with this debug code. Could you please release a new version without debug log?


Thanks for the new version of the library without lodash vulnerability,
Kind regards, ihor

generateCookies Failing Silently when dockerized

Hi, I have been trying to debug this issue for a few days now.

If I am running this package locally on my machine using reacts-web-app webpack setup it works fine. The second I move it into a dockerized environment the package dies silently.

The code I'm currently testing with is this:

let options = {
  keypairId: "ABCDEFGHIJKL",
  privateKeyPath: "./cloudfront.pem",
  expireTime: new Date().getTime() + 6000000
};
console.log("HERE")
let cookies = cfsign.getSignedCookies('http://cdn-dev.my-sitet.com/*', options);
console.log(cookies)

So I only get 'HERE' outputting in the console, nothing after.
Have you come across any issue with this and docker?

Access Denied

I have been trying this awesome package for a while, and I could get signedURL to work with my cloudfront. But there is an issue when I tried to use signed cookies in my cloudfront.

What could be the reasons for not working with signed cookies?

Before passing the cookie values: [screenshot]

After passing cookie values: [screenshot]

Thank You

Issue generating a working signed url.

Good day.
First thing.. thanks for setting up this package! Big help!
I would not mark this as an issue. I am however having trouble generating a working signed URL.

I am successfully generating a URL by following your documentation.
The url however gives me an access/denied message or in some cases "Missing Key-Pair-Id query parameter or cookie value".

We are not using Cookies. the URL structure seems valid.
?Expires=1452884605&Signature=VOzPlbAGQeCA98Rn60xoLr0qLxyd94j5UfIkRbOfd6hkIT2uH1RXSvVKPUW1UCfw7CGJ-HTbGQ55lPrjPebdnR3doF36wHNpPN0U2AvItnbPeHt0GqDT0WUIhMZdH0h7uqTw4SZ86sEniJX3x2IZj-UAWpEx7pLJjntStxfBRaHISioVQpZDaEiiKFjamRaTKu6J93dv5EZ7IwJyIgJWfiH3j4GKeJjr6IbfXa08oGNm2O71crmwsUo1UTCDGz5DyHUoQqyrGHv53VOgtYctzUmoRerfNf1VNpkUPY3vfrfbhgS4joKTZMk0u~D9dYCEEWBWbVhKkVBwxF55tNXw__&Key-Pair-Id=AAHKDHS8JDHKSHDK98KS

I am obviously using the policy that is found in CannedPolicy.js
And filling the policy with my URL and expiry.

However, looking at my policy, I feel like I may be doing something wrong?
Hopefully you could shed some light on my issue.

My last hope is that somehow the policy is not valid...
My policy

{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SOMERANDOMVAL"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-encoded-videos/*"
}
]
}

Thank you :)
Any help is greatly appreciated!

PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:

Hey,

Thanks for this lib man, it's pretty great.
One thing tho, I followed every guide and your npm readme, etc, but I get this error when attempting to create the signedUrl.

I'm using my RSA PRIVATE KEY as a String in my code:

( $ more pk-..pem file from terminal and copied the output to my .js file)

var privateKeyString =
'-----BEGIN RSA PRIVATE KEY-----\n'
'sdkfklfhksdfhskljfhsalkj( checked 64 character length) \n'
......
'u....................................................................................=\n'
'-----END RSA PRIVATE KEY-----';

var keypairId = 'some_random_rumber';

var cfsign = require('aws-cloudfront-sign');
var cloudfrontSignOptions = {
keypairId: keypairId,
privateKeyString:privateKeyString
};

...
//Actual invocation
function getUrl(){
var signedUrl = cfsign.getSignedUrl(path,cloudfrontSignOptions);
context.succeed(signedUrl);
}

I've tried every possible formatting of the RSA string, such as end of line to the last line, and many other things like that but with no success.

Is it related to this lib? I've searched everywhere, but I can't seem to fix it.

Thanks

Signed Cookies

It would be great if you could add signed cookies for CloudFront to your library. This is also a missing piece of the aws-javascript-sdk.

Issues with expireTime in milliseconds

I'm having issues with asserts triggering while creating the canned policy. Is the code below (from CannedPolicy.js) correct, given that expireTime is now in milliseconds and not seconds?

