Include content-length in signed headers for signed url #38
Assignees
Milestone
Comments
This was referenced Nov 23, 2022
|
I'm refactoring so we don't call the presigned url thing |
|
Also removing the SESSION_TOKEN as it doesn't seem relevant to our use-case where we are creating the signer in a lambda with the regular aws credentials |
2 tasks
olizilla
added a commit
that referenced
this issue
Dec 8, 2022
- Add `createUploadUrl` to `car-store.js` as creating presigned s3 urls is a job for the bucket abstraction and having a thing called `signer` that wasn't a keypair for a DID for ucanto was confusing. - Switch to the `@aws-sdk/s3-request-presigner` for creation of signed s3 urls to simplify credential management. The existing s3 client is reused. - Adds `content-length` to the list of headers that form part of the url signature. fixes #38 ### Notes When presigning a URL for s3, some headers are "hoisted" to the URLSearchParams; they appear in the query string so you can hand the url off as a string, and the params needed for auth are baked right in there. S3 support unpacking those params from either the query _or_ from http request headers. The query params are part of the signature, so they can't be tampered with. You can also "hoist" and sign any other params you want... it is tempting to move `x-amz-checksum-sha256` to the query so a user wouldn't need to provide it separately. However it appears that aws does not support pulling that value out of the query, only from a request header. It is unknown how s3 reacts to sending a content-length that doesn't match the payload size, but there are tests for it in storacha/sigv4#7 License: MIT Signed-off-by: Oli Evans <oli@protocol.ai>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See storacha/w3up#266
The text was updated successfully, but these errors were encountered: