search

mhart / aws4

Signs and prepares Node.js requests using AWS Signature Version 4
MIT License
699 stars 175 forks source link

The request signature we calculated does not match the signature you provided #144

Open ekkis opened 2 years ago

ekkis commented 2 years ago

using v1.11.0 I hand the following to the .sign() method (partnerId and Credential modified to hide actual value):

signedRequest: {
    region: 'us-east-1',
    host: 'agcod-v2-gamma.amazon.com',
    path: '/CreateGiftCard',
    body: '{"creationRequestId":"Cif1221xjchec2ac","partnerId":"Cuf12","value":{"amount":120,"currencyCode":"USD"}}',
    service: 'AGCODService',
    headers: {
      accept: 'application/json',
      'content-type': 'application/json',
      'x-amz-target': 'com.amazonaws.agcod.AGCODService.CreateGiftCard',
      Host: 'agcod-v2-gamma.amazon.com',
      'Content-Length': 104,
      'X-Amz-Date': '20220502T205849Z',
      Authorization: 'AWS4-HMAC-SHA256 Credential=AKILWWFU6UKLBAEECQ7I/20220502/us-east-1/AGCODService/aws4_request, SignedHeaders=accept;content-length;content-type;host;x-amz-date;x-amz-target, Signature=4d9cc7a9ceb696648585b47e7e56d075e3a04becdca74bf3c9212c2eae0a8f4b'
    },
    method: 'POST',
    securityOptions: 'SSL_OP_NO_SSLv3'
  }

and when I call the servers get the following error:

{ message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.' }

could anyone elucidate for me what is wrong?

Appendix I

incidentally, using node-fetch to submit the request, like so:

    var url = `https://${signedRequest.host}${signedRequest.path}`
    return fetch(url, {
      method: 'POST',
      headers: signedRequest.headers,
      body: JSON.stringify(signedRequest.body)
    })
      .then(res => res.json())

and yes, I've verified that the credentials are correct. the same signedRequest object works fine when submitted to the server via the NPM request package, which I'm trying to replace with node-fetch as the former is deprecated

Appendix II

furthermore, if I curl with all the data displayed above, I get a success:

{"cardInfo":{"cardNumber":null,"cardStatus":"Fulfilled","expirationDate":null,"value":{"amount":120.0,"currencyCode":"USD"}},"creationRequestId":"Cif1321ydvevfgmg","gcClaimCode":"AJV7-WRRV8D-89AR","gcExpirationDate":null,"gcId":"1533548517471554","status":"SUCCESS"}

Appendix III

incidentally, I did find this: https://gist.github.com/i-like-robots/8913dad2204f95f0d4044b338092a584 which seems to suggest that a) the connection should implement keepAlive, and 2) there's some issue where CNAMEs need to be resolved. with reference to the latter, I've verified that the hostname being provided (agcod-v2-gamma.amazon.com) isn't a CNAME

I frankly don't know what the issue could be but if the guy who posted those gists wrote them, there must be a reason.

also incidentally, I'm trying to upgrade https://www.npmjs.com/package/agcod because Amazon doesn't offer an official NodeJs library to deal with this (sad). if anyone can recommend a better alternative I'm all ears

bcesur commented 2 years ago

Hey @ekkis, I also had a similar issue. I fixed the issue by giving host, path to the requestOptions of the sign function.

const signedHeaders = sign(
                {
                    method: 'GET',
                    service: 'service',
                    region: 'eu-central-1',
                    host: 'https://zzzzzzzzzz.service.eu-central-1.amazonaws.com',
                    path: '/dev/v1/test?' + searchParams,
                },
                {
                    secretAccessKey: 'secretAccessKey',
                    accessKeyId: 'accessKeyId',
                    sessionToken: 'sessionToken',
                },
            ).headers

Hope this helps ✌️