* Builds SigV4 request headers for an S3 REST call. * * `canonicalQueryString` must be the already-sorted, percent-encoded query * string (empty for GetObject) — the caller builds the request URL from this * exact same string so the signed query and the wire query are byte-identical * (the clas
( ctx: S3Context, method: 'GET', encodedPath: string, canonicalQueryString: string )
| 280 | * RequestTimeTooSkewed. |
| 281 | */ |
function buildSignedHeaders(
  ctx: S3Context,
  method: 'GET',
  encodedPath: string,
  canonicalQueryString: string
): Record<string, string> {
  // Hex SHA-256 helper; SigV4 hashes both the payload and the canonical request this way.
  const sha256Hex = (data: string): string =>
    crypto.createHash('sha256').update(data).digest('hex')

  // The timestamp is taken from the local clock. It is signed (x-amz-date) and also
  // scopes the derived key (dateStamp), so a skewed clock produces a rejected request.
  const now = new Date()
  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, '') // YYYYMMDDTHHMMSSZ
  const dateStamp = amzDate.slice(0, 8) // YYYYMMDD

  // NOTE(review): host is interpolated verbatim into a canonical header line below;
  // confirm resolveHost returns a normalized hostname with no whitespace or newlines.
  const host = resolveHost(ctx)

  // Hash of the empty body. Only correct for body-less requests, which the
  // `method: 'GET'` parameter type enforces at compile time.
  const emptyPayloadHash = sha256Hex('')

  // Header names are lowercase and in the same order as the signedHeaders list.
  // Only these three headers are covered by the signature; anything else the caller
  // attaches to the request is unsigned.
  // NOTE(review): no x-amz-security-token is emitted, so temporary (STS) credentials
  // are not handled by this path — confirm that is intended.
  const signedHeaders = 'host;x-amz-content-sha256;x-amz-date'
  const canonicalHeaders = `host:${host}\nx-amz-content-sha256:${emptyPayloadHash}\nx-amz-date:${amzDate}\n`

  // canonicalHeaders already ends in '\n', so the extra '\n' after it yields the
  // blank line that separates the header block from the signed-header list.
  const canonicalRequest =
    `${method}\n${encodedPath}\n${canonicalQueryString}\n` +
    `${canonicalHeaders}\n${signedHeaders}\n${emptyPayloadHash}`
  const canonicalRequestHash = sha256Hex(canonicalRequest)

  const algorithm = 'AWS4-HMAC-SHA256'
  const credentialScope = `${dateStamp}/${ctx.region}/s3/aws4_request`
  const stringToSign = `${algorithm}\n${amzDate}\n${credentialScope}\n${canonicalRequestHash}`

  // The secret access key is only used to derive the signing key; the returned
  // headers carry the access key id and the signature, never the secret itself.
  const derivedKey = getSignatureKey(ctx.secretAccessKey, dateStamp, ctx.region, 's3')
  const signature = crypto.createHmac('sha256', derivedKey).update(stringToSign).digest('hex')

  const credential = `Credential=${ctx.accessKeyId}/${credentialScope}`
  const authorization = `${algorithm} ${credential}, SignedHeaders=${signedHeaders}, Signature=${signature}`

  // The Authorization value is a usable credential for this exact request while the
  // timestamp is accepted; keep it out of logs and error messages.
  const headers: Record<string, string> = {
    Host: host,
    'X-Amz-Content-Sha256': emptyPayloadHash,
    'X-Amz-Date': amzDate,
    Authorization: authorization,
  }
  return headers
}
| 320 | |
| 321 | /** |
| 322 | * Percent-encodes a query parameter name or value per AWS SigV4 canonical rules |
no test coverage detected