在大部分代码中,我遵循with this python example provided by AWS,对js/node进行了必要的更改.

import axios from 'axios'
import {createHash, createHmac} from 'crypto'
import moment from 'moment'    
    
async function send() {
    
    const method = 'POST';
    const service = 'execute-api';
    const host = 'fjakldfda.execute-api.us-east-2.amazonaws.com';
    const region = 'us-east-2';

    const base = "https://"

    // POST requests use a content type header. For DynamoDB,
    // the content is JSON.
    const content_type = 'application/json';

    // DynamoDB requires an x-amz-target header that has this format:
    //     DynamoDB_<API version>.<operationName>
    //##...but I don't! Blank this out. 
    const amz_target = '';

    // Request parameters for CreateTable--passed in a JSON block.
    var request_parameters = `{"date":"today","content":"hello"}`

    // Key derivation functions. See:
    // http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html//signature-v4-examples-python
    function sign(key, msg) {
        return createHmac('sha256', key).update(msg).digest('utf-8')
    }

    function getSignatureKey(key, date_stamp, regionName, serviceName) {
        var kDate = sign(('AWS4' + key), date_stamp)
        var kRegion = sign(kDate, regionName)
        var kService = sign(kRegion, serviceName)
        var kSigning = sign(kService, 'aws4_request')
        return kSigning
    }

    // Read AWS access key from env. variables or configuration file. Best practice is NOT
    // to embed credentials in code.
    const access_key = "<CRED>"
    const secret_key = "<CRED>"

    // Create a date for headers and the credential string
    const amz_date = moment().utc().format("yyyyMMDDThhmmss") + "Z"
    const date_stamp =  moment().utc().format("yyyyMMDD")

    // ************* TASK 1: CREATE A CANONICAL REQUEST *************
    // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

    // Step 1 is to define the verb (GET, POST, etc.)--already done.

    // Step 2: Create canonical URI--the part of the URI from domain to query 
    // string (use '/' if no path)
    const canonical_uri = '/prod/events/add-event'

    //// Step 3: Create the canonical query string. In this example, request
    // parameters are passed in the body of the request and the query string
    // is blank.
    const canonical_querystring = ''
    
    //## I am doing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
    // Step 6: Create payload hash. In this example, the payload (body of
    // the request) contains the request parameters.
    const payload_hash = createHash('sha256').update(request_parameters).digest('hex');

    // Step 4: Create the canonical headers. Header names must be trimmed
    // and lowercase, and sorted in code point order from low to high.
    // Note that there is a trailing \n.
    const canonical_headers = 'host:' + host + '\n' + 'x-amz-content-sha256:' + payload_hash + '\n' + 'x-amz-date:' + amz_date + '\n'
    
    // Step 5: Create the list of signed headers. This lists the headers
    // in the canonical_headers list, delimited with ";" and in alpha order.
    // Note: The request can include any headers; canonical_headers and
    // signed_headers include those that you want to be included in the
    // hash of the request. "Host" and "x-amz-date" are always required.
    const signed_headers = 'host;x-amz-content-sha256;x-amz-date'

    // Step 7: Combine elements to create canonical request
    const canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash

    // ************* TASK 2: CREATE THE STRING TO SIGN*************
    // Match the algorithm to the hashing algorithm you use, either SHA-1 or
    // SHA-256 (recommended)
    const algorithm = 'AWS4-HMAC-SHA256'
    const credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
    const string_to_sign = algorithm + '\n' +  amz_date + '\n' +  credential_scope + '\n' +  createHash('sha256').update(canonical_request).digest("utf-8")

    // ************* TASK 3: CALCULATE THE SIGNATURE *************
    // Create the signing key using the function defined above.
    const signing_key = getSignatureKey(secret_key, date_stamp, region, service)

    // Sign the string_to_sign using the signing_key
    const signature = "" + createHmac('sha256', signing_key).update(string_to_sign).digest('hex');

    // ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
    // Put the signature information in a header named Authorization.
    const authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature

    // For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
    // "x-amz-target", "content-type", and "Authorization". Except for the authorization
    // header, the headers must be included in the canonical_headers and signed_headers values, as
    // noted earlier. Order here is not significant.
    const headers = {
        'X-Amz-Content-Sha256':payload_hash, 
        'X-Amz-Date':amz_date,
        'Authorization':authorization_header,
        'Content-Type':content_type
    }

    // ************* SEND THE REQUEST *************
    var response = await axios({
        method: method,
        baseURL: base + host, 
        url: canonical_uri,
        data:request_parameters,
        headers: headers,
    });
    console.log(response)
}

但是,在浏览器中,此方法失败,错误为403: MissingAuthenticationToken.以下是请求的外观:

POST https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event

HEADERS:
  Host: fjakldfda.execute-api.us-east-2.amazonaws.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Accept: application/json, text/plain, */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Content-Type: application/json
  X-Amz-Content-Sha256: <HASH>
  X-Amz-Date: 20220805T035948Z
  Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>
  Content-Length: 34
  Origin: http://localhost:3000
  Connection: keep-alive
  Referer: http://localhost:3000/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
DATA:
  {
      "date":"today",
      "content":"hello"
  }'

然而,我可以得到在postman 工作的请求.卷发是这样的:

curl --location --request POST 'https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event' \
--header 'X-Amz-Content-Sha256: <HASH>' \
--header 'X-Amz-Date: 20220805T035948Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "date":"today",
    "content":"hello"
}'

除了散列之外,所有的标头都匹配,所以我不得不假设我对签名的标头进行散列/编码的方式存在错误.

