fix(storage): use unsigned payload for pre-signed urls

soberm · soberm · commit 29fa5f19a187 · 2025-11-24T14:05:03.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -11,6 +11,7 @@ packages/**/esm/
 packages/**/cjs/
 **/.DS_Store
 .vscode
+.kiro
 .idea
 *.log
 .npm/
diff --git a/packages/core/src/clients/index.ts b/packages/core/src/clients/index.ts
@@ -13,7 +13,10 @@ export {
 	PresignUrlOptions,
 	SignRequestOptions,
 } from './middleware/signing/signer/signatureV4';
-export { EMPTY_HASH as EMPTY_SHA256_HASH } from './middleware/signing/signer/signatureV4/constants';
+export {
+	EMPTY_HASH as EMPTY_SHA256_HASH,
+	UNSIGNED_PAYLOAD,
+} from './middleware/signing/signer/signatureV4/constants';
 export { extendedEncodeURIComponent } from './middleware/signing/utils/extendedEncodeURIComponent';
 export {
 	signingMiddlewareFactory,
diff --git a/packages/storage/__tests__/providers/s3/utils/client/S3/getPresignedGetObjectUrl.test.ts b/packages/storage/__tests__/providers/s3/utils/client/S3/getPresignedGetObjectUrl.test.ts
@@ -1,7 +1,10 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { presignUrl } from '@aws-amplify/core/internals/aws-client-utils';
+import {
+	UNSIGNED_PAYLOAD,
+	presignUrl,
+} from '@aws-amplify/core/internals/aws-client-utils';
 
 import { getPresignedGetObjectUrl } from '../../../../../../src/providers/s3/utils/client/s3data';
 
@@ -110,4 +113,28 @@ describe('serializeGetObjectRequest', () => {
 		);
 		expect(actual.searchParams.get('x-amz-user-agent')).toBe('UA');
 	});
+
+	it('should use UNSIGNED-PAYLOAD for presigned URLs', async () => {
+		mockPresignUrl.mockClear();
+
+		await getPresignedGetObjectUrl(
+			{
+				...defaultConfigWithStaticCredentials,
+				signingRegion: defaultConfigWithStaticCredentials.region,
+				signingService: 's3',
+				expiration: 900,
+			},
+			{
+				Bucket: 'bucket',
+				Key: 'key',
+			},
+		);
+
+		expect(mockPresignUrl).toHaveBeenCalledWith(
+			expect.objectContaining({
+				body: UNSIGNED_PAYLOAD,
+			}),
+			expect.anything(),
+		);
+	});
 });
diff --git a/packages/storage/src/providers/s3/utils/client/s3data/getObject.ts b/packages/storage/src/providers/s3/utils/client/s3data/getObject.ts
@@ -7,6 +7,7 @@ import {
 	HttpRequest,
 	HttpResponse,
 	PresignUrlOptions,
+	UNSIGNED_PAYLOAD,
 	UserAgentOptions,
 	parseMetadata,
 	presignUrl,
@@ -199,7 +200,7 @@ export const getPresignedGetObjectUrl = async (
 	}
 
 	return presignUrl(
-		{ method, url, body: undefined },
+		{ method, url, body: UNSIGNED_PAYLOAD },
 		{
 			signingService: defaultConfig.service,
 			signingRegion: config.region,
