signature generation changes

imagekitio · imagekitio · commit ab770302ee3c · 2019-09-16T14:58:40.000+05:30
diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ The `.url()` method accepts the following parameters
 | transformation   | Optional. An array of objects specifying the transformation to be applied in the URL. The transformation name  and the value should be specified as a key-value pair in the object. Different steps of a [chained transformation](https://docs.imagekit.io/imagekit-docs/chained-transformations) can be specified as different objects of the array. The complete list of supported transformations in the SDK and some examples of using them are given later. If you use a transformation name that is not specified in the SDK, it gets applied as it is in the URL. |
 | transformationPostion | Optional. Default value is `path` that places the transformation string as a path parameter in the URL. Can also be specified as `query` which adds the transformation string as the query parameter `tr` in the URL. If you use `src` parameter to create the URL, then the transformation string is always added as a query parameter. |
 | queryParameters  | Optional. These are the other query parameters that you want to add to the final URL. These can be any query parameters and not necessarily related to ImageKit. Especially useful, if you want to add some versioning parameter to your URLs. |
-| signed           | Optional. Boolean. Default is `false`. If set to `true`, the SDK generates a signed image URL adding the image signature to the image URL. |
+| signed           | Optional. Boolean. Default is `false`. If set to `true`, the SDK generates a signed image URL adding the image signature to the image URL. This can only be used if you are creating the URL with the `urlEndpoint` and `path` parameters, and not with the `src` parameter. |
 | expireSeconds    | Optional. Integer. Meant to be used along with the `signed` parameter to specify the time in seconds from now when the URL should expire. If specified, the URL contains the expiry timestamp in the URL and the image signature is modified accordingly. |
 
 #### Examples of generating URLs
diff --git a/libs/url/builder.js b/libs/url/builder.js
@@ -73,25 +73,37 @@ module.exports.buildURL = function(opts) {
     urlObject.search = queryParameters.toString();
 
     // Signature String and Timestamp
-    if(opts.signed === true) {
+    // We can do this only for URLs that are created using urlEndpoint and path parameter
+    // because we need to know the endpoint to be able to remove it from the URL to create a signature
+    // for the remaining. With the src parameter, we would not know the "pattern" in the URL
+    var expiryTimestamp;
+    if(opts.signed === true && !isSrcParameterUsedForURL) {
         if(opts.expireSeconds) {
-            queryParameters.set(TIMESTAMP_PARAMETER, getSignatureTimestamp(opts.expireSeconds));
-            urlObject.search = queryParameters.toString();
+            expiryTimestamp = getSignatureTimestamp(opts.expireSeconds);
+        } else {
+            expiryTimestamp = DEFAULT_TIMESTAMP;
         }
-    }
 
-    var intermediateURL = url.format(urlObject);
+        var intermediateURL = url.format(urlObject);
+
+        var urlSignature = getSignature({
+            privateKey : opts.privateKey,
+            url : intermediateURL,
+            urlEndpoint : opts.urlEndpoint,
+            expiryTimestamp : expiryTimestamp
+        });
 
-    var urlSignature = getSignature({
-        privateKey : opts.privateKey,
-        url : intermediateURL
-    });
+        if(opts.signed === true) {
+            if(expiryTimestamp && expiryTimestamp != DEFAULT_TIMESTAMP) {
+                queryParameters.set(TIMESTAMP_PARAMETER, expiryTimestamp);
+            }
+            queryParameters.set(SIGNATURE_PARAMETER, urlSignature);
+            urlObject.search = queryParameters.toString();
+        }
 
-    if(opts.signed === true) {
-        queryParameters.set(SIGNATURE_PARAMETER, urlSignature);
-        urlObject.search = queryParameters.toString();
     }
 
+    
     return url.format(urlObject);
 };
 
@@ -147,7 +159,7 @@ function getSignatureTimestamp(seconds) {
 }
 
 function getSignature(opts) {
-    if(!opts.privateKey || !opts.url) return "";
+    if(!opts.privateKey || !opts.url || !opts.urlEndpoint) return "";
 
-    return crypto.createHmac('sha1', opts.privateKey).update(opts.url.replace(PROTOCOL_QUERY, "")).digest('hex');
+    return crypto.createHmac('sha1', opts.privateKey).update(opts.url.replace(opts.urlEndpoint, "") + (opts.expiryTimestamp ? opts.expiryTimestamp : "9999999999")).digest('hex');
 }
