Google Cloud CDN signed cookies with bucket as backend
As an alternative to signed urls with a url prefix, I'm trying to get signed cookies working. Google Cloud CDN is setup with a backend bucket which is configured and working for standard signed urls.
Using these Go examples I've implemented a cookie signing function in nodejs(typescript) that when provied with the test sample data produces the expected outcome.
export function signCookie(urlPrefix: any, keyName: string, key: any, experation: Date): string {
// Base64url encode the url prefix
const urlPrefixEncoded = Buffer.from(urlPrefix)
.toString('base64')
.replace(/\+/g, '-')
.replace(/\//g, '_');
// Input to be signed
const input = `URLPrefix=${urlPrefixEncoded}:Expires=${experation.getTime()}:KeyName=${keyName}`;
// Create bytes from given key string.
const keyBytes = Buffer.from(key, 'base64');
// Use key bytes and crypto.createHmac to produce a base64 encoded signature which is then escaped to be base64url encoded.
const signature = createHmac('sha1', keyBytes)
.update(input)
.digest('base64').replace(/\+/g, '-')
.replace(/\//g, '_');
// Adding the signature on the end if the cookie value
const signedValue = `${input}:Signature=${signature}`;
return signedValue;
}
When I then use the same function to produce signed cookie values for my actual cdn instance I get the following (key name and url prefix not actual):
URLPrefix=aHR0cHM6L------------------HdhcmUuaW8v:Expires=1587585646437:KeyName=my-key-name:Signature=2mJbbtYVclycXBGIpKzsJWuLXEA=
Creating a cooking using firefox dev tools I get the following two results when the cookie is attached and when it is not:
It appears that the cookie "Cloud-CDN-Cookie" is just being passed through Cloud CDN and straight to the backend bucket where it's ignored and the standard response access denied response is given.
The cloud platform logs shows no cdn intervention.
With cookie attached
No cookie attached
Is there something in either the signing implementation or creation and use of the cookie that I'm doing wrong?
My Google project did not yet have the signed cookie feature enabled. Another user contacted support and once the issue was resolved for them it was resolved for me no change to code and it works.
This is my final nodejs(typescript) signed cookie implementation.
function signCookie(urlPrefix: any, keyName: string, key: any, experation: Date): string {
// Base64url encode the url prefix
const urlPrefixEncoded = Buffer.from(urlPrefix)
.toString('base64')
.replace(/\+/g, '-')
.replace(/\//g, '_');
// Input to be signed
const input = `URLPrefix=${urlPrefixEncoded}:Expires=${experation.getTime()}:KeyName=${keyName}`;
// Create bytes from given key string.
const keyBytes = Buffer.from(key, 'base64');
// Use key bytes and crypto.createHmac to produce a base64 encoded signature which is then escaped to be base64url encoded.
const signature = createHmac('sha1', keyBytes)
.update(input)
.digest('base64').replace(/\+/g, '-')
.replace(/\//g, '_');
// Adding the signature on the end if the cookie value
const signedValue = `${input}:Signature=${signature}`;
return signedValue;
}
- How to configure google load balancer to route to cloud run service using url mask but strip service from url
- Datastore export logic in Java
- Does snapshot size is less than actual disk size even disk is full in google cloud?
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- Firebase Firestore: Accessing Never-Retrieved Data Offline
- How to write a REGEXP_EXTRACT expression in Google Cloud Logging config json?
- Why does my GKE cluster not show any events?
- Python to get billing info from Gcloud
- Google Cloud: sign a JWT while impersonating a service account
- Google recaptcha enterprise: Your default credentials were not found
- Firebase Admin SDK cant upload to storage bucket folder
- Accessing Firestore via Cloud Function
- Problem with executing asynchronous Cloud Function
- do you need to create a separate collection/document for reading an aggregated document with firebase cloud function
- httpsCallable is not a function when calling a Firebase function
- Google Cloud Eventarc: Receive events via Pub/Sub directly
- Android Studio's project gradle file changed?
- How to listen to button triggers using Firebase
- gcloud auth login throwing error: gcloud crashed (ConnectionError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded
- Google Cloud Build Error: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
- Terraform - GCP - Import project IAM member
- Choosing fields to return with Places API (new) client library
- Deploy to Update version of Gmail App Script Extension
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?