TL;DR How do you correctly hash/sign a post request with AWS4?

推荐答案

终于拿到手了.我转而使用crypto-js,它起作用了.

import moment from 'moment'
import crypto from 'crypto-js'
import axios, { CancelToken } from "axios"   
    
async function send() {         
    const access_key = "XXXX"
    const secret_key = "XXXX"
    const method = 'POST';
    const service = 'execute-api';
    const host = 'dfadfadfdafda.execute-api.us-east-2.amazonaws.com';
    const region = 'us-east-2';
    const base = "https://"
    const content_type = 'application/json';

    // DynamoDB requires an x-amz-target header that has this format:
    //     DynamoDB_<API version>.<operationName>
    const amz_target = '';

    function getSignatureKey(key, dateStamp, regionName, serviceName) {
        var kDate = crypto.HmacSHA256(dateStamp, "AWS4" + key);
        var kRegion = crypto.HmacSHA256(regionName, kDate);
        var kService = crypto.HmacSHA256(serviceName, kRegion);
        var kSigning = crypto.HmacSHA256("aws4_request", kService);
        return kSigning;
    }

    // ************* TASK 1: CREATE A CANONICAL REQUEST *************
    // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

    // Step 1 is to define the verb (GET, POST, etc.)--already done.

    // Step 2: Create canonical URI--the part of the URI from domain to query 
    // string (use '/' if no path)
    // Create a date for headers and the credential string
    const amz_date = moment().utc().format("yyyyMMDDThhmmss") + "Z"
    const date_stamp =  moment().utc().format("yyyyMMDD")

    //// Step 3: Create the canonical query string. In this example, request
    // parameters are passed in the body of the request and the query string
    // is blank.
    const canonical_querystring = ''

    //## DOing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
    // Step 6: Create payload hash. In this example, the payload (body of
    // the request) contains the request parameters.
    //const payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest()
    const payload_hash = crypto.SHA256(request_parameters);

    // Step 4: Create the canonical headers. Header names must be trimmed
    // and lowercase, and sorted in code point order from low to high.
    // Note that there is a trailing \n.
    const canonical_headers = 'host:' + host + '\n' + 'x-amz-content-sha256:' + payload_hash + '\n' + 'x-amz-date:' + amz_date + '\n'
    
    // Step 5: Create the list of signed headers. This lists the headers
    // in the canonical_headers list, delimited with ";" and in alpha order.
    // Note: The request can include any headers; canonical_headers and
    // signed_headers include those that you want to be included in the
    // hash of the request. "Host" and "x-amz-date" are always required.
    const signed_headers = 'host;x-amz-content-sha256;x-amz-date'

    // Step 7: Combine elements to create canonical request
    const canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash

    // ************* TASK 2: CREATE THE STRING TO SIGN*************
    // Match the algorithm to the hashing algorithm you use, either SHA-1 or
    // SHA-256 (recommended)
    const algorithm = 'AWS4-HMAC-SHA256'
    const credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
    const string_to_sign = algorithm + '\n' +  amz_date + '\n' +  credential_scope + '\n' +  crypto.SHA256(canonical_request);

    // ************* TASK 3: CALCULATE THE SIGNATURE *************
    // Create the signing key using the function defined above.
    const signing_key = getSignatureKey(secret_key, date_stamp, region, service)

    // Sign the string_to_sign using the signing_key
    const signature = crypto.HmacSHA256(string_to_sign, signing_key);
    // ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
    // Put the signature information in a header named Authorization.
    const authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature

    // For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
    // "x-amz-target", "content-type", and "Authorization". Except for the authorization
    // header, the headers must be included in the canonical_headers and signed_headers values, as
    // noted earlier. Order here is not significant.
    const headers = {
        'X-Amz-Content-Sha256':payload_hash, 
        'X-Amz-Date':amz_date,
        //'X-Amz-Target':amz_target,
        'Authorization':authorization_header,
        'Content-Type':content_type
    }

    // ************* SEND THE REQUEST *************
    var response = await axios({
        method: method,
        baseURL: base + host, 
        url: canonical_uri,
        data:request_parameters,
        headers: headers,
    });
    console.log(response)
}

Javascript相关问答推荐

如何使onPaste事件与可拖动的HTML元素一起工作?

根据一个条件,如何从处理过的数组中移除一项并将其移动到另一个数组?

如何限制显示在分页中的可见页面的数量

如何在和IF语句中使用||和&;&;?

FileReader()不能处理Firefox和GiB文件

bootstrap S JS赢得了REACT中的函数/加载

我在哪里添加过滤器值到这个函数?

从异步操作返回对象

Django模板中未加载JavaScript函数

如何在Highlihte.js代码区旁边添加行号?

KeyboardEvent:检测到键具有打印的表示形式

使用JavaScript或PHP从div ID值创建锚标记和链接

响应,Use Callback更新状态变量,该变量也存在于其依赖数组中,它如何防止无限重新呈现?

Oracle APEX-如何调用Java脚本函数

Qualtrics联合实验脚本随机化条件

JSdiscord机器人为什么不工作前缀?如何决定与discord机器人的问题?

如何循环通过一个参数的键,该参数可以是TypeScrip中三个不同接口之一?

在继续循环之前,请等待带有异步调用的函数完成

使用Video.play()时,视频显示白屏

通过webContent发送数据时的空对象.发送