FantasticFiasco / aws-signature-version-4

The buttoned-up and boring, but deeply analyzed, implementation of SigV4 in .NET
Apache License 2.0

Requests signed with "connection" header are rejected by AWS #1198

Open cfbao opened 5 hours ago

cfbao commented 5 hours ago

Describe the bug

Requests with "connection" header are rejected by API Gateway HTTP API with IAM auth.

To Reproduce

Sample code

Environment.SetEnvironmentVariable("AWS_PROFILE", "<my-profile>");

var client = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "<api-gateway-http-api-url>")
{
    Headers = {
        { "Connection", ["keep-alive"] },
    },
};

var response = await client.SendAsync(
    request,
    "<region>",
    "execute-api",
    Amazon.Runtime.FallbackCredentialsFactory.GetCredentials()
);

Console.WriteLine(response.StatusCode);
Console.WriteLine(await response.Content.ReadAsStringAsync());

Expected behavior

The request is accepted.

Desktop (please complete the following information):

Windows 10 & Amazon Linux 2023

Additional context

Although not explicitly documented, it looks like AWS simply doesn't accept some headers in the signature (they accept them in the request, but not in the signature calculation). See an explicit case here with the "connection" header: https://repost.aws/questions/QUWXtAMiggShedgHG3hLl3tg/ses-sigv4-usage-update-connection-header

Other libraries (including AWS SDKs) deal with this by hardcoding (& maintaining) a list of unsignable headers and/or allowing users to supply a list of headers to sign/not sign. e.g.

Supporting customization also makes it possible to use this package in environments where a proxy may alter request headers.
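An added example, not part of the original comment and not this library's code: one way to build the SigV4 canonical headers and `SignedHeaders` strings while skipping headers that must not be signed. The `SignableHeaders` class, its `Build` method and the request URL are hypothetical; the default set holds only `connection` (the case reported above), and the caller-supplied list covers headers that a proxy may alter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text.RegularExpressions;

// Constructed request; the URL is a placeholder, not a real endpoint.
var request = new HttpRequestMessage(HttpMethod.Get,
    "https://example.execute-api.us-east-1.amazonaws.com/items");
request.Headers.Add("Connection", "keep-alive");
request.Headers.Add("X-Amz-Date", "20240101T000000Z");
request.Headers.Add("X-Forwarded-For", "203.0.113.7");

// The header is still sent on the wire; it is only left out of the signature.
var (canonical, signed) = SignableHeaders.Build(request, new[] { "x-forwarded-for" });
Console.WriteLine(signed);
Console.Write(canonical);

// Hypothetical helper (an assumption, not the library's API).
static class SignableHeaders
{
    // Only "connection" is taken from the issue; extend via extraUnsignable.
    public static readonly ISet<string> DefaultUnsignable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "connection" };

    public static (string Canonical, string Signed) Build(
        HttpRequestMessage request, IEnumerable<string>? extraUnsignable = null)
    {
        var skip = new HashSet<string>(DefaultUnsignable, StringComparer.OrdinalIgnoreCase);
        skip.UnionWith(extraUnsignable ?? Enumerable.Empty<string>());

        // SigV4 canonical form: lowercase names, trimmed values with inner
        // whitespace collapsed, repeated values joined with ",".
        var headers = request.Headers
            .Where(h => !skip.Contains(h.Key))
            .ToDictionary(
                h => h.Key.ToLowerInvariant(),
                h => string.Join(",", h.Value.Select(v => Regex.Replace(v.Trim(), @"\s+", " "))));

        // The host header is always part of the signature.
        headers["host"] = request.Headers.Host ?? request.RequestUri!.Authority;

        // Both strings must list the same headers in the same (ordinal) order.
        var sorted = headers.OrderBy(h => h.Key, StringComparer.Ordinal).ToList();
        var canonicalHeaders = string.Concat(sorted.Select(h => $"{h.Key}:{h.Value}\n"));
        return (canonicalHeaders, string.Join(";", sorted.Select(h => h.Key)));
    }
}
```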

github-actions[bot] commented 5 hours ago

Hi there and welcome to this repository!

A maintainer will be with you shortly, but first and foremost I would like to thank you for taking the time to report this issue. Quality is of the highest priority for us, and we would never release anything with known defects. We aim to do our best but unfortunately you are here because you encountered something we didn't expect. Let's see if we can figure out what went wrong and provide a remedy for it.