Impossible to verify signature v2 with AWS API Gateway
Hi,
Unfortunately API gateway normalises the URL before it hits the lambda function, so the query params are in the wrong order. This makes it impossible to match against the actual URL.
Is there a specific ordering of the URL that we can rely on? I don't mind hard coding, just need to make sure it doesn't change otherwise everything will break.
For example, if you order alphabetically the params before sending, it would at least allow us to deterministically re-construct the URL 😞
I asked the team and their advice presently is to use one of two workarounds:
- Choose not to verify the requests
- Compute hashes for all permutations of ordering of the query params
Eventually, we will have a solution on our end for this, but there is no timeline and I would not expect it to happen soon.
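Added example, not part of the original thread or of the vendor's code: a sketch of the second workaround that tries every ordering of the raw query pairs and compares each candidate hash in constant time. The signing formula (SHA-256 hex over secret + method + URL + body), the function names and the parameter cap are assumptions for illustration; substitute the documented scheme. It only recovers ordering, so any re-encoding done by the gateway will still fail.

```python
import hashlib
import hmac
import itertools
from urllib.parse import urlsplit, urlunsplit

# n params means n! candidate URLs; 6! = 720 hashes is a bounded cost per request.
MAX_PARAMS = 6


def expected_signature(secret: str, method: str, url: str, body: str) -> str:
    # ASSUMPTION: the page does not state the v2 formula; this one is illustrative.
    return hashlib.sha256((secret + method + url + body).encode()).hexdigest()


def verify_any_order(secret: str, method: str, url: str, body: str,
                     received_sig: str) -> bool:
    parts = urlsplit(url)
    # Keep each "key=value" pair byte-for-byte as received: decoding and
    # re-encoding here would introduce a second source of mismatch.
    pairs = parts.query.split("&") if parts.query else []
    if len(pairs) > MAX_PARAMS:
        return False  # fail closed rather than burn CPU on huge query strings
    matched = False
    for perm in itertools.permutations(pairs):
        candidate = urlunsplit(parts._replace(query="&".join(perm)))
        sig = expected_signature(secret, method, candidate, body)
        # Constant-time comparison; no early exit, so timing does not reveal
        # which ordering matched.
        matched |= hmac.compare_digest(sig.encode(), received_sig.encode())
    return matched
```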
Hi,
Just wondering if we've had any updates on this? It really isn't ideal to not verify, and we also can't even compute all permutations because we have to replicate the parsing and encoding logic on our side, which is constantly breaking our customers' integrations when we run into edge cases.