// CannedPolicy.prototype._validate
assert(this.expireTime < 2147483647, 'expireTime must be less than January 19, 2038 03:14:08 GMT ' + 'due to the limits of UNIX time');
assert(this.expireTime > (new Date().getTime() / 1000), 'expireTime must be after the current time');

EDIT: very sorry, please ignore this, I totally missed the line that said this.expireTime = Math.round(expireTime/ 1000). I found I was triggering asserts for a different reason.

Having trouble with Signed Cookies

So I've set up a CloudFront key pair and I'm able to create the signed cookies using this awesome package.

I'm then setting the cookies correctly under a custom domain.

The CloudFront has the custom domain configured.

I also opened full access to the S3 origin bucket (for testing purposes).

When I hit CloudFront, I get access denied along with a RequestId and a HostId.

I also tried to access a single object index.html using a signed url and that didn't work either.

Any ideas?

path to key not resolving

var options = {expireTime: new Date() +7, keypairId: 'mykeyid', privateKeyPath: 'pk-mykeyid.pem'}

I have the .pem key in the same folder as this module; initially it was in another parent folder where I was trying to load it via:

'../../pk-mykeyid.pem'

With no luck. Please give detail on how this should work please?

Cheers

Doesn't return the signed url

I am currently using this plugin for my Ionic project. When I make the call to get the rtmpSignedUrl it doesn't return me the url neither raises any error.

I have installed and importing the package correctly. Not sure if I am missing anything. Is there a way to debug this? Is it because the crypto library used in the package is deprecated?

Signed URL is never expired

I used code below in my project:
var moment = require('moment');
var cf = require('aws-cloudfront-sign');
var options = {
keypairId: 'APxxxxxxxxxxxxxyyyyy',
privateKeyPath: '/path/to/pem/private/file',
expireTime: moment().add(30, 'seconds') //available in 30s
}
var signedUrl = cf.getSignedUrl('http://xxxxxxx.cloudfront.net/path/to/s3/object', options);
console.log('signed url: ' + signedUrl);

Problem: the signedUrl is never expired
Any suggestion please

Using ipRange with localhost:3000

Is it possible to make signed URLs for localhost:3000? This is what I'm currently trying below but can't get it to work:

var options = {
keypairId: config.cloudFrontAccessKeyId,
privateKeyPath: config.cloudFrontSecretKeyPath,
expireTime: new Date().getTime() + 1800000,
ipRange: '127.0.0.0/8'
};

Also, I'm assuming the ipRange should be entered as a string. It wasn't clear in the api doc.

Update npm release

First of all thanks a lot for the effort with the library, very helpful.

Is it possible to update the release on npm? I've just spent few hours trying to find why the example was not working:

var params = {
  keypairId: process.env.PUBLIC_KEY,
  privateKeyString: process.env.PRIVATE_KEY,
  privateKeyPath: '/path/to/private/key',      // Optional. Use as an alternative to privateKeyString.
  expireTime: new Date(2016, 0, 1) // January 1, 2016
}

And the reason is that in the npm release 1.1.0 the expireTime parameter does not support the format provided in the example.

Invalid Key/Unknown Key

I'm getting an invalid key/unknown key error whenever I generate a signed url. I see this whenever I go to the link generated.

    var params = {
        privateKeyPath: './security/cfkey.pem',
        expireTime: '20000000'
    };
    cf.getSignedUrl('https:/mydomain.cloudfront.net/test/test.mp3', params, function(err, url) {
        console.log(url);
    });

Above is my code. Any ideas?

Result:

https:/mydomain.cloudfront.net/test/test.mp3?Key-Pair-Id=undefined&Signature=bZtvkAh4cA0LeGztoqkqSpR9RHCkxiQAyMtZkVEKdgA0mbK1kksp/Lj2h3ZBwVUzNgdbkWnTRQPduXeWqNItPiilyKNyxgGBr1x6dguJaALyZnI+hYWJ5/SQm7Uq2qdca1T1+XQ5eIOlVI1t9njtGCZqNubzq6wRqWYAU/ZH8Vg=&Expires=20000000

Also this can be offtopic, but should the /path/to/s3/object be a link from my CF server or S3 server?

Thank you in advance.

EDIT:
Looks like you forgot to mention about keypairId in your params in readme. That fixed it.

