forked from dansalias/aws_s3_presign
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mod.ts
145 lines (130 loc) · 4.18 KB
/
mod.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
const NEWLINE = '\n'
export interface GetSignedUrlOptions {
path: string
query?: Record<string, string | number>
accessKeyId: string
secretAccessKey: string
sessionToken?: string
method?: 'DELETE' | 'GET' | 'POST' | 'PUT'
region?: string
expiresIn?: number
date?: Date
endpoint?: string
protocol?: 'http' | 'https'
}
export function encodeString(data: string): Uint8Array {
return new TextEncoder().encode(data)
}
function hex(data: ArrayBuffer): string {
return Array
.from(new Uint8Array(data))
.map((x) => x.toString(16).padStart(2, '0'))
.join('')
}
export async function sha256(data: string): Promise<string> {
const digest = await crypto.subtle.digest('SHA-256', encodeString(data))
return hex(digest)
}
async function hmacSha256(keyData: ArrayBuffer, data: string): Promise<ArrayBuffer> {
const algorithm = {
name: 'HMAC',
hash: 'SHA-256'
}
const key = await crypto.subtle.importKey(
'raw',
keyData,
algorithm,
false,
['sign']
)
return crypto.subtle.sign(
algorithm,
key,
encodeString(data)
)
}
export async function hmacSha256Hex(key: ArrayBuffer, data: string): Promise<string> {
const signature = await hmacSha256(key, data)
return hex(signature)
}
function ymd(date: Date): string {
return date.toISOString().substring(0, 10).replace(/[^\d]/g, '')
}
function isoDate(date: Date): string {
return `${date.toISOString().substring(0, 19).replace(/[^\dT]/g, '')}Z`
}
function parseOptions(provided: GetSignedUrlOptions): Required<GetSignedUrlOptions> {
const path = `/${provided.path}`.replace(/\/\//g, '/')
return {
...{
method: 'GET',
region: 'us-east-1',
expiresIn: 86400,
date: new Date(),
sessionToken: '',
endpoint: 's3.amazonaws.com',
query: {},
protocol: 'https'
},
...provided,
path
}
}
function getQueryParameters(options: Required<GetSignedUrlOptions>): URLSearchParams {
return new URLSearchParams({
'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
'X-Amz-Credential': `${options.accessKeyId}/${ymd(options.date)}/${options.region}/s3/aws4_request`,
'X-Amz-Date': isoDate(options.date),
'X-Amz-Expires': options.expiresIn.toString(),
'X-Amz-SignedHeaders': 'host',
...(options.sessionToken ? {'X-Amz-Security-Token': options.sessionToken} : {}),
...options.query
})
}
function getCanonicalRequest(options: Required<GetSignedUrlOptions>, queryParameters: URLSearchParams): string {
queryParameters.sort()
return [
options.method, NEWLINE,
options.path, NEWLINE,
queryParameters.toString(), NEWLINE,
`host:${options.endpoint}`, NEWLINE,
NEWLINE,
'host', NEWLINE,
'UNSIGNED-PAYLOAD'
].join('')
}
async function getSignaturePayload(options: Required<GetSignedUrlOptions>, payload: string): Promise<string> {
return [
'AWS4-HMAC-SHA256', NEWLINE,
isoDate(options.date), NEWLINE,
`${ymd(options.date)}/${options.region}/s3/aws4_request`, NEWLINE,
await sha256(payload)
].join('')
}
async function getSignatureKey(options: Required<GetSignedUrlOptions>): Promise<ArrayBuffer> {
let key: ArrayBuffer = encodeString(`AWS4${options.secretAccessKey}`)
const components = [
ymd(options.date),
options.region,
's3',
'aws4_request'
]
for (const component of components) {
key = await hmacSha256(key, component)
}
return key
}
function getUrl(options: Required<GetSignedUrlOptions>, queryParameters: URLSearchParams, signature: string): string {
queryParameters.set('X-Amz-Signature', signature)
return `${options.protocol}://${options.endpoint}${options.path}?${new URLSearchParams(queryParameters).toString()}`
}
export async function getSignedUrl(options: GetSignedUrlOptions): Promise<string> {
const parsedOptions = parseOptions(options)
const queryParameters = getQueryParameters(parsedOptions)
const canonicalRequest = getCanonicalRequest(parsedOptions, queryParameters)
const signaturePayload = await getSignaturePayload(parsedOptions, canonicalRequest)
const signatureKey = await getSignatureKey(parsedOptions)
const signature = await hmacSha256Hex(signatureKey, signaturePayload)
const url = getUrl(parsedOptions, queryParameters, signature)
return url
}