var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; var __getOwnPropNames = Object.getOwnPropertyNames; var __hasOwnProp = Object.prototype.hasOwnProperty; var __name = (target, value) => __defProp(target, "name", { value, configurable: true }); var __export = (target, all) => { for (var name in all) __defProp(target, name, { get: all[name], enumerable: true }); }; var __copyProps = (to, from, except, desc) => { if (from && typeof from === "object" || typeof from === "function") { for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); } return to; }; var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); // src/index.ts var src_exports = {}; __export(src_exports, { SignatureV4: () => SignatureV4, clearCredentialCache: () => clearCredentialCache, createScope: () => createScope, getCanonicalHeaders: () => getCanonicalHeaders, getCanonicalQuery: () => getCanonicalQuery, getPayloadHash: () => getPayloadHash, getSigningKey: () => getSigningKey, moveHeadersToQuery: () => moveHeadersToQuery, prepareRequest: () => prepareRequest }); module.exports = __toCommonJS(src_exports); // src/SignatureV4.ts var import_util_middleware = require("@smithy/util-middleware"); var import_util_utf84 = require("@smithy/util-utf8"); // src/constants.ts var ALGORITHM_QUERY_PARAM = "X-Amz-Algorithm"; var CREDENTIAL_QUERY_PARAM = "X-Amz-Credential"; var AMZ_DATE_QUERY_PARAM = "X-Amz-Date"; var SIGNED_HEADERS_QUERY_PARAM = "X-Amz-SignedHeaders"; var EXPIRES_QUERY_PARAM = "X-Amz-Expires"; var SIGNATURE_QUERY_PARAM = "X-Amz-Signature"; var TOKEN_QUERY_PARAM = "X-Amz-Security-Token"; var AUTH_HEADER = "authorization"; var AMZ_DATE_HEADER = AMZ_DATE_QUERY_PARAM.toLowerCase(); var DATE_HEADER = "date"; var GENERATED_HEADERS = [AUTH_HEADER, AMZ_DATE_HEADER, DATE_HEADER]; var SIGNATURE_HEADER = SIGNATURE_QUERY_PARAM.toLowerCase(); var SHA256_HEADER = "x-amz-content-sha256"; var TOKEN_HEADER = TOKEN_QUERY_PARAM.toLowerCase(); var ALWAYS_UNSIGNABLE_HEADERS = { authorization: true, "cache-control": true, connection: true, expect: true, from: true, "keep-alive": true, "max-forwards": true, pragma: true, referer: true, te: true, trailer: true, "transfer-encoding": true, upgrade: true, "user-agent": true, "x-amzn-trace-id": true }; var PROXY_HEADER_PATTERN = /^proxy-/; var SEC_HEADER_PATTERN = /^sec-/; var ALGORITHM_IDENTIFIER = "AWS4-HMAC-SHA256"; var EVENT_ALGORITHM_IDENTIFIER = "AWS4-HMAC-SHA256-PAYLOAD"; var UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD"; var MAX_CACHE_SIZE = 50; var KEY_TYPE_IDENTIFIER = "aws4_request"; var MAX_PRESIGNED_TTL = 60 * 60 * 24 * 7; // src/credentialDerivation.ts var import_util_hex_encoding = require("@smithy/util-hex-encoding"); var import_util_utf8 = require("@smithy/util-utf8"); var signingKeyCache = {}; var cacheQueue = []; var createScope = /* @__PURE__ */ __name((shortDate, region, service) => `${shortDate}/${region}/${service}/${KEY_TYPE_IDENTIFIER}`, "createScope"); var getSigningKey = /* @__PURE__ */ __name(async (sha256Constructor, credentials, shortDate, region, service) => { const credsHash = await hmac(sha256Constructor, credentials.secretAccessKey, credentials.accessKeyId); const cacheKey = `${shortDate}:${region}:${service}:${(0, import_util_hex_encoding.toHex)(credsHash)}:${credentials.sessionToken}`; if (cacheKey in signingKeyCache) { return signingKeyCache[cacheKey]; } cacheQueue.push(cacheKey); while (cacheQueue.length > MAX_CACHE_SIZE) { delete signingKeyCache[cacheQueue.shift()]; } let key = `AWS4${credentials.secretAccessKey}`; for (const signable of [shortDate, region, service, KEY_TYPE_IDENTIFIER]) { key = await hmac(sha256Constructor, key, signable); } return signingKeyCache[cacheKey] = key; }, "getSigningKey"); var clearCredentialCache = /* @__PURE__ */ __name(() => { cacheQueue.length = 0; Object.keys(signingKeyCache).forEach((cacheKey) => { delete signingKeyCache[cacheKey]; }); }, "clearCredentialCache"); var hmac = /* @__PURE__ */ __name((ctor, secret, data) => { const hash = new ctor(secret); hash.update((0, import_util_utf8.toUint8Array)(data)); return hash.digest(); }, "hmac"); // src/getCanonicalHeaders.ts