Expiration needs to be set in UTC

The defaultExpireTime uses the local time as do the examples in the docs. If you're ahead of UTC (e.g. most of Europe) the links are expired as you create them. If you're behind UTC (e.g. all of USA) the links are valid longer than you think.

var defaultExpireTime = Math.round(Date.now() + 1800000);

There is not a really nice way in JavaScript without resorting to Moment.js or the like. https://stackoverflow.com/questions/948532/how-do-you-convert-a-javascript-date-to-utc

var now = new Date(); 
var nowUTC = new Date(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate(),  now.getUTCHours(), now.getUTCMinutes(), now.getUTCSeconds());
var defaultExpireTime = Math.round(nowUTC.getTime() + 1800000);

Moment.js

moment().utc().add(1, 'day')


http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html

{"AWS:EpochTime":required ending date and time in Unix time format and UTC}

generating signed urls for a large list of files

In Nodejs, generating signed url for a large list of files(~1000) takes time because it does the job in a single-thread manner. So I'm interested to know is there a way to create signed url for multiple files at once? for example by passing an array of object keys instead of passing one at a time? Or shall I consider generating signed-cookies? thanks

Signed cookies in aws cloudfront without Key Pair (RSA private key)

I am seeing your amazing tool and checking the possibility of adding it as a dependency of my project. The thing is: I am deploying my app split in microservices in disposable machines (AWS-ECS) using Docker. I would like not to include any CloudFront Key Pair since these machines can die and storing files (*.pem) inside makes no sense. Is there any way to get signed tokens just granting privileges with IAM policies, e.g. CloudFrontFullAccess, avoiding the Key Pair as with other AWS services (e.g. from S3 I get signed urls, with proper IAM policy)?

Setup details for CloudFront RTMP

I am wondering what the exact steps are before creating the Signed RTMP urls. At the moment, it looks as though I have everything set up and unsigned RTMP urls seem to work fine. The problem I am having is that I cannot get signed urls working despite various efforts. I am wondering if it is in the configuration on AWS side but I cannot be entirely sure.

I am wondering if it could be possible to list the steps to make sure the configuration is set up correctly when using signed rtmp urls. For example, clicking the restrict viewer access, and enabling trusted users, etc., etc. The setup for HTTP is different than RTMP and this seems crucial...

Thank you much.

Existing query string causes invalid signed url

If I want to supply a query string in the cloudfront url (e.g.
https://subdomain.cloudfront.net/path/to/my/file.mov?response-content-disposition=attachment) when we call getSignedUrl() it assumes there are no query parameters and appends the signature query string with another ?.

This results in a signed url like https://subdomain.cloudfront.net/path/to/my/file.mov?response-content-disposition=attachment?Expires=1425700643&.... (note the double ? where the second one should be an &).

Right now I am working around this with:

signedUrl = signedUrl .replace('?response-content-disposition=attachment?', '?response-content-disposition=attachment&');

Side note: for cloudfront backed by s3, passing response-content-disposition=attachment query string sets the header, so that things like movie files will be downloaded instead of displayed in the browser. This is why I ran into the issue.

Supplying Javascript date object doesn't work

Documentation suggests we could do something like

expireTime: moment().add(expireTimeSec, 'seconds').toDate()

However what I really needed to do was pass unix epoch like

expireTime: moment().add(expireTimeSec, 'seconds').unix()

Either updating docs or converting date to unix epoch would suffice.
Note I was using the http://momentjs.com/ library.

Default `expireTime` is short and can cause `Access Denied` due to server clockdrift

Hey there,

thanks for packing this up into this neat bundle.
I just spent half a day figuring out why my signed link does not work.

All looked peachy, but CloudFront would return AccessDenied.
After trying out the official go implementation (it also contains the sign code, and uses a default expire time of +1 h) I knew it wasn't related to my CF setup but something else.

When I finally increased the expireMethod to 5 minutes, it instantly worked like a charm.

Hence, I propose to increase the default expireTime from 30 seconds to at least something in the minutes range. It is not seldom for some servers to exhibit +20s clock drift and other APIs (official ones from AWS) start with much higher defaults.

What do you think?

Specifying the Trusted Signer

I'm trying to create a distribution that serves three types of users:

Free (can access without being logged in)
Registered (has to be signed in)
Premium (has to pay)

I can use the CF cache behavior to make the above happen.

However, if I create a signed cookie with this awesome library, then it seems that I won't be able to differentiate between registered and premium users.

Amazon state here that:

In your CloudFront distribution, you specify one or more trusted signers, which are the AWS accounts that you want to have permission to create signed URLs and signed cookies.

