Invalid security hash issue #82

Open
luminous8 opened this issue Sep 16, 2020 · 6 comments
Comments


luminous8 commented Sep 16, 2020

Describe the bug
A clear and concise description of what the bug is.
Thanks a lot for this great solution, that's exactly what I was looking for (and it's pretty easy to set up).
But I'm struggling with the security hash, it doesn't work with all the params (I got the 403 error, Invalid security hash).

For example, my code works with these params:
'?h=400&w=700' and the security hash but not with these ones '?w=400&h=700'. Doesn't really make sense, right?

To Reproduce
Here's what my code looks like:

const md5 = require('md5');
const secret = 'mysecret';
const params = '?format&fit=crop&h=400&w=700&q=100&fm=webp&crop=entropy&auto=format';
const query = `screens/${id}/${filename}${params}`;
const encryptedString = md5(`${secret}/${query}`);
const base = 'https://_________.execute-api.eu-west-1.amazonaws.com/dev';
const url = `${base}/${query}&s=${encryptedString}`;

Versions
Operating System: macOS
Serverless Sharp: Last one (I've installed it last night)

Thanks!

Collaborator

Mosnar commented Sep 16, 2020

@luminous8 Are you regenerating the security hash for the switched parameter order? Unfortunately, order does matter - so if you change it, the hash will need to be regenerated.

Ideally, the hash wouldn't be dependent on this; however, we're following the Imgix API in order to provide cross-compatibility:
https://github.com/imgix/imgix-core-js/blob/main/src/imgix-core-js.js#L109-L144

@luminous8
Author

Yes I'm regenerating it!
When you say order, you mean having the width after the height and the quality after the width?
I didn't find anything regarding this in the docs.

Author

luminous8 commented Sep 17, 2020

I'm still investigating and it's still pretty weird:

This example works
const test = `https://XXXXX.execute-api.eu-west-1.amazonaws.com/dev/__FOLDER__/__FILENAME__.jpg?q=100&w=700&s=${md5(`${secret}/__FOLDER__/__FILENAME__.jpg.jpg?q=100&w=700`)}`;

But this one doesn't
const test = `https://XXXXX.execute-api.eu-west-1.amazonaws.com/dev/__FOLDER__/__FILENAME__.jpg?q=100&h=100&w=700&s=${md5(`${secret}/__FOLDER__/__FILENAME__.jpg.jpg?q=100&h=100&w=700`)}`;

My secret key contains some special characters like (+@)./[;]), could it be related to that?

@luminous8
Author

Any clue?

Thanks!

Collaborator

Mosnar commented Sep 21, 2020

I haven't had a huge amount of time to dig into this yet, but I wasn't able to reproduce it locally with Serverless Offline. My suspicion is for some reason the query parameter order is getting mangled by API Gateway prior to sending. I'll do a little more experimentation on API Gateway before making changes though.
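The order dependence discussed in this thread, as an added example that is not Serverless Sharp's or imgix's own code: the hash covers the query string exactly as written, so a hop that re-serializes the same parameters in a different order (the suspicion above, not a confirmed cause) produces a 403. The sorted variant goes beyond the thread and is not Imgix-compatible; all function names and sample values are hypothetical.

```javascript
// Added example; function names and sample values are constructed for illustration.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Signature shape used in the issue: md5(`${secret}/${path}?${query}`).
// The query is hashed byte-for-byte, so parameter order is part of the input.
function sign(secret, path, query) {
  return md5(`${secret}/${path}${query ? `?${query}` : ''}`);
}

// Compare hashes without leaking the position of the first mismatch.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Separate the s= parameter from the rest, keeping the received order.
function splitSignature(rawQuery) {
  const parts = rawQuery.split('&').filter(Boolean);
  const sig = parts.find((p) => p.startsWith('s='));
  return { sig: sig ? sig.slice(2) : '', rest: parts.filter((p) => !p.startsWith('s=')) };
}

// Order-sensitive check: hash the parameters in the order they arrived.
function verifyOrdered(secret, path, rawQuery) {
  const { sig, rest } = splitSignature(rawQuery);
  return safeEqual(sig, sign(secret, path, rest.join('&')));
}

// Order-independent variant: signer and verifier both sort the pairs first.
function signCanonical(secret, path, query) {
  return sign(secret, path, query.split('&').filter(Boolean).sort().join('&'));
}
function verifyCanonical(secret, path, rawQuery) {
  const { sig, rest } = splitSignature(rawQuery);
  return safeEqual(sig, signCanonical(secret, path, rest.join('&')));
}

// Constructed sample: same pairs, two serializations.
const SECRET = 'example-secret';
const PATH = 'screens/1/photo.jpg';
const sent = 'q=100&h=100&w=700';
const reordered = 'h=100&q=100&w=700'; // e.g. rebuilt from a parsed key/value map

console.log('as sent:  ', verifyOrdered(SECRET, PATH, `${sent}&s=${sign(SECRET, PATH, sent)}`));
console.log('reordered:', verifyOrdered(SECRET, PATH, `${reordered}&s=${sign(SECRET, PATH, sent)}`));
console.log('canonical:', verifyCanonical(SECRET, PATH, `${reordered}&s=${signCanonical(SECRET, PATH, sent)}`));
```

Logging the exact string the verifier hashes next to the one the client signed is the quickest way to see whether the order changed in transit.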

@luminous8
Author

Thanks! Let me know if I can help.
I've tried another deploy with a "simpler" secret key but without any success.