var getCanonicalHeaders = /* @__PURE__ */ __name(({ headers }, unsignableHeaders, signableHeaders) => { const canonical = {}; for (const headerName of Object.keys(headers).sort()) { if (headers[headerName] == void 0) { continue; } const canonicalHeaderName = headerName.toLowerCase(); if (canonicalHeaderName in ALWAYS_UNSIGNABLE_HEADERS || (unsignableHeaders == null ? void 0 : unsignableHeaders.has(canonicalHeaderName)) || PROXY_HEADER_PATTERN.test(canonicalHeaderName) || SEC_HEADER_PATTERN.test(canonicalHeaderName)) { if (!signableHeaders || signableHeaders && !signableHeaders.has(canonicalHeaderName)) { continue; } } canonical[canonicalHeaderName] = headers[headerName].trim().replace(/\s+/g, " "); } return canonical; }, "getCanonicalHeaders"); // src/getCanonicalQuery.ts var import_util_uri_escape = require("@smithy/util-uri-escape"); var getCanonicalQuery = /* @__PURE__ */ __name(({ query = {} }) => { const keys = []; const serialized = {}; for (const key of Object.keys(query).sort()) { if (key.toLowerCase() === SIGNATURE_HEADER) { continue; } keys.push(key); const value = query[key]; if (typeof value === "string") { serialized[key] = `${(0, import_util_uri_escape.escapeUri)(key)}=${(0, import_util_uri_escape.escapeUri)(value)}`; } else if (Array.isArray(value)) { serialized[key] = value.slice(0).reduce( (encoded, value2) => encoded.concat([`${(0, import_util_uri_escape.escapeUri)(key)}=${(0, import_util_uri_escape.escapeUri)(value2)}`]), [] ).sort().join("&"); } } return keys.map((key) => serialized[key]).filter((serialized2) => serialized2).join("&"); }, "getCanonicalQuery"); // src/getPayloadHash.ts var import_is_array_buffer = require("@smithy/is-array-buffer"); var import_util_utf82 = require("@smithy/util-utf8"); var getPayloadHash = /* @__PURE__ */ __name(async ({ headers, body }, hashConstructor) => { for (const headerName of Object.keys(headers)) { if (headerName.toLowerCase() === SHA256_HEADER) { return headers[headerName]; } } if (body == void 0) { return "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; } else if (typeof body === "string" || ArrayBuffer.isView(body) || (0, import_is_array_buffer.isArrayBuffer)(body)) { const hashCtor = new hashConstructor(); hashCtor.update((0, import_util_utf82.toUint8Array)(body)); return (0, import_util_hex_encoding.toHex)(await hashCtor.digest()); } return UNSIGNED_PAYLOAD; }, "getPayloadHash"); // src/HeaderFormatter.ts var import_util_utf83 = require("@smithy/util-utf8"); var _HeaderFormatter = class _HeaderFormatter { format(headers) { const chunks = []; for (const headerName of Object.keys(headers)) { const bytes = (0, import_util_utf83.fromUtf8)(headerName); chunks.push(Uint8Array.from([bytes.byteLength]), bytes, this.formatHeaderValue(headers[headerName])); } const out = new Uint8Array(chunks.reduce((carry, bytes) => carry + bytes.byteLength, 0)); let position = 0; for (const chunk of chunks) { out.set(chunk, position); position += chunk.byteLength; } return out; } formatHeaderValue(header) { switch (header.type) { case "boolean": return Uint8Array.from([header.value ? 0 /* boolTrue */ : 1 /* boolFalse */]); case "byte": return Uint8Array.from([2 /* byte */, header.value]); case "short": const shortView = new DataView(new ArrayBuffer(3)); shortView.setUint8(0, 3 /* short */); shortView.setInt16(1, header.value, false); return new Uint8Array(shortView.buffer); case "integer": const intView = new DataView(new ArrayBuffer(5)); intView.setUint8(0, 4 /* integer */); intView.setInt32(1, header.value, false); return new Uint8Array(intView.buffer); case "long": const longBytes = new Uint8Array(9); longBytes[0] = 5 /* long */; longBytes.set(header.value.bytes, 1); return longBytes; case "binary": const binView = new DataView(new ArrayBuffer(3 + header.value.byteLength)); binView.setUint8(0, 6 /* byteArray */); binView.setUint16(1, header.value.byteLength, false); const binBytes = new Uint8Array(binView.buffer); binBytes.set(header.value, 3); return binBytes; case "string": const utf8Bytes = (0, import_util_utf83.fromUtf8)(header.value); const strView = new DataView(new ArrayBuffer(3 + utf8Bytes.byteLength)); strView.setUint8(0, 7 /* string */); strView.setUint16(1, utf8Bytes.byteLength, false); const strBytes = new Uint8Array(strView.buffer); strBytes.set(utf8Bytes, 3); return strBytes; case "timestamp": const tsBytes = new Uint8Array(9); tsBytes[0] = 8 /* timestamp */; tsBytes.set(Int64.fromNumber(header.value.valueOf()).bytes, 1); return tsBytes; case "uuid": if (!UUID_PATTERN.test(header.value)) { throw new Error(`Invalid UUID received: ${header.value}`); } const uuidBytes = new Uint8Array(17); uuidBytes[0] = 9 /* uuid */; uuidBytes.set((0, import_util_hex_encoding.fromHex)(header.value.replace(/\-/g, "")), 1); return uuidBytes; } } }; __name(_HeaderFormatter, "HeaderFormatter"); var HeaderFormatter = _HeaderFormatter; var UUID_PATTERN = /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/; var _Int64 = class _Int64 { constructor(bytes) { this.bytes = bytes; if (bytes.byteLength !== 8) { throw new Error("Int64 buffers must be exactly 8 bytes"); } } static fromNumber(number) { if (number > 9223372036854776e3 || number < -9223372036854776e3) { throw new Error(`${number} is too large (or, if negative, too small) to represent as an Int64`); } const bytes = new Uint8Array(8); for (let i = 7, remaining = Math.abs(Math.round(number)); i > -1 && remaining > 0; i--, remaining /= 256) { bytes[i] = remaining; } if (number < 0) { negate(bytes); } return new _Int64(bytes); } /** * Called implicitly by infix arithmetic operators. */ valueOf() { const bytes = this.bytes.slice(0); const negative = bytes[0] & 128; if (negative) { negate(bytes); } return parseInt((0, import_util_hex_encoding.toHex)(bytes), 16) * (negative ? -1 : 1); } toString() { return String(this.valueOf()); } }; __name(_Int64, "Int64"); var Int64 = _Int64; function negate(bytes) { for (let i = 0; i < 8; i++) { bytes[i] ^= 255; } for (let i = 7; i > -1; i--) { bytes[i]++; if (bytes[i] !== 0) break; } } __name(negate, "negate"); // src/headerUtil.ts var hasHeader = /* @__PURE__ */ __name((soughtHeader, headers) => { soughtHeader = soughtHeader.toLowerCase(); for (const headerName of Object.keys(headers)) { if (soughtHeader === headerName.toLowerCase()) { return true; } } return false; }, "hasHeader"); // src/cloneRequest.ts var cloneRequest = /* @__PURE__ */ __name(({ headers, query, ...rest }) => ({ ...rest, headers: { ...headers }, query: query ? cloneQuery(query) : void 0 }), "cloneRequest"); var cloneQuery = /* @__PURE__ */ __name((query) => Object.keys(query).reduce((carry, paramName) => { const param = query[paramName]; return { ...carry, [paramName]: Array.isArray(param) ? [...param] : param }; }, {}), "cloneQuery"); // src/moveHeadersToQuery.ts var moveHeadersToQuery = /* @__PURE__ */ __name((request, options = {}) => { var _a; const { headers, query = {} } = typeof request.clone === "function" ? request.clone() : cloneRequest(request); for (const name of Object.keys(headers)) { const lname = name.toLowerCase(); if (lname.slice(0, 6) === "x-amz-" && !((_a = options.unhoistableHeaders) == null ? void 0 : _a.has(lname))) { query[name] = headers[name]; delete headers[name]; } } return { ...request, headers, query }; }, "moveHeadersToQuery"); // src/prepareRequest.ts var prepareRequest = /* @__PURE__ */ __name((request) => { request = typeof request.clone === "function" ? request.clone() : cloneRequest(request); for (const headerName of Object.keys(request.headers)) { if (GENERATED_HEADERS.indexOf(headerName.toLowerCase()) > -1) { delete request.headers[headerName]; } } return request; }, "prepareRequest"); // src/utilDate.ts var iso8601 = /* @__PURE__ */ __name((time) => toDate(time).toISOString().replace(/\.