fix(middleware-sdk-transcribe-streaming): unsign the non host headers

AllanZhengYP · AllanZhengYP · commit c0bc9cb2096e · 2020-07-07T10:37:51.000-07:00
diff --git a/packages/middleware-sdk-transcribe-streaming/src/signer.spec.ts b/packages/middleware-sdk-transcribe-streaming/src/signer.spec.ts
@@ -0,0 +1,39 @@
+import { SignatureV4 } from "./signer";
+import { HttpRequest } from "@aws-sdk/protocol-http";
+describe("transcribe streaming", () => {
+  describe("WebSocket request signer", () => {
+    it("should invoke base SigV4 signer correctly", async () => {
+      expect.assertions(4);
+      const mockBaseSigner = {
+        presign: jest.fn()
+      };
+      const signer = new SignatureV4({ signer: mockBaseSigner as any });
+      const toSign = new HttpRequest({
+        headers: {
+          "x-amz-foo": "foo",
+          bar: "bar",
+          "amz-sdk-invocation-id": "123",
+          "amz-sdk-request": "attempt=1",
+          host: "aws.amazon.com"
+        },
+        body: "hello world",
+        query: {
+          prop1: "A",
+          prop2: "B"
+        }
+      });
+      const signed = await signer.sign(toSign);
+      expect(toSign).toMatchObject(signed);
+      expect(mockBaseSigner.presign).toBeCalled();
+      // The request's body should not be presigned
+      expect(mockBaseSigner.presign.mock.calls[0][0].body).toEqual("");
+      expect(mockBaseSigner.presign.mock.calls[0][1]!.unsignableHeaders)
+        .toBeDefined;
+      const unsignableHeaders = mockBaseSigner.presign.mock.calls[0][1]!
+        .unsignableHeaders;
+      expect(unsignableHeaders).toEqual(
+        new Set(Object.keys(toSign.headers).filter(a => a !== "host"))
+      );
+    });
+  });
+});
diff --git a/packages/middleware-sdk-transcribe-streaming/src/signer.ts b/packages/middleware-sdk-transcribe-streaming/src/signer.ts
@@ -27,10 +27,20 @@ export class SignatureV4 implements RequestSigner, RequestPresigner {
   ): Promise<IHttpRequest> {
     if (HttpRequest.isInstance(toSign)) {
       // Presign the endpoint url with empty body, otherwise
-      // the payload hash would be UNSINGED_PAYLOAD
-      const signedRequest = await this.signer.presign({ ...toSign, body: "" }, {
-        expiresIn: 5 * 60 // presigned url must be expired within 5 mins
-      } as any);
+      // the payload hash would be UNSINGED-PAYLOAD
+      const signedRequest = await this.signer.presign(
+        { ...toSign, body: "" },
+        {
+          // presigned url must be expired within 5 mins.
+          expiresIn: 5 * 60,
+          // Not to sign headers. Transcribe-streaming WebSocket
+          // request omits headers except for required 'host' header. If we sign
+          // the other headers, the signature could be mismatch.
+          unsignableHeaders: new Set(
+            Object.keys(toSign.headers).filter(header => header !== "host")
+          )
+        }
+      );
       return {
         ...signedRequest,
         body: toSign.body
