tessl/npm-aws-sdk--middleware-signing
AWS SDK for JavaScript v3 middleware for request signing - DEPRECATED: only used in legacy auth implementation
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
To install, run
npx @tessl/cli install tessl/npm-aws-sdk--middleware-signing@3.873.0index.mddocs/
AWS SDK Middleware Signing
⚠️ DEPRECATED PACKAGE: This package is deprecated and only used in legacy authentication implementations. It is no longer used in the current AWS SDK as of the Smithy Reference Architecture implementation of identity and auth.
AWS SDK Middleware Signing provides middleware functionality for signing AWS requests in the AWS SDK for JavaScript v3. It implements authentication middleware that integrates with AWS credentials and request signing mechanisms, including configuration management for AWS authentication settings and utilities for clock skew correction.
Package Information
- Package Name: @aws-sdk/middleware-signing
- Package Type: npm
- Language: TypeScript
- Installation:
npm install @aws-sdk/middleware-signing - Minimum Node Version: 18.0.0
Core Imports
import {
AwsAuthInputConfig,
AwsAuthResolvedConfig,
SigV4AuthInputConfig,
SigV4AuthResolvedConfig,
resolveAwsAuthConfig,
resolveSigV4AuthConfig,
awsAuthMiddleware,
awsAuthMiddlewareOptions,
getAwsAuthPlugin,
getSigV4AuthPlugin
} from "@aws-sdk/middleware-signing";For CommonJS:
const {
AwsAuthInputConfig,
resolveAwsAuthConfig,
awsAuthMiddleware,
getAwsAuthPlugin
} = require("@aws-sdk/middleware-signing");Basic Usage
import {
resolveAwsAuthConfig,
getAwsAuthPlugin,
AwsAuthInputConfig,
AwsAuthResolvedConfig
} from "@aws-sdk/middleware-signing";
import { fromEnv } from "@aws-sdk/credential-providers";
// Configure authentication settings
const authConfig: AwsAuthInputConfig = {
credentials: fromEnv(),
signingRegion: "us-east-1",
signingEscapePath: true,
systemClockOffset: 0
};
// Resolve the configuration
const resolvedConfig: AwsAuthResolvedConfig = resolveAwsAuthConfig({
...authConfig,
// Additional required configuration properties would go here
credentialDefaultProvider: () => fromEnv(),
region: "us-east-1",
serviceId: "myservice",
sha256: /* hash constructor */,
useFipsEndpoint: async () => false,
useDualstackEndpoint: async () => false
});
// Create and use the auth plugin
const authPlugin = getAwsAuthPlugin(resolvedConfig);
// Apply to client stack: clientStack.add(authPlugin)Architecture
The middleware signing package is built around several key components:
- Configuration Interfaces: Define input and resolved configuration structures for AWS authentication
- Configuration Resolvers: Transform input configurations into resolved configurations with proper defaults
- Middleware Functions: Core middleware that performs request signing within the Smithy middleware stack
- Plugin Factory Functions: Create plugins that can be added to client middleware stacks
- Clock Skew Utilities: Handle time synchronization between client and server to prevent signing errors
Capabilities
Configuration Types
Core configuration interfaces for AWS authentication and SigV4 authentication settings.
/**
* Input configuration for AWS authentication (deprecated)
*/
interface AwsAuthInputConfig {
/** The credentials used to sign requests */
credentials?: AwsCredentialIdentity | Provider<AwsCredentialIdentity>;
/** The signer to use when signing requests */
signer?: RequestSigner | ((authScheme?: AuthScheme) => Promise<RequestSigner>);
/** Whether to escape request path when signing the request */
signingEscapePath?: boolean;
/** An offset value in milliseconds to apply to all signing times */
systemClockOffset?: number;
/** The region where you want to sign your request against */
signingRegion?: string;
/** Injectable SigV4-compatible signer class constructor (internal) */
signerConstructor?: new (options: SignatureV4Init & SignatureV4CryptoInit) => RequestSigner;
}
/**
* Input configuration for SigV4 authentication (deprecated)
*/
interface SigV4AuthInputConfig {
/** The credentials used to sign requests */
credentials?: AwsCredentialIdentity | Provider<AwsCredentialIdentity>;
/** The signer to use when signing requests */
signer?: RequestSigner | ((authScheme?: AuthScheme) => Promise<RequestSigner>);
/** Whether to escape request path when signing the request */
signingEscapePath?: boolean;
/** An offset value in milliseconds to apply to all signing times */
systemClockOffset?: number;
}
/**
* Resolved configuration for AWS authentication (internal, deprecated)
*/
interface AwsAuthResolvedConfig {
/** Resolved credentials provider with memoization */
credentials: MemoizedProvider<AwsCredentialIdentity>;
/** Resolved signer function */
signer: (authScheme?: AuthScheme) => Promise<RequestSigner>;
/** Resolved signing escape path flag */
signingEscapePath: boolean;
/** Resolved system clock offset */
systemClockOffset: number;
}
/**
* Resolved configuration for SigV4 authentication, extends AwsAuthResolvedConfig (internal, deprecated)
*/
interface SigV4AuthResolvedConfig extends AwsAuthResolvedConfig {}Configuration Resolution
Functions that resolve input configurations into fully configured objects with proper defaults and validation.
