From 2d9c5a34ada73c97ff00f0dcacc365f892429c96 Mon Sep 17 00:00:00 2001
From: Nathan Childress <87087328+nathanchildressporsche@users.noreply.github.com>
Date: Thu, 16 May 2024 05:19:40 -0500
Subject: [PATCH] re-map authorization header when using secured function urls (#215)
---
 src/lambdas/sign-fn-url.test.ts | 14 +++++++++++++-
 src/lambdas/sign-fn-url.ts | 5 +++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/lambdas/sign-fn-url.test.ts b/src/lambdas/sign-fn-url.test.ts
index 9e91e03d..c575ef88 100644
--- a/src/lambdas/sign-fn-url.test.ts
+++ b/src/lambdas/sign-fn-url.test.ts
@@ -8,7 +8,13 @@ describe('LambdaOriginRequestIamAuth', () => {
 const event = getFakePageRequest();
 const request = event.Records[0].cf.request;
 await signRequest(request);
- const securityHeaders = ['x-amz-date', 'x-amz-security-token', 'x-amz-content-sha256', 'authorization'];
+ const securityHeaders = [
+ 'x-amz-date',
+ 'x-amz-security-token',
+ 'x-amz-content-sha256',
+ 'authorization',
+ 'origin-authorization',
+ ];
 const hasSignedHeaders = securityHeaders.every((h) => h in request.headers);
 expect(hasSignedHeaders).toBe(true);
 });
@@ -35,6 +41,12 @@ function getFakePageRequest(): CloudFrontRequestEvent {
 request: {
 clientIp: '1.1.1.1',
 headers: {
+ authorization: [
+ {
+ key: 'Authorization',
+ value: 'Bearer token',
+ },
+ ],
 host: [
 {
 key: 'Host',
diff --git a/src/lambdas/sign-fn-url.ts b/src/lambdas/sign-fn-url.ts
index f3999a51..fba4b05a 100644
--- a/src/lambdas/sign-fn-url.ts
+++ b/src/lambdas/sign-fn-url.ts
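Review bot: In src/lambdas/sign-fn-url.test.ts the widened `securityHeaders` list only proves that an `origin-authorization` key exists after signing; it does not show that the caller's bearer token survived, or that `authorization` now carries the signature rather than the token. Assuming signRequest writes headers back in CloudFront's `[{ key, value }]` shape, add `expect(request.headers['origin-authorization'][0].value).toBe('Bearer token');` and `expect(request.headers['authorization'][0].value).not.toBe('Bearer token');`. Because the fixture in the second hunk now always sends Authorization, a second case without that header, asserting that `origin-authorization` is absent, would keep the unauthenticated path covered. The enclosing test case begins outside the hunk.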
@@ -109,6 +109,11 @@ export function cfHeadersToHeaderBag(headers: CloudFrontHeaders): Bag {
 // not destructured) is case sensitive. we arbitrarily use case insensitive key
 for (const [headerKey, [{ value }]] of Object.entries(headers)) {
 headerBag[headerKey] = value;
+ // if there is an authorization from CloudFront, move it as
+ // it will be overwritten when the headers are signed
+ if (headerKey === 'authorization') {
+ headerBag['origin-authorization'] = value;
+ }
 }
 return headerBag;
 }
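Review bot: A viewer can send its own `origin-authorization` header, and this loop copies it into the bag like any other key, so at the new `if (headerKey === 'authorization')` branch the remapped value and a client-supplied one compete for the same slot and the winner depends on `Object.entries` order. If anything upstream validates `authorization` while the function URL's handler trusts `origin-authorization`, the two can disagree. Dropping the inbound header first, with `if (headerKey === 'origin-authorization') continue;` as the first statement of the loop body, makes the remapped value the only source of that header. The new comment says "move" but the code copies, so it should say the token is duplicated and that the `authorization` entry is presumably replaced later by the signer, which this hunk does not show. The function body starts outside the hunk.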