sjelfull / craft3-imgix

Use Imgix with Craft
https://superbig.co
MIT License

Issue with signed URLs #12

Closed bernsno closed 4 years ago

bernsno commented 5 years ago

Hi,

We're having an issue generating signed URLs. The key that the plugin is generating does not match what we'd expect based on Imgix's hashing algorithm.

For example this is the URL produced by the plugin:

https://[client-name].imgix.net/images/Product-Shots/solutions-feature-placeholder-image-07.jpg?fp-x=0.5&fp-y=0.5&ixlib=php-2.1.1&w=500&s=3b20482f6f65f4be0c7aa37610afa44d

This URL was produced using a very simple example tag for the purposes of submitting this issue:

<img src="{{ craft.imgix.transformImage(craft.assets().kind('image').one(), { width: 500 }).getUrl() }}" alt="">

If you generate a signed URL through the Imgix web-based signing tool (https://dashboard.imgix.com/tools) using the following URL (same as above without secure token)…

https://[client-name].imgix.net/images/Product-Shots/solutions-feature-placeholder-image-07.jpg?fp-x=0.5&fp-y=0.5&ixlib=php-2.1.1&w=500

…it produces the following, working Image URL:

https://[client-name].imgix.net/images/Product-Shots/solutions-feature-placeholder-image-07.jpg?fp-x=0.5&fp-y=0.5&ixlib=php-2.1.1&w=500&s=d26f764718c521580e751eb325b5c9be

Which is identical to the URL generated by the Imgix plugin but with a different s= query param.

Imgix signed URLs are based on hashing the entire image URL together with a secure token, so there are only 3 ways these two URLs could be different:

  1. A different hashing method is being used.

  2. A different secure token is being used in the hashing.

  3. A different base URL is being used in the hashing.

  4. If the Imgix plugin is using Imgix’s own PHP library, 1 should not be true.

  5. We’ve done everything possible to validate that the correct secure token is being used by the Imgix plugin, including dumping the value out from within the plugin code immediately before it is used in the hash.

  6. FWIW if we turn off Secure URLs we do not have this issue.

Is this a known issue and we are configuring something incorrectly? Thanks for your help, please let us know what other info we can provide.

nettum commented 4 years ago

So, I did some debugging and figured this out. Seems to be a problem if you use a path prefix for your imgix source.

Here are my settings:

imgix: image

plugin: image

The Imgix\UrlBuilder constructor expects only the domain as a parameter, and the createURL function will need the /images/ part before the filename to generate the correct hash.

Guess this could be solved by changing the config for imgix to something like:

image and adjust the code to reflect this change. But that will be a breaking change...

I fixed it temporarily using the following code inside ImgixModel.php: image

This made it generate the correct hash and the images are loading correctly.

@sjelfull what do you think is a good solution to solve this?

As far as I can see you can set a path prefix for Amazon S3 (which is what I'm currently using), Google Cloud Storage and Microsoft Azure when setting up a new imgix source.

I can submit a PR if you want.
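An added sketch, not part of the thread or the plugin's code, of the path-prefix mismatch described in the comment above: two URLs that look identical but carry different `s=` values. It assumes imgix's publicly documented signing scheme (MD5 hex of secure token + URL path + query string); the token, domain and file name are constructed.

```python
import hashlib
import hmac
from urllib.parse import quote, urlencode, urlsplit

def sign_path(token, path, params):
    """s= value: MD5 hex of token + path + '?' + query (assumed imgix scheme)."""
    query = urlencode(params, quote_via=quote)
    signed = token + path + ("?" + query if query else "")
    return hashlib.md5(signed.encode("utf-8")).hexdigest()

def build_url(domain, token, path, params):
    """Build a signed URL; `path` is the only part of the location that is hashed."""
    query = urlencode(params, quote_via=quote)
    sig = sign_path(token, path, params)
    return f"https://{domain}{path}?{query}{'&' if query else ''}s={sig}"

def verify(token, url):
    """Recompute the signature over the path and query actually requested."""
    parts = urlsplit(url)
    if parts.query.startswith("s="):
        query, sig = "", parts.query[2:]
    else:
        query, _, sig = parts.query.rpartition("&s=")
    signed = token + parts.path + ("?" + query if query else "")
    expected = hashlib.md5(signed.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, sig)

# Constructed sample values, not taken from the issue.
TOKEN = "constructed-secure-token"
PARAMS = {"fp-x": "0.5", "fp-y": "0.5", "ixlib": "php-2.1.1", "w": "500"}
FILE = "/Product-Shots/photo.jpg"

# Prefix folded into the "domain": only FILE is hashed, yet the URL looks right.
buggy = build_url("example.imgix.net/images", TOKEN, FILE, PARAMS)
# Prefix kept in the signed path: the hash covers the path that is requested.
fixed = build_url("example.imgix.net", TOKEN, "/images" + FILE, PARAMS)

if __name__ == "__main__":
    print(buggy, verify(TOKEN, buggy))
    print(fixed, verify(TOKEN, fixed))
```
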

sjelfull commented 4 years ago

@nettum Thanks for the PR, will tag a release now.