arnemolland / sigv4

Dart library for signing AWS requests with Signature Version 4
MIT License

content-length and x-amz-content-sha256 missing #5

Closed flowcharterappowner closed 4 years ago

flowcharterappowner commented 4 years ago

I have set up postman to exercise the dynamodb REST API. Works Great.

From dart, using your library, the generated signature gets rejected. It doesn't generate the content length header, but perhaps more significantly, postman generates the x-amz-content-sha256 header.

Am I missing something ?

arnemolland commented 4 years ago

Hi @flowcharterappowner 👋

Are you doing signed requests to an S3 bucket? This is not something I've added support for so far, but I'm on it.

flowcharterappowner commented 4 years ago

Hi arne,

Actually, I'm trying to do CRUD to the dynamodb service. The amazon docs confuse. They talk about some headers needing to be signed, and others not, and a lot of it refers to simpledb, which isn't even a thing anymore. I download their java sdk for low-level dynamo db access. I'm trying to reverse engineer how it packages and signs a request. Not easy. I think the easiest solution would be for you to try your library with dynamodb, and confirm it's just me doing something stupid. Fingers crossed. Thanks for the response,

Ian

On Wed, Jan 8, 2020 at 8:25 PM Arne Molland notifications@github.com wrote:

Hi @flowcharterappowner https://github.com/flowcharterappowner 👋

Are you doing signed requests to an S3 bucket? This is not something I've added support for so far, but I'm on it.


flowcharterappowner commented 4 years ago

I think the issue is that the header x-amz-content-sha256 is not included in the generated request headers.

flowcharterappowner commented 4 years ago

Also, I notice postman does not add the Accept header in the Authorisation object.

flowcharterappowner commented 4 years ago

I managed to verify that your code does create the correct signing keys, as shown on this page:

https://docs.amazonaws.cn/en_us/general/latest/gr/signature-v4-examples.html

It shows example parameters, and the expected values.

But when I compare my signature with the one that is generated by postman, it differs, and is rejected. AWS is happy with the postman signature.

flowcharterappowner commented 4 years ago

So, perhaps the string to sign is slightly different to the one postman uses ? Unfortunately, postman shows the generated auth header, but not the inputs to its signing function.

arnemolland commented 4 years ago

I’ve made a patch that should fix this issue (#6)

arnemolland commented 4 years ago

I’m pushing to pub as soon as I’m getting hold of my PC👌

flowcharterappowner commented 4 years ago

Wow, exciting news. In the end I came to the conclusion that the issue is with the 'string to sign' - the postman app must know how to format it, and the AWS docs are missing something. Anyway, looking fwd to trying your fix...

flowcharterappowner commented 4 years ago

My flutter is up to date.

Because every version of flutter_test from sdk depends on crypto 2.1.3 and sigv4 >=3.1.1 depends on crypto ^2.1.4, flutter_test from sdk is incompatible with sigv4 >=3.1.1.

flowcharterappowner commented 4 years ago

BTW- currently on the beta channel. I'll try switching to stable.

flowcharterappowner commented 4 years ago

Moved my code out of test and removed flutter_test from yaml to remove the above error. Did you test your code with a non-null body ? I think it doesn't work.

flowcharterappowner commented 4 years ago

A final comment on this issue... I believe your signing code works fine. So far, though, AWS always tells me that my signature does not match. This means the 'string to sign' must be mis-formatted in some way, but because you cannot unhash the signature it is impossible to see why.

Conclusion: After a week of banging my head against the wall, I will try using their API Gateway instead.

If you manage to get a POST example working with dynamodb, I'll be very happy to hear about it.

Many thanks.
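The intermediate values discussed in the comment above, as an added example that is not part of the thread or of the sigv4 library: a Python sketch that returns the canonical request, string to sign and signature for a DynamoDB-style POST, so each can be diffed against another signer's inputs. The secret, timestamp and body are constructed sample values, and `sigv4_debug` and `example` are hypothetical names.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_debug(method, path, query, headers, body, secret, region, service, amz_date):
    """Return every SigV4 intermediate so a mismatch can be located by diffing.
    Assumes path and query are already in canonical (URI-encoded, sorted) form."""
    payload_hash = hashlib.sha256(body).hexdigest()
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    # The header block keeps its trailing newline, which leaves one blank
    # line before the signed-headers line.
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service, terminator.
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    signature = hmac_sha256(key, string_to_sign).hex()
    return {"payload_hash": payload_hash, "signed_headers": signed_headers,
            "canonical_request": canonical_request,
            "string_to_sign": string_to_sign, "signature": signature}

def example(body=b'{"Limit": 5}'):
    amz_date = "20200108T202500Z"  # constructed timestamp
    headers = {
        "Host": "dynamodb.us-east-1.amazonaws.com",
        "Content-Type": "application/x-amz-json-1.0",
        "X-Amz-Date": amz_date,
        "X-Amz-Target": "DynamoDB_20120810.ListTables",
        # Signed here because it is sent, as in the Postman request described.
        "X-Amz-Content-Sha256": hashlib.sha256(body).hexdigest(),
    }
    return sigv4_debug("POST", "/", "", headers, body,
                       "EXAMPLE-SECRET-NOT-REAL",  # constructed, not a real key
                       "us-east-1", "dynamodb", amz_date)

if __name__ == "__main__":
    for name, value in example().items():
        print(f"--- {name} ---\n{value}\n")
```

Printing the same fields from the failing client and comparing them line by line shows which input differs: a header that was sent but not signed, a changed body, or a different scope.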

arnemolland commented 4 years ago

Sorry I’ve been busy as of late. I’m adding some integration tests and will look further into the issue.