Description
Note that this works fine with v2. I thought it did, but it actually no longer does.
Environment details
- OS: macOS 10.14.6
- Node.js version: v8.16.1
- npm version: 6.4.1
- yarn version: 1.17.3
- @google-cloud/storage version: 3.2.1
Steps to reproduce v2
file.getSignedUrl({
  version: 'v2',
  action: 'read',
  expires: Date.now() + 10000000,
  cname: 'https://storage.customhostname.com'
}, (err, url) => {
})

With cname, the URL doesn't work in the browser.
However, sending the same request using curl works:
curl 'https://storage.dev.bookcreator.com/data%2Fi4rNhrOGJgNGlzELwesBcVrSfnG2%2Fbooks%2Fqle8FcNGSNGXQGd1EElspA%2Fresources%2FQC5Qdp5gQgeCMw7AQ18nmw.m4a?GoogleAccessId=api-service%40bookcreator-dev.iam.gserviceaccount.com&Expires=1568829600&Signature=oDAGX4myOoD%2F1UrWPhKOhl2WCw09fQ%2FatkJk5C8%2Bvk4FV%2F5t5lj2Kr3EUNUkQc2jm7vMg1X1XGu8y23sTIklW525f6VbJvN7MjHSGSnh317FO%2Fv6lTBVSekmN7CfUY4Bds%2BdcWYj%2FgI%2FjPFqXMsjmr%2Bqs4wYGRZJ0P6%2BiGUgX8WueF%2F0LNdsI44OsZiZ7z%2FR3vXR%2BTzCfRfxOMETAYrn8jjjITMJpQ1UO7PVYc5E0aAAT0URh816T%2BSee%2Fu3UNkD0hUMJbQC6XtiqPsOawHb%2Bi%2FCNr0R7yjYuluKnIuCe51oIBVQdG9iNTBZD8oJFsPtgrMufibXgS2e%2BuJcTPbMww%3D%3D' -Lv > /dev/null
But sending the same user-agent as the browser causes a 403:
curl 'https://storage.dev.bookcreator.com/data%2Fi4rNhrOGJgNGlzELwesBcVrSfnG2%2Fbooks%2Fqle8FcNGSNGXQGd1EElspA%2Fresources%2FQC5Qdp5gQgeCMw7AQ18nmw.m4a?GoogleAccessId=api-service%40bookcreator-dev.iam.gserviceaccount.com&Expires=1568829600&Signature=oDAGX4myOoD%2F1UrWPhKOhl2WCw09fQ%2FatkJk5C8%2Bvk4FV%2F5t5lj2Kr3EUNUkQc2jm7vMg1X1XGu8y23sTIklW525f6VbJvN7MjHSGSnh317FO%2Fv6lTBVSekmN7CfUY4Bds%2BdcWYj%2FgI%2FjPFqXMsjmr%2Bqs4wYGRZJ0P6%2BiGUgX8WueF%2F0LNdsI44OsZiZ7z%2FR3vXR%2BTzCfRfxOMETAYrn8jjjITMJpQ1UO7PVYc5E0aAAT0URh816T%2BSee%2Fu3UNkD0hUMJbQC6XtiqPsOawHb%2Bi%2FCNr0R7yjYuluKnIuCe51oIBVQdG9iNTBZD8oJFsPtgrMufibXgS2e%2BuJcTPbMww%3D%3D' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36' -Lv > /dev/null
If you change the user-agent to just user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) it also works.
The v2 signing used to work (but unsure when it stopped; it stopped working around 1700 yesterday [GMT]).
Steps to reproduce v4
I thought that maybe the legacy (as the docs called it) v2 had been deprecated so tried the v4 and this doesn't work either.
file.getSignedUrl({
  version: 'v4',
  action: 'read',
  expires: Date.now() + 10000000,
  cname: 'https://storage.customhostname.com'
}, (err, url) => {
})

The URL produced does have the correct host, but on going to the URL you get a SignatureDoesNotMatch error.
Removing the cname results in a working URL.
E.g.: with cname:
Results:
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.
</Message>
<StringToSign>
GOOG4-RSA-SHA256 20190918T143035Z 20190918/auto/storage/goog4_request 75304e5ca664b15a1fbbebca700d83f4fbe48fc7bfe8db70399ce7fbc3ba0b38
</StringToSign>
<CanonicalRequest>
GET /data%2Fi4rNhrOGJgNGlzELwesBcVrSfnG2%2Fbooks%2Fqle8FcNGSNGXQGd1EElspA%2Fresources%2FQC5Qdp5gQgeCMw7AQ18nmw.m4a X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=api-service%40bookcreator-dev.iam.gserviceaccount.com%2F20190918%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20190918T143035Z&X-Goog-Expires=12565&X-Goog-SignedHeaders=host host:storage.dev.bookcreator.com host UNSIGNED-PAYLOAD
</CanonicalRequest>
</Error>
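
Added example (not part of the original issue and not the library's code): a Node.js check that rebuilds the V4 canonical request for a GET with only `host` signed, using the values in the error above, and compares it with what the server reports. The `storage.googleapis.com` path-style variant and `BUCKET_PLACEHOLDER` are assumptions, included only to show that any host or path difference on the signing side yields a different string-to-sign.

```javascript
const crypto = require('crypto');

// Values copied from the <StringToSign> and <CanonicalRequest> in the report above.
const PATH = '/data%2Fi4rNhrOGJgNGlzELwesBcVrSfnG2%2Fbooks%2Fqle8FcNGSNGXQGd1EElspA%2Fresources%2FQC5Qdp5gQgeCMw7AQ18nmw.m4a';
const QUERY = 'X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=api-service%40bookcreator-dev.iam.gserviceaccount.com%2F20190918%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20190918T143035Z&X-Goog-Expires=12565&X-Goog-SignedHeaders=host';
const TIMESTAMP = '20190918T143035Z';
const SCOPE = '20190918/auto/storage/goog4_request';
const REPORTED_DIGEST = '75304e5ca664b15a1fbbebca700d83f4fbe48fc7bfe8db70399ce7fbc3ba0b38';
const SERVER_CANONICAL =
  `GET ${PATH} ${QUERY} host:storage.dev.bookcreator.com host UNSIGNED-PAYLOAD`;

// V4 canonical request for a GET whose only signed header is host.
// The empty element is the blank line that ends the canonical headers.
function canonicalRequest(host, path, query) {
  return ['GET', path, query, `host:${host}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
}

const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// The text the private key signs; it commits to the canonical request by hash.
function stringToSign(canonical) {
  return ['GOOG4-RSA-SHA256', TIMESTAMP, SCOPE, sha256Hex(canonical)].join('\n');
}

// The error XML as pasted has its newlines flattened, so compare token by token.
const flatten = (s) => s.split(/\s+/).filter(Boolean).join(' ');

function diagnose() {
  const cname = canonicalRequest('storage.dev.bookcreator.com', PATH, QUERY);
  // Hypothetical signing-side variant: default endpoint, bucket name in the path.
  const pathStyle = canonicalRequest('storage.googleapis.com', '/BUCKET_PLACEHOLDER' + PATH, QUERY);
  return {
    cnameMatchesServer: flatten(cname) === flatten(SERVER_CANONICAL),
    pathStyleMatchesServer: flatten(pathStyle) === flatten(SERVER_CANONICAL),
    cnameStringToSign: stringToSign(cname),
    pathStyleStringToSign: stringToSign(pathStyle),
    // Holds only if the pasted report preserved the server's bytes exactly.
    digestEqualsReported: sha256Hex(cname) === REPORTED_DIGEST,
  };
}

console.log(diagnose());
```

Because `host` is a signed header, the signature is bound to the hostname the request arrives on, so a URL signed for one host cannot be replayed against another.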