InvalidSignatureException while using aws-sdk-js with CognitoSync service
I am using the latest version of aws-sdk-js (v2.471.0) in my web application.
The user is successfully authenticated via Cognito Identity and is given a valid session. My issue is that all CognitoSync calls fail with the same error message:
InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
at Object.extractError (http://localhost:4400/scripts/libs/aws-sdk.js:166311:27)
at Request.extractError (http://localhost:4400/scripts/libs/aws-sdk.js:166652:8)
at Request.callListeners (http://localhost:4400/scripts/libs/aws-sdk.js:169314:20)
at Request.emit (http://localhost:4400/scripts/libs/aws-sdk.js:169286:10)
at Request.emit (http://localhost:4400/scripts/libs/aws-sdk.js:167947:14)
at Request.transition (http://localhost:4400/scripts/libs/aws-sdk.js:167286:10)
at AcceptorStateMachine.runTo (http://localhost:4400/scripts/libs/aws-sdk.js:172800:12)
at http://localhost:4400/scripts/libs/aws-sdk.js:172812:10
at Request.<anonymous> (http://localhost:4400/scripts/libs/aws-sdk.js:167302:9)
at Request.<anonymous> (http://localhost:4400/scripts/libs/aws-sdk.js:167949:12)
What makes it worse is that other AWS service calls, for instance to DynamoDB, work with no issues with the same credentials!
Both services use the exact same credentials to make their calls.
The Cognito user role is given access to all CognitoSync actions and resources.
I have tried all the solutions on Amazon and GitHub threads that were even remotely related to my issue here, with no luck, as most of them are developer tools and use hard-coded and manually generated access keys for authentication, whereas I am authenticating users with their Cognito Identity credentials.
Here's the failing CognitoSync.listDatasets request:
Request URL: http://localhost:4400/xhr_proxy?rurl=https%3A//cognito-sync.us-east-1.amazonaws.com/identitypools/us-east-1%253A2bc13d33-35df-4da6-9c18-0e75a887eb38/identities/us-east-1%253A092beff5-9f9d-484f-a757-fc73531b0d2d/datasets
Request Method: GET
Status Code: 403 Forbidden
Remote Address: [::1]:4400
Referrer Policy: no-referrer-when-downgrade
GET /xhr_proxy?rurl=https%3A//cognito-sync.us-east-1.amazonaws.com/identitypools/us-east-1%253A2bc13d33-35df-4da6-9c18-0e75a887eb38/identities/us-east-1%253A992beff5-9f9d-484f-a757-fc73531b0d2d/datasets HTTP/1.1
Host: localhost:4400
Connection: keep-alive
Authorization: AWS4-HMAC-SHA256 Credential=GSIAZFP73J6WBXVLXVGG/20190609/us-east-1/cognito-sync/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-user-agent, Signature=5dfc5e765a9bebc22f31ba76005b177e4283aa22f51194142f6c7b12c7f911e8
Content-Type: application/json
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
x-amz-security-token: AgoGb3JpZ2luEJv...+zy5wU=
X-Amz-Date: 20190609T073401Z
X-Amz-User-Agent: aws-sdk-js/2.471.0 callback
Accept: */*
Referer: http://localhost:4400/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
And here's the successful DynamoDB.listTables request:
Request URL: http://localhost:4400/xhr_proxy?rurl=https%3A//dynamodb.us-east-1.amazonaws.com/
Request Method: POST
Status Code: 200 OK
Remote Address: [::1]:4400
Referrer Policy: no-referrer-when-downgrade
POST /xhr_proxy?rurl=https%3A//dynamodb.us-east-1.amazonaws.com/ HTTP/1.1
Host: localhost:4400
Connection: keep-alive
Content-Length: 2
Origin: http://localhost:4400
Authorization: AWS4-HMAC-SHA256 Credential=GSIAZFP73J6WBXVLXVGG/20190609/us-east-1/dynamodb/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target;x-amz-user-agent, Signature=9ffb9c0c1d32fe18461c6398102c903d3b174f1175a7e628c2f4ca6e6a5ddf24
Content-Type: application/x-amz-json-1.0
X-Amz-Content-Sha256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
x-amz-security-token: AgoGb3JpZ2luEJv...+zy5wU=
X-Amz-Target: DynamoDB_20120810.ListTables
X-Amz-Date: 20190609T073401Z
X-Amz-User-Agent: aws-sdk-js/2.471.0 callback
Accept: */*
Referer: http://localhost:4400/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
And here's a snippet of the relevant parts of my code:
    let credentials: AWS.CognitoIdentityCredentials = new window.aws.CognitoIdentityCredentials({
        IdentityPoolId: Config.awsIdentityPoolId,
        Logins: logins,
    });
    // Wait for the Cognito Identity credentials to be fetched before calling any service
    await new Promise<void>((resolve, reject) => {
        credentials.refresh((err) => {
            if (err) { reject(err); }
            else { resolve(); }
        });
    });
    // Both service clients below pick up these credentials from the global config
    window.aws.config.credentials = credentials;
    let params = {
        IdentityId: credentials.identityId,
        IdentityPoolId: Config.awsIdentityPoolId
    };
    this.dynamoDB = new window.aws.DynamoDB();
    this.dynamoDB.listTables({}, (err, data) => {
        if (err) { console.log(err); }
        else { console.log(data); }
    });
    this.cognitoSync = new window.aws.CognitoSync();
    this.cognitoSync.listDatasets(params, (err, data) => {
        if (err) { console.log(err); }
        else { console.log(data); }
    });
I ended up asking my question on the library's GitHub page since I got no answers here. I didn't get an answer there either, so I tried to track down the issue in the source code of the lib.
Turns out that it is a library bug: double escaping the URL while generating the signature. Here's a link to my solution: https://github.com/aws/aws-sdk-js/issues/2706#issuecomment-501125092
I'll paste the solution here as well in case someone needs a hotfix now.
I solved the issue by changing the following in v4.js (or aws-sdk.js if you're using the distribution)
    canonicalString: function canonicalString() {
        var parts = [], pathname = this.request.pathname();
        if (this.serviceName !== 's3' && this.signatureVersion !== 's3v4') pathname = AWS.util.uriEscapePath(pathname);
        parts.push(this.request.method);
        parts.push(pathname);
        parts.push(this.request.search());
        parts.push(this.canonicalHeaders() + '\n');
        parts.push(this.signedHeaders());
        parts.push(this.hexEncodedBodyHash());
        return parts.join('\n');
    }
to
    canonicalString: function canonicalString() {
        var parts = [], pathname = this.request.pathname();
        if (this.serviceName !== 'cognito-sync' && this.serviceName !== 's3' && this.signatureVersion !== 's3v4') pathname = AWS.util.uriEscapePath(pathname);
        parts.push(this.request.method);
        parts.push(pathname);
        parts.push(this.request.search());
        parts.push(this.canonicalHeaders() + '\n');
        parts.push(this.signedHeaders());
        parts.push(this.hexEncodedBodyHash());
        return parts.join('\n');
    }