MalformedSecurityHeader #7

Closed
danieldocki opened this issue May 14, 2020 · 10 comments

@danieldocki

danieldocki commented May 14, 2020

I got this error, V2 API

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>MalformedSecurityHeader</Code>
<Message>Your request has a malformed header.</Message>
<ParameterName>signature</ParameterName>
<Details>Signature was not base64 encoded</Details>
</Error>
@mruoss
Collaborator

mruoss commented May 14, 2020

Hi @danieldocki

What did you pass to the generate() function, a %GcsSignedUrl.Client{} or %GcsSignedUrl.SignBlob.OAuthConfig{} object?

@danieldocki
Author

danieldocki commented May 14, 2020

defmodule App.Storage do
  @bucket "my-bucket"

  def url(%{key: key, checksum: checkum, content_type: content_type}) do
    GcsSignedUrl.generate(
      client(),
      @bucket,
      key,
      verb: "GET",
      md5_digest: checkum,
      content_type: content_type,
      expires: GcsSignedUrl.hours_after(3)
    )
  end

  defp client do
    "./config/gcs.json"
    |> Path.expand()
    |> File.read!()
    |> Poison.decode!()
    |> GcsSignedUrl.Client.load()
  end
end

@mruoss
Collaborator

mruoss commented May 14, 2020

Version 0.4.0 of gcs_signed_url?

@danieldocki
Author

Yes!

@mruoss
Collaborator

mruoss commented May 14, 2020

Strange! I just ran the exact same code as you, the resulting URL works. What elixir / erlang versions are you on? But then again the error says the signature was not base64 encoded and I don't see this being changed between versions. Is it possible the URL gets changed after generating? escaped, some chars missing?

@danieldocki
Author

What elixir / erlang versions are you on?

❯ elixir -v
Erlang/OTP 22 [erts-10.6.4] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe]

Elixir 1.10.1 (compiled with Erlang/OTP 22)

This is one of the generated URLs:

https://storage.googleapis.com/deliveryvip/8w28c777c1vafqpmhkrqwhzf6m9p?Expires=1589474503&GoogleAccessId=deliveryvip%40deliveryvip-208318.iam.gserviceaccount.com&Signature=GFMgGpENQba23aTreJ2l3gsIjNWZjbs4HtMlTE+4eqmaZvhpwvcy1O68MIRHN8uaYNn0USdVAL0sdGu7EfvgPfM7NDz48Y+d7JUvZ+NzIjRRBa/9cvasn28awoRTwnU6SZgo6Lyv3Lsyt5GMGq6nPmxJNXROVh8YhIg4WmBxrUyevQzwuIGzNu87R4Wnqx+wLQmNf99IdA3YcWESAvKaseEOQhDJIsB7e0D6h5/ueHTW55OUiOgOPeIAWjxYWOVmVYCeV38QPn4R+VJjm/PzISBZpgkpsryUFA181ZC6RBmd4hM3mXXC/ogo9ftRnb/FGhVi10z9MHzv7J6HvcgVdA==

@mruoss
Collaborator

mruoss commented May 14, 2020

So I'm using CURL to make a request to the URL you generated. Obviously I don't know the correct values for the two headers content-md5 and content-type. But here's what I get:

curl --request GET \
  --url 'https://storage.googleapis.com/deliveryvip/8w28c777c1vafqpmhkrqwhzf6m9p?Expires=1589474503&GoogleAccessId=deliveryvip%40deliveryvip-208318.iam.gserviceaccount.com&Signature=GFMgGpENQba23aTreJ2l3gsIjNWZjbs4HtMlTE%2B4eqmaZvhpwvcy1O68MIRHN8uaYNn0USdVAL0sdGu7EfvgPfM7NDz48Y%2Bd7JUvZ%2BNzIjRRBa%2F9cvasn28awoRTwnU6SZgo6Lyv3Lsyt5GMGq6nPmxJNXROVh8YhIg4WmBxrUyevQzwuIGzNu87R4Wnqx%2BwLQmNf99IdA3YcWESAvKaseEOQhDJIsB7e0D6h5%2FueHTW55OUiOgOPeIAWjxYWOVmVYCeV38QPn4R%2BVJjm%2FPzISBZpgkpsryUFA181ZC6RBmd4hM3mXXC%2Fogo9ftRnb%2FFGhVi10z9MHzv7J6HvcgVdA%3D%3D' \
  --header 'content-md5: ioBVTJHZ/KisuC8CPeAvEQ==' \
  --header 'content-type: application/json'

Response:

<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>GET
ioBVTJHZ/KisuC8CPeAvEQ==
application/json
1589474503
/deliveryvip/8w28c777c1vafqpmhkrqwhzf6m9p</StringToSign></Error>

This is what I would expect with wrong headers...

@danieldocki
Author

Thanks, I will search for the error. But the gcs.json is correct because I am using it in a Rails app and it is working.

Thanks for your time

@mruoss
Collaborator

mruoss commented May 14, 2020

Yeah no, the URL you get seems correct. Try my CURL command and replace the content-md5 and content-type headers with the correct ones to check.

@mruoss
Collaborator

mruoss commented May 14, 2020

I'm gonna close this if there are no further questions.

mruoss closed this as completed May 14, 2020
syamilmj added a commit to syamilmj/gcs_signed_url that referenced this issue Dec 16, 2020
It seems that GCP requires percent encoding for characters such as `+`
and `/`, or otherwise the request will fail with a complaint that
the Signature was not base64 encoded.

Related issue: alexandrubagu#7
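
The encoding problem named in the commit message above, as an added example (not code from gcs_signed_url or from either participant): the same Base64 signature is placed in a query string raw and percent-encoded, then read back the way a form-decoding receiver would. The module name and signature bytes are constructed, and modelling the receiver with `URI.decode_query/1` is an assumption, not GCS's actual parser.

```elixir
# Added example. Signature bytes are constructed; no real key, bucket or account.
defmodule SignatureEncodingDemo do
  # Four constructed bytes whose Base64 form contains "+", "/" and "=".
  @raw_signature <<0xFB, 0xEF, 0xFF, 0x3E>>

  def signature, do: Base.encode64(@raw_signature)

  # Signature pasted into the query string as-is.
  def raw_query, do: "Expires=1589474503&Signature=" <> signature()

  # Signature percent-encoded by URI.encode_query/1.
  def encoded_query do
    URI.encode_query([{"Expires", "1589474503"}, {"Signature", signature()}])
  end

  # Assumption: the receiver form-decodes the query, modelled here with
  # URI.decode_query/1, and then requires strict Base64.
  def check(query) do
    received = query |> URI.decode_query() |> Map.fetch!("Signature")

    case Base.decode64(received) do
      {:ok, bytes} when bytes == @raw_signature -> {:ok, received}
      {:ok, _other} -> {:signature_mismatch, received}
      :error -> {:not_base64, received}
    end
  end
end

for {label, query} <- [raw: SignatureEncodingDemo.raw_query(),
                       encoded: SignatureEncodingDemo.encoded_query()] do
  IO.puts("#{label}: #{query}")
  IO.inspect(SignatureEncodingDemo.check(query), label: "  receiver sees")
end
```

In this model the raw form fails because form decoding turns each `+` into a space, which is outside the Base64 alphabet; the percent-encoded form round-trips to the original bytes.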