/**
* Resolves AWS authentication configuration from input config
* @param input - Input configuration object combining auth config with previously resolved config
* @returns Resolved configuration object with all required properties
*/
function resolveAwsAuthConfig<T>(
input: T & AwsAuthInputConfig & PreviouslyResolved
): T & AwsAuthResolvedConfig;
/**
* Resolves SigV4 authentication configuration from input config
* @param input - Input configuration object combining SigV4 auth config with previously resolved config
* @returns Resolved SigV4 configuration object with all required properties
*/
function resolveSigV4AuthConfig<T>(
input: T & SigV4AuthInputConfig & SigV4PreviouslyResolved
): T & SigV4AuthResolvedConfig;Usage Example:
import { resolveAwsAuthConfig, AwsAuthInputConfig } from "@aws-sdk/middleware-signing";
import { fromEnv } from "@aws-sdk/credential-providers";
const inputConfig: AwsAuthInputConfig = {
credentials: fromEnv(),
signingRegion: "us-west-2",
signingEscapePath: true,
systemClockOffset: 0
};
// Note: In practice, additional properties would be required
const resolvedConfig = resolveAwsAuthConfig({
...inputConfig,
credentialDefaultProvider: () => fromEnv(),
region: "us-west-2",
serviceId: "s3",
sha256: /* hash constructor */,
useFipsEndpoint: async () => false,
useDualstackEndpoint: async () => false
});
console.log(resolvedConfig.signingEscapePath); // true
console.log(resolvedConfig.systemClockOffset); // 0Middleware Functions
Core middleware and configuration objects for integrating request signing into the Smithy middleware stack.
/**
* Creates AWS authentication middleware for request signing (deprecated)
* @param options - Resolved AWS authentication configuration
* @returns Middleware function that signs requests
*/
function awsAuthMiddleware<Input extends object, Output extends object>(
options: AwsAuthResolvedConfig
): FinalizeRequestMiddleware<Input, Output>;
/**
* Middleware options for AWS authentication middleware (deprecated)
*/
const awsAuthMiddlewareOptions: RelativeMiddlewareOptions;Usage Example:
import { awsAuthMiddleware, awsAuthMiddlewareOptions } from "@aws-sdk/middleware-signing";
// Assuming you have a resolved config
const middleware = awsAuthMiddleware(resolvedConfig);
// Add to middleware stack with options
clientStack.addRelativeTo(middleware, awsAuthMiddlewareOptions);Plugin Factory Functions
Functions that create plugins for adding authentication middleware to client stacks.
/**
* Creates a plugin for AWS authentication middleware (deprecated)
* @param options - Resolved AWS authentication configuration
* @returns Plugin object for adding to client stack
*/
function getAwsAuthPlugin(options: AwsAuthResolvedConfig): Pluggable<any, any>;
/**
* Alias for getAwsAuthPlugin - creates a plugin for SigV4 authentication middleware (deprecated)
* @param options - Resolved AWS authentication configuration
* @returns Plugin object for adding to client stack
*/
function getSigV4AuthPlugin(options: AwsAuthResolvedConfig): Pluggable<any, any>;Usage Example:
import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
// Create the plugin
const authPlugin = getAwsAuthPlugin(resolvedConfig);
// Apply to client stack
authPlugin.applyToStack(clientStack);
// Equivalent using getSigV4AuthPlugin
const sigV4Plugin = getSigV4AuthPlugin(resolvedConfig);
sigV4Plugin.applyToStack(clientStack);Clock Skew Utilities
Note: These utilities are used internally by the middleware but are not exported via the main index. They are available for import directly from their module paths.
/**
* Returns a date that is corrected for clock skew
* @param systemClockOffset - The offset of the system clock in milliseconds
* @returns Date corrected for clock skew
*/
function getSkewCorrectedDate(systemClockOffset: number): Date;
/**
* Returns updated system clock offset based on server time if clock is skewed
* @param clockTime - The string value of the server time
* @param currentSystemClockOffset - The current system clock offset
* @returns Updated system clock offset
*/
function getUpdatedSystemClockOffset(clockTime: string, currentSystemClockOffset: number): number;
/**
* Checks if the provided date is within the skew window of 300000ms (5 minutes)
* @param clockTime - The time to check for skew in milliseconds
* @param systemClockOffset - The offset of the system clock in milliseconds
* @returns True if clock is skewed beyond acceptable window
*/
function isClockSkewed(clockTime: number, systemClockOffset: number): boolean;Types
Core type definitions used throughout the middleware signing functionality.