\d{3}Z$/, "Z"), "iso8601"); var toDate = /* @__PURE__ */ __name((time) => { if (typeof time === "number") { return new Date(time * 1e3); } if (typeof time === "string") { if (Number(time)) { return new Date(Number(time) * 1e3); } return new Date(time); } return time; }, "toDate"); // src/SignatureV4.ts var _SignatureV4 = class _SignatureV4 { constructor({ applyChecksum, credentials, region, service, sha256, uriEscapePath = true }) { this.headerFormatter = new HeaderFormatter(); this.service = service; this.sha256 = sha256; this.uriEscapePath = uriEscapePath; this.applyChecksum = typeof applyChecksum === "boolean" ? applyChecksum : true; this.regionProvider = (0, import_util_middleware.normalizeProvider)(region); this.credentialProvider = (0, import_util_middleware.normalizeProvider)(credentials); } async presign(originalRequest, options = {}) { const { signingDate = /* @__PURE__ */ new Date(), expiresIn = 3600, unsignableHeaders, unhoistableHeaders, signableHeaders, signingRegion, signingService } = options; const credentials = await this.credentialProvider(); this.validateResolvedCredentials(credentials); const region = signingRegion ?? await this.regionProvider(); const { longDate, shortDate } = formatDate(signingDate); if (expiresIn > MAX_PRESIGNED_TTL) { return Promise.reject( "Signature version 4 presigned URLs must have an expiration date less than one week in the future" ); } const scope = createScope(shortDate, region, signingService ?? this.service); const request = moveHeadersToQuery(prepareRequest(originalRequest), { unhoistableHeaders }); if (credentials.sessionToken) { request.query[TOKEN_QUERY_PARAM] = credentials.sessionToken; } request.query[ALGORITHM_QUERY_PARAM] = ALGORITHM_IDENTIFIER; request.query[CREDENTIAL_QUERY_PARAM] = `${credentials.accessKeyId}/${scope}`; request.query[AMZ_DATE_QUERY_PARAM] = longDate; request.query[EXPIRES_QUERY_PARAM] = expiresIn.toString(10); const canonicalHeaders = getCanonicalHeaders(request, unsignableHeaders, signableHeaders); request.query[SIGNED_HEADERS_QUERY_PARAM] = getCanonicalHeaderList(canonicalHeaders); request.query[SIGNATURE_QUERY_PARAM] = await this.getSignature( longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request, canonicalHeaders, await getPayloadHash(originalRequest, this.sha256)) ); return request; } async sign(toSign, options) { if (typeof toSign === "string") { return this.signString(toSign, options); } else if (toSign.headers && toSign.payload) { return this.signEvent(toSign, options); } else if (toSign.message) { return this.signMessage(toSign, options); } else { return this.signRequest(toSign, options); } } async signEvent({ headers, payload }, { signingDate = /* @__PURE__ */ new Date(), priorSignature, signingRegion, signingService }) { const region = signingRegion ?? await this.regionProvider(); const { shortDate, longDate } = formatDate(signingDate); const scope = createScope(shortDate, region, signingService ?? this.service); const hashedPayload = await getPayloadHash({ headers: {}, body: payload }, this.sha256); const hash = new this.sha256(); hash.update(headers); const hashedHeaders = (0, import_util_hex_encoding.toHex)(await hash.digest()); const stringToSign = [ EVENT_ALGORITHM_IDENTIFIER, longDate, scope, priorSignature, hashedHeaders, hashedPayload ].join("\n"); return this.signString(stringToSign, { signingDate, signingRegion: region, signingService }); } async signMessage(signableMessage, { signingDate = /* @__PURE__ */ new Date(), signingRegion, signingService }) { const promise = this.signEvent( { headers: this.headerFormatter.format(signableMessage.message.headers), payload: signableMessage.message.body }, { signingDate, signingRegion, signingService, priorSignature: signableMessage.priorSignature } ); return promise.then((signature) => { return { message: signableMessage.message, signature }; }); } async signString(stringToSign, { signingDate = /* @__PURE__ */ new Date(), signingRegion, signingService } = {}) { const credentials = await this.credentialProvider(); this.validateResolvedCredentials(credentials); const region = signingRegion ?? await this.regionProvider(); const { shortDate } = formatDate(signingDate); const hash = new this.sha256(await this.getSigningKey(credentials, region, shortDate, signingService)); hash.update((0, import_util_utf84.toUint8Array)(stringToSign)); return (0, import_util_hex_encoding.toHex)(await hash.digest()); } async signRequest(requestToSign, { signingDate = /* @__PURE__ */ new