AWS Signatures with duplicate querystring values are invalid #2384

Closed
stevenh opened this issue Oct 5, 2016 · 9 comments

stevenh commented Oct 5, 2016

  1. Postman Version: 4.7.2
  2. App: Chrome app
  3. OS details: Windows 10 x64
  4. Is the Interceptor on and enabled in the app: Yes
  5. Did you encounter this recently, or has this bug always been there: Always
  6. Expected behaviour: AWS Authentication should work

Sign a request with AWS auth which includes duplicate querystring fields, e.g.
?uuid=26cadde4-4d54-11e6-b0d9-bb25bde55563&uuid=26cadde4-4d54-11e6-b0d9-bb25bde55564

The signature should work but it doesn't. I believe this is due to the fact that values are somehow sorted before signing (common bug in AWS auth libs).

@SamvelRaja

Thanks for bringing this to our notice. We shall investigate this and let you know the progress here 😄

@vegetableman

@stevenh The issue has been fixed on our internal build and will be made part of the upcoming releases. Will keep you posted.

vegetableman added this to the 4.8 milestone Oct 12, 2016

sdnts commented Oct 14, 2016

Hey @stevenh, can you try updating to the latest version (4.8) and verify if this is fixed?

sdnts added pending-close and removed bug labels Oct 14, 2016

stevenh commented Oct 14, 2016

Confirmed this now works as expected, thanks for that 👍

sdnts closed this as completed Oct 14, 2016

stevenh commented Aug 25, 2017

Looks like this has been broken again :(


sdnts commented Aug 25, 2017

@stevenh A major auth rework is planned on an upcoming release, we'll take this up then.
You can follow our roadmap here


stevenh commented Aug 25, 2017

Cool and thanks!
As noted on the other ticket I think I may have been premature on the report. We switched decoding libs to the AWS official golang SDK and it might be that's where the bug lies.


stevenh commented Aug 25, 2017

Just to confirm this new report was due to a bug in the official AWS golang SDK, which has been reported here: aws/aws-sdk-go#1491 so please feel free to close this as it does work as expected.


stevenh commented Aug 30, 2017

Just to update on this, the question has been asked as to if the current published AWS v4 spec is the canonical source of truth.

Current thinking is this is not the case, which is leading to all sorts of issues.

I've raised an issue on the official AWS golang SDK in the hope we can come to an official conclusion and get any issues with the spec fixed.
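
An added example, not code from this thread, Postman, or the AWS SDK: it shows why the handling of repeated query names discussed above matters, since a signer that sorts the values and a verifier that keeps request order compute different HMACs for the same request. `canonicalQuery`, `sign` and the demo key are hypothetical names, and `sign` is a simplified stand-in for the full SigV4 signing chain.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// canonicalQuery sorts parameter names; sortValues chooses whether values that
// share a name are sorted too or kept in the order the request carried them.
func canonicalQuery(rawQuery string, sortValues bool) (string, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	names := make([]string, 0, len(vals))
	for n := range vals {
		names = append(names, n)
	}
	sort.Strings(names)
	var pairs []string
	for _, n := range names {
		if sortValues {
			sort.Strings(vals[n])
		}
		for _, v := range vals[n] {
			// RFC 3986 style encoding: a space is %20, not "+".
			pair := url.QueryEscape(n) + "=" + url.QueryEscape(v)
			pairs = append(pairs, strings.ReplaceAll(pair, "+", "%20"))
		}
	}
	return strings.Join(pairs, "&"), nil
}

// sign stands in for the final SigV4 HMAC step; the key is a constructed value.
func sign(canonical string) string {
	m := hmac.New(sha256.New, []byte("constructed-demo-key"))
	m.Write([]byte(canonical))
	return fmt.Sprintf("%x", m.Sum(nil))
}

func main() {
	q := "b=2&a=1&a=0" // constructed query with a repeated name
	sorted, _ := canonicalQuery(q, true)
	kept, _ := canonicalQuery(q, false)
	fmt.Println(sorted, kept, sign(sorted) == sign(kept))
}
```

With the sample query from the first comment, whose two `uuid` values are already in ascending order, both modes return the same string; the mismatch only appears when the request carries the repeated values in a different order.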