// From @aws-sdk/types
type AwsCredentialIdentity = {
accessKeyId: string;
secretAccessKey: string;
sessionToken?: string;
expiration?: Date;
};
type Provider<T> = T | (() => Promise<T>);
// From @smithy/types
type MemoizedProvider<T> = () => Promise<T>;
type RequestSigner = {
sign(request: HttpRequest, options?: SigningOptions): Promise<HttpRequest>;
};
type AuthScheme = {
name: string;
signingName?: string;
signingRegion?: string;
signingRegionSet?: string[];
properties?: Record<string, any>;
};
type FinalizeRequestMiddleware<Input extends object, Output extends object> = (
next: FinalizeHandler<Input, Output>,
context: HandlerExecutionContext
) => FinalizeHandler<Input, Output>;
type Pluggable<Input extends object, Output extends object> = {
applyToStack: (clientStack: MiddlewareStack<Input, Output>) => void;
};
type RelativeMiddlewareOptions = {
name: string;
tags: string[];
relation: "before" | "after";
toMiddleware: string;
override: boolean;
};
// Internal types used by configuration resolvers
type PreviouslyResolved = {
credentialDefaultProvider: (input: any) => MemoizedProvider<AwsCredentialIdentity>;
region: string | Provider<string>;
regionInfoProvider?: RegionInfoProvider;
signingName?: string;
defaultSigningName?: string;
serviceId: string;
sha256: ChecksumConstructor | HashConstructor;
useFipsEndpoint: Provider<boolean>;
useDualstackEndpoint: Provider<boolean>;
};
type SigV4PreviouslyResolved = {
credentialDefaultProvider: (input: any) => MemoizedProvider<AwsCredentialIdentity>;
region: string | Provider<string>;
signingName: string;
sha256: ChecksumConstructor | HashConstructor;
logger?: Logger;
};
// Additional utility types
type RegionInfoProvider = (
region: string,
options: { useFipsEndpoint: boolean; useDualstackEndpoint: boolean }
) => Promise<RegionInfo | undefined>;
type RegionInfo = {
signingRegion?: string;
signingService?: string;
};
type ChecksumConstructor = new () => { update(data: any): void; digest(): Uint8Array };
type HashConstructor = ChecksumConstructor;
type Logger = { trace?: (msg: any) => void; debug?: (msg: any) => void; info?: (msg: any) => void; warn?: (msg: any) => void; error?: (msg: any) => void };
type FinalizeHandler<Input extends object, Output extends object> = (
args: FinalizeHandlerArguments<Input>
) => Promise<FinalizeHandlerOutput<Output>>;
type FinalizeHandlerArguments<Input extends object> = {
input: Input;
request: HttpRequest;
};
type FinalizeHandlerOutput<Output extends object> = {
output: Output;
response: HttpResponse;
};
type MiddlewareStack<Input extends object, Output extends object> = {
addRelativeTo: (middleware: any, options: RelativeMiddlewareOptions) => void;
};
type HandlerExecutionContext = {
endpointV2?: {
properties?: {
authSchemes?: AuthScheme[];
};
};
signing_region?: string;
signing_service?: string;
s3ExpressIdentity?: AwsCredentialIdentity;
};
type HttpRequest = {
method: string;
protocol: string;
hostname: string;
port?: number;
path: string;
query?: Record<string, string | string[]>;
headers: Record<string, string>;
body?: any;
};
type HttpResponse = {
statusCode: number;
headers: Record<string, string>;
body?: any;
};
type SigningOptions = {
signingDate?: Date;
signingRegion?: string;
signingService?: string;
};
// Signature V4 related types (internal)
type SignatureV4Init = {
credentials: MemoizedProvider<AwsCredentialIdentity>;
region: string | Provider<string>;
service: string;
uriEscapePath?: boolean;
};
type SignatureV4CryptoInit = {
sha256: ChecksumConstructor | HashConstructor;
};Error Handling
The middleware may throw errors in the following scenarios:
- Clock Skew Errors: When system time differs significantly from server time, automatic correction is attempted
- Signing Errors: When request signing fails due to invalid credentials or malformed requests
- S3 Express Errors: Specific validation for S3 Express requests that must not contain security tokens
Common error handling pattern:
try {
const signedRequest = await signer.sign(request, signingOptions);
} catch (error) {
// Handle signing errors
if (error.name === 'SigningError') {
// Handle specific signing issues
}
throw error;
}Migration Notes
Important: This package is deprecated. For new implementations:
- Use the Smithy Reference Architecture for identity and authentication
- Consider migrating existing implementations to the new auth system
- This package remains available only for backward compatibility with legacy code
The deprecation affects all exported APIs, and developers should plan migration to the current AWS SDK authentication mechanisms.