Add support for signed urls

[pch]

Issue #, if available:

#221

Description of changes:

Adds support for HMAC-signed urls to prevent tampering with base64-encoded params.

URLs should be in the following format:

https://<cf-id>.cloudfront.net/<base64-path>--<signature>

Signatures are verified only if SIGNATURE_KEY env var is provided.

How to generate a signature:

const crypto = require('crypto');
const key = "mySecretKey";

const imageRequest = JSON.stringify({
    bucket: "my-bucket",
    key: "image.png",
    edits: {
        grayscale: true
    }
});

const payload = Buffer.from(imageRequest).toString('base64');
const signature = crypto.createHmac('sha1', key).update(payload).digest('hex')

console.log(signature);

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[beomseoklee]

Thanks for your contribution, @pch
Since this is in our backlog item, we'll consider to add this one in the next release.

[abhisheksoni27]

@beomseoklee @georgebearden Any news on this? Since this is a security flaw, can we please prioritize this as first in line ? Maybe even a patch release ?

[abhisheksoni27]

@beomseoklee @georgebearden ? Any updates ?

[beomseoklee]

@abhisheksoni27 Sorry for the delay. We will have a major update soon, but this one is not going to be added at this time. However, we will definitely add security feature to next release or quick patch.

For now, if you want to add this feature to your service, you might need to add the source code by yourself. Once again, we are considering the feature, and I'm sorry for the late delivery.

[abhisheksoni27]

@beomseoklee Thanks for your reply. I hope you guys add something to fix the "open and not secure" nature of cloudfront URLs. Thanks, again. Waiting for the release.

[younes200]

@beomseoklee When the major update is planned ? just to know if we keep @pch solution or wait for the new release.
Thank you

[asaghri]

hello @beomseoklee,
Could you please let us know when you guys plan to do the update ?

We currently use the old thumbor stack with the safe mode activated. As the Python 2.7 lambda runtime will be deprecated in december we need this soon in order the upgrade our stack.
We tried to upgrade the thumbor lambda version in python 3 but it's very complicated with all the dependencies (tornado, etc..) besides the thumbor official release for python 3 is an alpha with many breaking changes. We use this stack with a heavy workload in production.

So please help ! Thank you !

[beomseoklee]

@pch Thanks for your contribution. We've added this one to v5.1.0. However, due to our internal policy, we can't merge yours into the main branch in GitHub. So, we've added your source code to follow our internal policy and released new version v5.1.0. Due to the internal security policy, we couldn't add the secret key to Lambda environment variable, so we've added this feature to use AWS Secrets Manager.

Once again, thanks for your contribution, and you can see the detail in CHNAGELOG and README.

[pch]

@beomseoklee cool, that's great news!

For those looking for the docs on how to implement signatures: https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/considerations.html