aws-cloudfront-sign
v3.0.2
Published
Utility module for signing AWS CloudFront URLs
Downloads
136,255
Readme
AWS CloudFront URL Signature Utility
NOTE
The AWS SDK for JavaScript has added support for generating signed URLs and Cookies. Please see Class: AWS.CloudFront.Signer
Generating signed URLs for CloudFront links is a little more tricky than for S3. It's because signature generation for S3 URLs is handled a bit differently than CloudFront URLs and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.
Usage
Requirements
- Node.js >=18
- Active CloudFront distribution with origin configured
Configuring CloudFront
Create a CloudFront distribution
Configure your origin with the following settings:
Origin Domain Name: {your-s3-bucket} Restrict Bucket Access: Yes Grant Read Permissions on Bucket: Yes, Update Bucket Policy
Create CloudFront Key Pair. more info
Installing
npm install aws-cloudfront-sign
TypeScript
import { SignatureOptions } from 'aws-cloudfront-sign/types'
Upgrading from 2.x to 3.x
- There shouldn't be any breaking changes when coming to 3.x. RTMP URLs were deprecated by Amazon but that will affect all versions.
- Support for ES Modules was added
- Support for TypeScript was added
Upgrading from 1.x to 2.x
expireTime
now takes it's value as milliseconds, Date, or moment instead of seconds.
API
getSignedUrl(url, options)
@param {String} url
- Cloudfront URL to sign@param {Object} options
- URL signature options@return {String} signedUrl
- Signed CloudFrontUrl
getSignedCookies(url, options)
@param {String} url
- Cloudfront URL to sign@param {Object} options
- URL signature options@return {Object} cookies
- Signed AWS cookies
~~getSignedRTMPUrl(domainName, s3key, options)~~
⛔️ Deprecated: RTMP Support Discontinuing on December 31, 2020
- ~~
@param {String} domainName
- Domain name of your Cloudfront distribution~~ - ~~
@param {String} s3key
- Path to s3 object~~ - ~~
@param {Object} options
- URL signature options~~ - ~~
@return {Object} url.rtmpServerPath
- RTMP formatted server path~~ - ~~
@return {Object} url.rtmpStreamName
- Signed RTMP formatted stream name~~
Options
expireTime
(Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are- number - Time in milliseconds (
new Date().getTime() + 1800000
) - moment - Valid momentjs object (
moment().add(1, 'day')
) - Date - Javascript Date object (
new Date(2016, 0, 1)
)
- number - Time in milliseconds (
ipRange
(Optional) - IP address range allowed to make GET requests for your signed URL. This value must be given in standard IPv4 CIDR format (for example, 10.52.176.0/24).keypairId
- The access key ID from your Cloudfront keypairprivateKeyString
||privateKeyPath
- The private key from your Cloudfront keypair. It can be provided as either a string or a path to the .pem file. Note: When providing the private key as a string, ensure that the newline character is also included.const privateKeyString = '-----BEGIN RSA PRIVATE KEY-----\n' 'MIIJKAIBAAKCAgEAwGPMqEvxPYQIffDimM9t3A7Z4aBFAUvLiITzmHRc4UPwryJp\n' 'EVi3C0sQQKBHlq2IOwrmqNiAk31/uh4FnrRR1mtQm4x4IID58cFAhKkKI/09+j1h\n' 'tuf/gLRcOgAXH9o3J5zWjs/y8eWTKtdWv6hWRxuuVwugciNckxwZVV0KewO02wJz\n' 'jBfDw9B5ghxKP95t7/B2AgRUMj+r47zErFwo3OKW0egDUpV+eoNSBylXPXXYKvsL\n' 'AlznRi9xNafFGy9tmh70pwlGG5mVHswD/96eUSuLOZ2srcNvd1UVmjtHL7P9/z4B\n' 'KdODlpb5Vx+54+Fa19vpgXEtHgfAgGW9DjlZMtl4wYTqyGAoa+SLuehjAQsxT8M1\n' 'BXqfMJwE7D9XHjxkqCvd93UGgP+Yxe6H+HczJeA05dFLzC87qdM45R5c74k=\n' '-----END RSA PRIVATE KEY-----'
Also, here are some examples if prefer to store your private key as a string but within an environment variable.
# Local env example CF_PRIVATE_KEY="$(cat your-private-key.pem)" # Heroku env heroku config:set CF_PRIVATE_KEY="$(cat your-private-key.pem)"
Examples
Creating a signed URL
By default the URL will expire after half an hour.
// ESM: import { getSignedUrl } from 'aws-cloudfront-sign'
const cf = require('aws-cloudfront-sign')
const options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
const signedUrl = cf.getSignedUrl('http://xxxxxxx.cloudfront.net/path/to/s3/object', options);
console.log('Signed URL: ' + signedUrl);
Creating signed cookies
// ESM: import { getSignedCookies } from 'aws-cloudfront-sign'
const cf = require('aws-cloudfront-sign')
const options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
const signedCookies = cf.getSignedCookies('http://xxxxxxx.cloudfront.net/*', options);
// You can now set cookies in your response header. For example:
for(var cookieId in signedCookies) {
res.cookie(cookieId, signedCookies[cookieId]);
}