
Invalid security hash issue

Open luminous8 opened this issue 5 years ago • 6 comments

Describe the bug
Thanks a lot for this great solution, that's exactly what I was looking for (and it's pretty easy to set up). But I'm struggling with the security hash: it doesn't work with all the params (I get the 403 error, Invalid security hash).

For example, my code works with these params: '?h=400&w=700' and the security hash, but not with these ones: '?w=400&h=700'. Doesn't really make sense, right?

To Reproduce
Here's what my code looks like:

const md5 = require('md5');
const secret = 'mysecret';
const params = '?format&fit=crop&h=400&w=700&q=100&fm=webp&crop=entropy&auto=format';
const query = `screens/${id}/$(unknown)${params}`;
const encryptedString = md5(`${secret}/${query}`);
const base = 'https://_________.execute-api.eu-west-1.amazonaws.com/dev';
const url = `${base}/${query}&s=${encryptedString}`;

Versions
Operating System: macOS
Serverless Sharp: Latest (I installed it last night)

Thanks!

luminous8 avatar Sep 16 '20 19:09 luminous8

@luminous8 Are you regenerating the security hash for the switched parameter order? Unfortunately, order does matter - so if you change it, the hash will need to be regenerated.

Ideally, the hash wouldn't be dependent on this; however, we're following the Imgix API in order to provide cross-compatibility: https://github.com/imgix/imgix-core-js/blob/main/src/imgix-core-js.js#L109-L144

Mosnar avatar Sep 16 '20 23:09 Mosnar

Yes I'm regenerating it! When you say order, you mean having the width after the height and the quality after the width? I didn't find anything regarding this in the docs.

luminous8 avatar Sep 17 '20 06:09 luminous8

I'm still investigating and it's still pretty weird:

This example works:

const test = `https://XXXXX.execute-api.eu-west-1.amazonaws.com/dev/__FOLDER__/__FILENAME__.jpg?q=100&w=700&s=${md5(`${secret}/__FOLDER__/__FILENAME__.jpg.jpg?q=100&w=700`)}`;

But this one doesn't:

const test = `https://XXXXX.execute-api.eu-west-1.amazonaws.com/dev/__FOLDER__/__FILENAME__.jpg?q=100&h=100&w=700&s=${md5(`${secret}/__FOLDER__/__FILENAME__.jpg.jpg?q=100&h=100&w=700`)}`;

My secret key contains some special characters like (+@)./[;]), could it be related to that?

luminous8 avatar Sep 17 '20 09:09 luminous8

Any clue?

Thanks!

luminous8 avatar Sep 21 '20 12:09 luminous8

I haven't had a huge amount of time to dig into this yet, but I wasn't able to reproduce it locally with Serverless Offline. My suspicion is for some reason the query parameter order is getting mangled by API Gateway prior to sending. I'll do a little more experimentation on API Gateway before making changes though.

Mosnar avatar Sep 21 '20 12:09 Mosnar

Thanks! Let me know if I can help. I've tried another deploy with a "simpler" secret key, but without any success.

luminous8 avatar Sep 21 '20 20:09 luminous8