I know how to do this from these instructions. And if I use different signers for different cache behaviors and sprinkle some policy magic, I think I can achieve my above-mentioned goal.

What I don't know how to do, is to use a specific trusted signer with this (awesome) library.

Any clues to how I might be able to do that? Do I just use the trusted signers Access Key ID instead of the The access key ID from your Cloudfront keypair as mentioned on this repo's instructions?

AccessDenied error

I keep getting "AccessDenied," with the Message: "Query-string authentication requires the Signature, Expires and AWSAccessKeyId parameters".

I try to append an AWSAccessKeyId -- first, I tried the one labeled "Access Key ID" from my Cloudfront Keypairs. Then it returns: "InvalidAccessKeyId" with the Message: "The AWS Access Key Id you provided does not exist in our records."

Then, I tried the main Access Key from my account, and that returns: "SignatureDoesNotMatch" with the Message: "The request signature we calculated does not match the signature you provided. Check your key and signing method."

var params = {
    keypairId: pub_key,
    privateKeyPath: __dirname + "/pk-{AWSAccessKeyId-fromCFKeypairs}.pem",
    expireTime: moment().add(30, "minutes").unix(),
    Expire: 60
};
cf.getSignedUrl("http://{bucket}.s3.amazonaws.com/" +  FILE_KEY, params) + "&AWSAccessKeyId={AWSAccessKeyId-fromCFKeypairs || AWSAccessKeyId-fromAccountCredentials}";

A strange thing I noticed about this is that the Params require a Keypair ID, for which I passed in the contents from rsa-{AWSAccessKeyId-fromCFKeypairs}.pem received from the Cloudfront Keypair tool. I feel this might refer to the "Access Key ID" from my Cloudfront Keypairs, but changing that does the same "SignatureDoesNotMatch" error.

I'm not sure what I'm doing wrong :( Thank you!

Still maintained?

Hello there,

Is this repo being maintained? I know from npm that it has 22k monthly downloads, but on the other hand, the merge requests have been open for a while.

I am interested in maintaining this repo (if needed), let me know what I should do if that is the case.

Not being able to use passphrase signs

I am trying to sign with a private Key string that I have encrypted (for security reasons) and although the function called by this sign could be using that feature (since crypto has it built in), unfortunately it is not there.

The bypass is an ugly hack:
{ keypairId: 'id', privateKeyString: {privateKeyString, passphrase: 'password', toString: () =>privateKeyString} };

The function below works just fine, since the fine method allows it to receive a keyObject with the passphrase in it.
https://nodejs.org/api/crypto.html#crypto_class_keyobject

_createPolicySignature(policy, privateKey) {
  var sign = crypto.createSign('RSA-SHA1');
  sign.update(policy.toJSON());

  return sign.sign(privateKey, 'base64');
}

The problem is with the validation function itself, which assumes that I am sending a string while I am sending an object (because I need the passphrase property).

More specifically:

function _getPrivateKey(params) {
  var privateKeyString = params.privateKeyString; 

  var newLinePattern = /\r|\n/;
  var lineBreakExists = newLinePattern.test(privateKeyString);
  if (!lineBreakExists) {
      throw new Error('Invalid private key string, must include line breaks');
  }

  return privateKeyString;
}

I guess it should use destructuring to get the variable inside the object. What are your thoughts on this?

AWS doesn't like my cloudfront Access Key Id

Hello,

I'm having issues getting this module to work. The way I'm doing this right now is:

  1. Restrict access to my cloudfront distribution to my AWS account #

  2. Create cloudfront keypair in AWS.

  3. Download private .pem file

  4. Move pem file ~/.ssh as cloudfront.pem

  5. chmod 600 ~/.ssh/cloudfront.pem

  6. Execute this code in node.js:

    var cf = require('aws-cloudfront-sign')
    var options = {keypairId: {KEYPAIR ID FROM ABOVE}, privateKeyPath: '/Users/{MYUSERNAME}/.ssh/cloudfront.pem', expires: new Date().getTime() + 30000}
    var signedUrl = cf.getSignedUrl('http://my-s3-domain.s3.amazonaws.com/my-great-file.txt', options);
    console.log('Signed URL: ' + signedUrl);

When I visit the signed url, I get a response like this:

