search

minio / minio-js

MinIO Client SDK for Javascript
https://docs.min.io/docs/javascript-client-quickstart-guide.html
Apache License 2.0
955 stars 277 forks source link

SignatureDoesNotMatch error when using slash before bucket name #1344

Closed roxlu closed 1 month ago

roxlu commented 1 month ago

I'm trying to understand why I'm getting a signature error with the use of fPutObject(). I've got a local API server which runs on e.g. localhost and some arbitrary port and makes this call on a Minio.Client instance. The local API is made available via a NGINX proxy which is used to add TLS for public connections.

I've enabled verbose logging in NGINX to get a bit more detail and trying to understand why the signature is incorrect. When I call minio_client.fPutObject() with an object name that starts with a / I get the following error as shown below. This error was triggered via a call like: 

minio_client.fPutObject(
  "roxlu.data", 
  "/media/0ecb1a4f-66d4-422f-8395-233485505f8e",
  meta
)

Which gives: 

> S3Error: The request signature we calculated does not match the signature you provided. Check your key and signing method.
    at parseError ()
    at Module.parseResponseError ()
    at process.processTicksAndRejections ()
    at async Client.makeRequestStreamAsync ()

  code: 'SignatureDoesNotMatch',
  key: 'media/0ecb1a4f-66d4-422f-8395-233485505f8e',
  bucketname: 'roxlu.data',
  resource: '/roxlu.data/media/0ecb1a4f-66d4-422f-8395-233485505f8e',
  requestid: '17F2B5E1F1AF97F5',
  hostid: '03376ec60126b850a3bd0bf09a44f053eb053a55a775150f2cc23437b2e5db4b',
  amzRequestid: '17F2B5E1F1AF97F5',
  amzId2: '03376ec60126b850a3bd0bf09a44f053eb053a55a775150f2cc23437b2e5db4b',
  amzBucketRegion: undefined
}

The cleaned up NGINX log shows this, note the double slash before //media:

   PUT /roxlu.data//media/0ecb1a4f-66d4-422f-8395-233485505f8e HTTP/1.1"
   upstream_host=localhost:8111
   upstream_addr=127.0.0.1:8111
   upstream_status=403
   host="storage.example.com"
   request_host="storage.example.com
   "403"
   "507" "-" "MinIO (linux; x64) minio-js/7.1.3""

Now, when I remove the / it works, so the working call looks like:

minio_client.fPutObject(
  "roxlu.data", 
  "media/a42673f3-265e-4495-82a6-29e32348f596",
  meta
)

Which results in a NGINX log like, note the single slash with /media/:


   PUT /roxlu.data/media/a42673f3-265e-4495-82a6-29e32348f596 HTTP/1.1
   upstream_host=localhost:8111
   upstream_addr=127.0.0.1:8111
   upstream_status=200
   host="storage.example.com"
   request_host="storage.example.com" "200" "0" "-" "MinIO (linux; x64) minio-js/7.1.3"
   "200" "0" "-" "MinIO (linux; x64) minio-js/7.1.3"

What might cause the invalid signature? I assume the error is triggered because some signed data is sent when making the request and I suspect that the data that is used to sign the request is different from the data that is used to verify it. This could be due to NGINX however the host names are identical as you can see from the logs above.

harshavardhana commented 1 month ago

don't add / before bucket name, why is that a necessity?

prakashsvmx commented 1 month ago

Closing due to no activity