Wildcard url for v3?

[idwalkill]

Hello ,

I'm trying to move to v3 and I don't know how to create a cloudfront wildcard url.
It's working correctly in v2.
The documentation is only shows the non wildcard solution.
Can anyone help me migrate please if possible

let cfUrl = "xxxx.cloudfront.net";
let expiry = 1698383375;

let policy = {
    'Statement': [{
        'Resource': 'http*://' + cfUrl + '/*',
        'Condition': {
            'DateLessThan': {'AWS:EpochTime': expiry}
        }
    }]
};

let policyString = JSON.stringify(policy);

let signer = new AWS.CloudFront.Signer(keyPairId, privateKey);

var options = {url: "http://"+cfUrl, policy: policyString};

signer.getSignedCookie(options, function(err, cookie) {
    if (err) {
        console.log("error");
    } else {
        console.log(cookie);
    }
});

[PWadeDev]

how is there nothing happening on this topic?
Package is unusable without having wildcard for signed cookies

[RanVaknin]

Hi @PWadeDev @idwalkill,

Can you try this?

import { getSignedCookies } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedCookies } = require("@aws-sdk/cloudfront-signer"); // CJS

const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";

+const policy = {
+    'Statement': [{
+        'Resource': cloudfrontDistributionDomain + '/*',
+      'Condition': {
+            'DateLessThan': {'AWS:EpochTime': expiry}
+      }
+   }]
+};

const cookies = getSignedCookies({
  url,
  keyPairId,
  dateLessThan,
  privateKey,
+ policy
});

[dathmart]

@RanVaknin I don't quite follow the logic in your suggestion here. Your example specifies an absolute path for a resource in url (i.e., "${cloudfrontDistributionDomain}/${s3ObjectKey}" yet also a wildcard path for policy.Statement.Resource (i.e., "cloudfrontDistributionDomain + '/*' ". Should these two values not conflict?

Additionally, the argument to getSignedCookies(), i.e. CloudfrontSignInput, does not allow "policy" and "dateLessThan" to be assigned simultaneously.

[RanVaknin]

@dathmart ,

Apologies if the comment didn't make sense, I'm just going off of documentation and general understanding of the package. Since replicating this behavior requires setting up a distribution and resource it's not so straight forward to debug.

I'll need some more time to do a deep dive to what seems to be the issue.

Thanks,
Ran~

[greebl3]

Hi @RanVaknin, did you ever get more insight into the signing issue? It seems to still be present on 3.451.0, even without wildcards in the resource.

[Ninjef]

@idwalkill This is working for me. I'm on 3.523.0

import { getSignedCookies } from "@aws-sdk/cloudfront-signer";
import axios from "axios";

const imagePath = "https://<distribution-domain-name>/f59fa716-6fd4-45c0-9b15-3eb9a27905c9/*"
const reqImagePath = "https://<distribution-domain-name>/f59fa716-6fd4-45c0-9b15-3eb9a27905c9/assets/ef7841d9-8099-483c-be9c-df04a0703178/images/0/header.jpg"
const shouldFailImagePath = "https://<distribution-domain-name>/0fa13f3a-137b-4ab9-94f0-d514c23da606/assets/549987c6-a86a-4534-b827-ffb76df78b98/images/0/convertedOriginal.jpg"

const privateKey = process.env.CDN_PRIVATE_KEY || ''
const cdnPubKeyId = process.env.CDN_PUB_KEY_ID || ''

const expiration = Math.round(Number(new Date(Date.now() + 1000 * 60 * 60))/1000)
const policy = {
  "Statement": [
      {
          "Resource": imagePath,
          "Condition": {
              "DateLessThan": {
                  "AWS:EpochTime": expiration
              }
          }
      }
  ]
}

const cookies = getSignedCookies(
  {
    url: imagePath,
    privateKey,
    keyPairId: cdnPubKeyId,
    policy: JSON.stringify(policy)
  }
)

const cookiesClause = Object.keys(cookies).map(key => `${key}=${cookies[key]}`).join(';')

axios.get(reqImagePath, {
  headers: {
    'Cookie': cookiesClause
  }
}).then(response => {
  console.log('first request:', response.status)
  axios.get(shouldFailImagePath, {
    headers: {
      'Cookie': cookiesClause
    }
  }).then(response => {
    console.log('second request:', response.status)
  }).catch(error => {
    console.log('second request:', error.response.status)
  })

}).catch(error => {
  console.log('first request: failed', error.response.status)
})

output:

first request: 200
second request: 403

[fdaugan]

To make it works, follow the v3 documentation :

• Use custom policy. Canned policy does not suits to wildcard URL usage
• Provide the URL having wildcard only in the Resource policy and not in the url JSON property of getSignedCookies parameter.

My working exemple:

async function getSignedCloudfrontCookies(url, ttl = 300) {
    const policy = {
        Statement: [{
            Resource: url,
            Condition: {
                DateLessThan: {
                    "AWS:EpochTime": Math.round(new Date().getTime() / 1000 + ttl), // time in seconds
                },
            },
        }]
    };

    return getSignedCookies({
        keyPairId: CLOUDFRONT_PUBLIC_KEY_ID,
        privateKey: CLOUDFRONT_PRIVATE_KEY,
        policy: JSON.stringify(policy)
    });
}

const cfCookies = await getSignedCloudfrontCookies('https://xxxx.cloudfront.net/private/*.zip');
// Set Cookies....