尝试通过 Cloud CDN 访问 GCP 存储桶内容时获取 `signed
我正在使用签名 cookie,通过 Cloud CDN 访问存储在 GCP 存储桶中的一些受限文件。我正在使用以下功能对 cookie 进行签名:
signCookie(urlPrefix: string, keyName: string, key: string, expires: number) {
// Base64url encode the url prefix
const urlPrefixEncoded = Buffer.from(urlPrefix).toString('base64url');
// Input to be signed
const input = `URLPrefix=${urlPrefixEncoded}:Expires=${expires}:KeyName=${keyName}`;
// Create bytes from given key string.
const keyBytes = Buffer.from(key, 'base64');
// Use key bytes and crypto.createHmac to produce a base64 encoded signature which is then escaped to be base64url encoded.
const signature = createHmac('sha1', keyBytes).update(input).digest('base64url');
// Adding the signature on the end if the cookie value
const signedValue = `${input}:Signature=${signature}`;
return signedValue;
}
正在生成 cookie 并发送到 CDN,但它失败并显示状态 403,并出现以下消息:
Error: Forbidden
Your client does not have permission to get URL ********/sample.pdf from this server.
在检查时,负载均衡器记录,我得到这个
statusDetails: "signed_request_invalid_format"此答案适用于使用
expresssign cookieresponse.cookie('Cloud-CDN-Cookie', cookieValue, {
httpOnly: true,
expires: new Date(cookieExpiryTime),
});
cookie 值得到 URI 编码,结果是 URL 的所有保留字符,如
=%3DURLPrefix=$BASE64URLECNODEDURLORPREFIX:Expires=$TIMESTAMP:KeyName=$KEYNAME:Signature=$BASE64URLENCODEDHMAC
要解决此问题,请在设置 cookie 时传递额外的编码功能:
response.cookie('Cloud-CDN-Cookie', cookieValue, {
httpOnly: true,
expires: new Date(cookieExpiryTime),
encode: val => val
});
希望它能为您节省时间。