Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specifying port explicitly in options breaks "string to sign" #40

Open
brnkrygs opened this issue Dec 1, 2016 · 1 comment
Open

Specifying port explicitly in options breaks "string to sign" #40

brnkrygs opened this issue Dec 1, 2016 · 1 comment

Comments

@brnkrygs
Copy link

brnkrygs commented Dec 1, 2016

Hi! First, thanks for creating this module, it has made my development life a lot easier. For such a valuable function, I'm surprised its not in the aws-sdk (or maybe it is, and I just can't find it :) )

I recently ran into an issue where I was signing HTTPS requests that were attempting to push data into AWS Elasticsearch from a lambda. My policy restricted POSTs and PUTs to the role my lambda was operating under. So far so good.

I used the library to sign requests, but kept getting HTTP 403 responses, with a message saying "The request signature we calculated does not match the signature you provided..."

After playing with what I had in my request options for a bit and combing through logs, I found that I had explicitly set the "port" property of my request options to 443 prior to signing it.

When I removed the port option, the request was properly signed and my index requests started returning HTTP 200.

From my logs, it looked like the aws4 lib was including the port as part of the "String to sign", but AWS was excluding it.

It might be the case that since 443 is the standard https port, AWS erroneously drops the port from the string to sign, or maybe Node.js drops it from the actual request, or maybe aws4 problematically includes it in the host before signing... I haven't delved quite that far yet. Wondering if you've run into this situation before?
@brnkrygs
Copy link
Author

brnkrygs commented Dec 1, 2016
edited
Loading

I was able to keep working a bit and explored Node HTTP module behavior.

Details are recorded in this gist:
https://gist.github.com/brnkrygs/a96869ee9b02ab8916c933e09a8a8381

From my (admittedly limited) testing, it looks like the Node HTTP module drops the port from the request info if its a 'standard' port for the given protocol.

Applying that to this module, it looks like since my requests were HTTPS for port 443, having the 443 included in the string to sign by the module caused the signature mis-match, since Node never actually included that in the real request.

Maybe a fix would be to exclude port from the string to sign if it matches the 'standard' port for the configured protocol?

brnkrygs added a commit to brnkrygs/aws4 that referenced this issue Dec 1, 2016
@brnkrygs
Do not add standard ports to host prior to signing. Fixes mhart#40
1fc6ea5
@brnkrygs brnkrygs mentioned this issue Dec 1, 2016
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@brnkrygs