Date(), signableHeaders, unsignableHeaders, signingRegion, signingService } = {}) { const credentials = await this.credentialProvider(); this.validateResolvedCredentials(credentials); const region = signingRegion ?? await this.regionProvider(); const request = prepareRequest(requestToSign); const { longDate, shortDate } = formatDate(signingDate); const scope = createScope(shortDate, region, signingService ?? this.service); request.headers[AMZ_DATE_HEADER] = longDate; if (credentials.sessionToken) { request.headers[TOKEN_HEADER] = credentials.sessionToken; } const payloadHash = await getPayloadHash(request, this.sha256); if (!hasHeader(SHA256_HEADER, request.headers) && this.applyChecksum) { request.headers[SHA256_HEADER] = payloadHash; } const canonicalHeaders = getCanonicalHeaders(request, unsignableHeaders, signableHeaders); const signature = await this.getSignature( longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request, canonicalHeaders, payloadHash) ); request.headers[AUTH_HEADER] = `${ALGORITHM_IDENTIFIER} Credential=${credentials.accessKeyId}/${scope}, SignedHeaders=${getCanonicalHeaderList(canonicalHeaders)}, Signature=${signature}`; return request; } createCanonicalRequest(request, canonicalHeaders, payloadHash) { const sortedHeaders = Object.keys(canonicalHeaders).sort(); return `${request.method} ${this.getCanonicalPath(request)} ${getCanonicalQuery(request)} ${sortedHeaders.map((name) => `${name}:${canonicalHeaders[name]}`).join("\n")} ${sortedHeaders.join(";")} ${payloadHash}`; } async createStringToSign(longDate, credentialScope, canonicalRequest) { const hash = new this.sha256(); hash.update((0, import_util_utf84.toUint8Array)(canonicalRequest)); const hashedRequest = await hash.digest(); return `${ALGORITHM_IDENTIFIER} ${longDate} ${credentialScope} ${(0, import_util_hex_encoding.toHex)(hashedRequest)}`; } getCanonicalPath({ path }) { if (this.uriEscapePath) { const normalizedPathSegments = []; for (const pathSegment of path.split("/")) { if ((pathSegment == null ? void 0 : pathSegment.length) === 0) continue; if (pathSegment === ".") continue; if (pathSegment === "..") { normalizedPathSegments.pop(); } else { normalizedPathSegments.push(pathSegment); } } const normalizedPath = `${(path == null ? void 0 : path.startsWith("/")) ? "/" : ""}${normalizedPathSegments.join("/")}${normalizedPathSegments.length > 0 && (path == null ? void 0 : path.endsWith("/")) ? "/" : ""}`; const doubleEncoded = (0, import_util_uri_escape.escapeUri)(normalizedPath); return doubleEncoded.replace(/%2F/g, "/"); } return path; } async getSignature(longDate, credentialScope, keyPromise, canonicalRequest) { const stringToSign = await this.createStringToSign(longDate, credentialScope, canonicalRequest); const hash = new this.sha256(await keyPromise); hash.update((0, import_util_utf84.toUint8Array)(stringToSign)); return (0, import_util_hex_encoding.toHex)(await hash.digest()); } getSigningKey(credentials, region, shortDate, service) { return getSigningKey(this.sha256, credentials, shortDate, region, service || this.service); } validateResolvedCredentials(credentials) { if (typeof credentials !== "object" || // @ts-expect-error: Property 'accessKeyId' does not exist on type 'object'.ts(2339) typeof credentials.accessKeyId !== "string" || // @ts-expect-error: Property 'secretAccessKey' does not exist on type 'object'.ts(2339) typeof credentials.secretAccessKey !== "string") { throw new Error("Resolved credential object is not valid"); } } }; __name(_SignatureV4, "SignatureV4"); var SignatureV4 = _SignatureV4; var formatDate = /* @__PURE__ */ __name((now) => { const longDate = iso8601(now).replace(/[\-:]/g, ""); return { longDate, shortDate: longDate.slice(0, 8) }; }, "formatDate"); var getCanonicalHeaderList = /* @__PURE__ */ __name((headers) => Object.keys(headers).sort().join(";"), "getCanonicalHeaderList"); // Annotate the CommonJS export names for ESM import in node: 0 && (module.exports = { getCanonicalHeaders, getCanonicalQuery, getPayloadHash, moveHeadersToQuery, prepareRequest, SignatureV4, createScope, getSigningKey, clearCredentialCache });