<Error>
<Code>InvalidAccessKeyId</Code>
<Message>
The AWS Access Key Id you provided does not exist in our records.
</Message>
<AWSAccessKeyId>...</AWSAccessKeyId>
<RequestId>...</RequestId>
<HostId>.. </HostId>
</Error>

Then I tried the same steps, but using a standard Access Key Id (not cloudfront access key id):

<Error>
<Code>AccessDenied</Code>
<Message>
Query-string authentication requires the Signature, Expires and AWSAccessKeyId parameters
</Message>
<RequestId>...</RequestId>
<HostId>...    </HostId>
</Error>

So I changed line 49 of cloudfrontUtil.js from:

'Key-Pair-Id': params.keypairId

to

'AWSAccessKeyId': params.keypairId

and I get:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your key and signing method.
</Message>
<AWSAccessKeyId>...</AWSAccessKeyId>
<StringToSign>GET ... </StringToSign>
<SignatureProvided>...
</SignatureProvided>
<StringToSignBytes>...    </StringToSignBytes>
<RequestId>...</RequestId>
<HostId>...    </HostId>
</Error>

Can you provide any assistance?

Does this library support Aws4 Signatures?

I'm trying to upload a file through cloudfront, specifying x-amz-server-side-encryption-aws-kms-key-id and x-amz-server-side-encryption: aws:kms. I can confirm that this works when the encryption is set to AES256, but setting the header to aws:kms results in the following error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

Setting signed cookies and verification

So I've been generating signed cookies and have been setting them like so:

exports.signedUrl = function (req, res) {
  var options = {
    keypairId: config.cloudFrontAccessKeyId,
    privateKeyPath: config.cloudFrontSecretKeyPath,
    expireTime: new Date().getTime() + 1800000,
  };
 
  var signedCookies = cf.getSignedCookies('http://cdn.learningesan.com/images/*', options);
  console.log('Signed URL: ' + signedUrl);

  for(var cookieId in signedCookies) {
    res.cookie(cookieId, signedCookies[cookieId]);

  }
  console.log(res);
  res.status(200);
};

Back on my client side I'm trying to display an image on the CDN in an image tag
<img src="http://cdn.learningesan.com/images/circle.png" >
For some reason I am still getting a 403 Forbidden error.

How can I verify the cookies are properly set in the browser?

Want to use this to post to Cloudfront

Hello,

Can you please let me know if it's possible to use this module to post files to S3 through Cloudfront Signed URLs? If yes, can you please give me an example as to how it works? Thanks!

Adi

response-content-disposition with 'filename' in UTF-8 encoding causing 'Access Denied' error

I doubt this is an aws-cloudfront-sign issue, so apologies for posting here, but I'm a bit desperate.

I'm using v2.2.0 (latest as of today).

I've followed the spec to a T but can't seem to get this working. It works fine if I use plain ol':

		'response-content-disposition': `${contentDisposition}; filename="${encodeURIComponent(filename)}"`

in the code sample below.

But if I try to use this filename*=UTF-8''... jazz, I get Access Denied from Cloudfront.

Any thoughts? Here is my code, simplified:

function getDownloadUrl({cloudFrontFileUrl, contentDisposition, ...}) {
	const urlWithS3QueryParams = URL.parse(cloudFrontFileUrl);  // Parse URL

	urlWithS3QueryParams.query = { // Modify query params
		'response-content-disposition': `${contentDisposition}; filename*=UTF-8''${encodeURIComponent(filename)}`,
		...(cacheBreakerVersion !== null ? { 'version': cacheBreakerVersion } : {}),
	};

	// Add in any request for a specific Content-Type header back from S3.
	if (contentType) {
		 urlWithS3QueryParams['response-content-type'] = contentType;
	}

	return cfsign.getSignedUrl(
		 urlWithS3QueryParams.format(), { // Use our new URL with query params
			 keypairId: ...,
			 privateKeyString: ...,
			 expireTime: Date.now() + expirationHours * 1000 * 60 * 60,
		 }
	);
}

Any help would be greatly appreciated. Thank you kindly.

S3 Custom Policy

Do you know if I could use an S3 Custom Policy to sign a CloudFront url (assuming CloudFront is correctly "hooked up" to S3)?

Also, can CNAMEs be signed, or does it have to be a CloudFront url specifically?

How to provide the privateKeyString

Great package!

Just one question, I'm not too sure on how to provide the privateKeyString ?

Is this the AWS Secret key or the private .pem file created for CloudFront?
