Repeated query string variables are sorted by value
lexanth opened this issue · 1 comments
We're using aws-sigv4-proxy to sign requests to send to an API gateway. We have some APIs that we're using which are sensitive to the order of the query string parameters.
e.g. ?a=1&a=2 is not equivalent to ?a=2&a=1. This seems uncommon but not unreasonable.
The proxy sorts query string variables by key and value, so if we send ?a=2&a=1, the service we're calling receives ?a=1&a=2 and responds accordingly.
I believe this comes from aws/aws-sdk-go#1495. https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html is now explicit that for the canonical request, the parameters must be sorted by value.
What I don't know is if the canonical request used to create the signature must exactly match the request we send, or would the API gateway recalculate the canonical signature according to those rules from the actual request it receives? If the latter, aws-sigv4-proxy could use the original request with the signature generated from the canonical request it creates.
We have some workarounds available, but it seems surprising that the proxy would mutate the request more than necessary.
The proxy should not modify the request (i.e. reorder query parameters) that you send. The canonical request is generated dynamically when doing the sigv4 signature.
If you are seeing the request being modified at server side, then it's a bug in the sigv4-proxy that we should fix.
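As an added illustration of the thread's point (not code from aws-sigv4-proxy or the AWS SDK), the sketch below builds the canonical query string the way the SigV4 documentation linked above describes, from a copy of the query, so the string that gets forwarded keeps the sender's order. The function names `sigv4Escape` and `canonicalQuery` and the sample queries are constructed for this example.

```go
package main
import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// sigv4Escape URI-encodes s for SigV4: a space becomes %20, not "+".
func sigv4Escape(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// canonicalQuery sorts by encoded name, then encoded value; rawQuery is untouched.
func canonicalQuery(rawQuery string) (string, error) {
	var pairs [][2]string
	for _, part := range strings.Split(rawQuery, "&") {
		if part == "" {
			continue
		}
		name, value, _ := strings.Cut(part, "=")
		n, err := url.QueryUnescape(name)
		if err != nil {
			return "", err
		}
		v, err := url.QueryUnescape(value)
		if err != nil {
			return "", err
		}
		pairs = append(pairs, [2]string{sigv4Escape(n), sigv4Escape(v)})
	}
	sort.Slice(pairs, func(i, j int) bool {
		if pairs[i][0] != pairs[j][0] {
			return pairs[i][0] < pairs[j][0]
		}
		return pairs[i][1] < pairs[j][1]
	})
	out := make([]string, len(pairs))
	for i, p := range pairs {
		out[i] = p[0] + "=" + p[1]
	}
	return strings.Join(out, "&"), nil
}

func main() {
	canon, err := canonicalQuery("a=2&a=1") // constructed sample query
	fmt.Println(canon, err)
}
```

Both `a=2&a=1` and `a=1&a=2` canonicalize to the same string, so a signature computed over the canonical form does not depend on the order in which the repeated parameter is sent.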