fix(sigv4): Include Host header in signing

Dillon Nys · dnys1 · commit 8dded624f241 · 2022-06-20T14:01:32.000-07:00
commit-id:5e8e08e7
diff --git a/packages/aws_signature_v4/lib/src/configuration/service_configuration.dart b/packages/aws_signature_v4/lib/src/configuration/service_configuration.dart
@@ -164,8 +164,6 @@ class BaseServiceConfiguration extends ServiceConfiguration {
     required AWSCredentials credentials,
   }) {
     queryParameters.addAll({
-      if (!request.headers.containsKey(AWSHeaders.host))
-        AWSHeaders.host: request.host,
       AWSHeaders.date: credentialScope.dateTime.formatFull(),
       AWSHeaders.signedHeaders: signedHeaders.toString(),
       AWSHeaders.algorithm: algorithm.id,
diff --git a/packages/aws_signature_v4/lib/src/request/canonical_request/canonical_request.dart b/packages/aws_signature_v4/lib/src/request/canonical_request/canonical_request.dart
@@ -155,6 +155,11 @@ class CanonicalRequest {
         const BaseServiceConfiguration(),
   }) {
     final headers = Map.of(request.headers);
+    // Include header for signing since it will be included by the HTTP client
+    // of the end user.
+    if (!headers.containsKey(AWSHeaders.host)) {
+      headers[AWSHeaders.host] = request.host;
+    }
     final queryParameters = Map.of(request.queryParameters);
 
     // Per https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
diff --git a/packages/aws_signature_v4/test/canonical_request_test.dart b/packages/aws_signature_v4/test/canonical_request_test.dart
@@ -0,0 +1,48 @@
+import 'package:aws_common/aws_common.dart';
+import 'package:aws_signature_v4/aws_signature_v4.dart';
+import 'package:test/test.dart';
+
+import 'common.dart';
+
+void main() {
+  group('CanonicalRequest', () {
+    test('Host header is always signed', () {
+      final uri = Uri.parse('https://example.com/path');
+      final request = AWSHttpRequest.get(uri);
+
+      final signedRequest = CanonicalRequest(
+        request: request,
+        credentials: dummyCredentials,
+        credentialScope: dummyCredentialScope,
+        contentLength: 0,
+        payloadHash: emptyPayloadHash,
+      );
+      expect(
+        CaseInsensitiveMap(signedRequest.canonicalHeaders),
+        contains(AWSHeaders.host),
+      );
+      expect(
+        CaseInsensitiveSet(signedRequest.signedHeaders),
+        contains(AWSHeaders.host),
+      );
+
+      final presignedRequest = CanonicalRequest.presignedUrl(
+        request: request,
+        credentials: dummyCredentials,
+        credentialScope: dummyCredentialScope,
+        contentLength: 0,
+        payloadHash: emptyPayloadHash,
+        expiresIn: const Duration(seconds: 300),
+        algorithm: AWSAlgorithm.hmacSha256,
+      );
+      expect(
+        CaseInsensitiveMap(presignedRequest.canonicalHeaders),
+        contains(AWSHeaders.host),
+      );
+      expect(
+        CaseInsensitiveSet(presignedRequest.signedHeaders),
+        contains(AWSHeaders.host),
+      );
+    });
+  });
+}
