Incorrect AWS signature for multipart/form-data

postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.

https://www.postman.com

5.78k stars 837 forks source link

Incorrect AWS signature for multipart/form-data #8180

Open lephuongbg opened 4 years ago

lephuongbg commented 4 years ago

Describe the bug Currently uploading file with content-type: multipart/form-data to an endpoint using AWS signature v4 doesn't work due to wrong signature being calculated.

To Reproduce Steps to reproduce the behavior:

Create a request with AWS signature v4 auth
Set body to "form-data"
Add any file to the body
Click "Send"

Expected behavior The request should succeed.

Current behavior Request was rejected with "The request signature we calculated does not match the signature you provided."

App information (please complete the following information):

App Type: Native App
Postman Version: 7.20.0
OS: Ubuntu

mansidoshi commented 4 years ago

I too am facing the same issue. Any leads would be appreciated. Thanks

bruno-xo7 commented 3 years ago

Same in 7.31.1.

I created a client of my own to be able to work. So I had to use the AWS signature calculation and use a crypto library, CryptoJS. I encountered the following problem which could be the same as Postman's one. The CryptoJS library only takes a string as input and not a Buffer, so an implicit .toString() is made to utf8 which makes the signature invalid.

Envek commented 3 years ago

Same here. Can't POST multipart/form-data to Lambda function behind API Gateway.

It looks like that currently authorization of form data requests left unimplemented in the assumption that it is only used to do uploads directly to S3. See the relevant comment in the source code here: https://github.com/postmanlabs/postman-runtime/blob/451e9aa3ce563b6ae9529633151d4f934cdba9e0/lib/authorizer/aws4.js#L74-L76

But in my case, I want to post form data to API gateway, which is configured to bypass such payload to my Lambda function as is (with multipart/form-data specified as a binary media type).

Maybe it is better to implement signature in the same way as for raw body type to cover at least this use case for the time being?

BwL1289 commented 3 years ago

commenting to track this

ankit-zibo commented 3 years ago

Following

ankit-zibo commented 3 years ago

I am also facing the same issue while calling an API with aws_auth using postman latest Version 8.6.1 (8.6.1). Trying to upload multiple files but getting this invalid signature error.

Envek commented 3 years ago

I was able to set up HTTPie console utility for multipart request signing and switched to it for the time being:

# Install HTTPie with required plugins for AWS request signing
pip install git+https://github.com/Envek/aws-requests-auth@fix/multipart-requests
pip install httpie httpie-aws-authv4

# Make multipart requests like this:
http --auth-type aws4 --auth REDACTED.execute-api.us-west-2.amazonaws.com \
     --multipart POST http://example.com/test field=value

See https://github.com/aidan-/httpie-aws-authv4/issues/10 for details.

bfoura commented 2 years ago

We are also facing this issue with Postman. Any plan to solve this issue ?

kim-mysa commented 1 year ago

Following

joseph-max-coalfire commented 1 year ago

Any updates on this? This has been open for ~~two~~ nearly three years, and has been a longstanding issue even before then

sagar-punchh commented 1 year ago

It took me so much time to figure out that the issue is with postman. I was continuously debugging my API setup as the request was giving signature mismatch error.

Any plan to solve this?

lucasboleite commented 3 weeks ago

Same error here

bitsofinfo commented 2 weeks ago

OMG.... i just ran into this. unbelievable this is still not fixed