Open bestickley opened 2 weeks ago
Another point: CloudFront Lambda Function URL OAC will sign requests for us, but they explicitly don't support signing POST/PUT requests with bodies. So we could have Lambda@Edge conditionally sign the body but we still pay the latency cost.
Lambda@Edge is currently used to sign CloudFront requests before they reach Lambda Function URL which has IAM_AUTH enabled which requires the signing. I'd like to move from Lambda@Edge to CloudFront Functions.
Why? Because Lambda@Edge has higher latency than CloudFront Functions (138ms vs 455ms p99, see here) and Lambda@Edge is annoying to use with `cdk destroy` because it takes a long time to delete so stack deletion fails.
Issue: in order to sign POST requests, you must include the request body in the signature, but CloudFront functions don't allow you to access the body :( . To get around this, we could ask users to patch `fetch` in the browser to always include a `x-amz-content-sha256` hash which is trivial. This library could even provide the patch function although it's trivial to implement.
Is asking users to patch `fetch` in their Next.js apps a big deal?