Problem
When auth=Auth.static_credentials(...) enables SigV4 signing, Alternator handlers mutate prepared requests in the before-send.dynamodb.* phase. At that point botocore has already added the Authorization header.
Two mutations are affected:
alternator.core.handlers.update_endpoint() rewrites request.url to a selected Alternator node.alternator.core.compression.compress_request() can replace the request body with gzip bytes and update Content-Length / Content-Encoding.
This means a signed request can be sent with a host and/or payload that differs from the data used to compute the signature.
Evidence
A local prepared-request capture showed before-sign observing an unsigned request body and URL, while before-send observed an Authorization header after the URL/body had been rewritten.
Relevant code:
alternator/client.py: _create_boto_config() enables normal botocore signing when auth is enabled.alternator/core/handlers.py: endpoint routing is registered on before-send.dynamodb.*.alternator/core/compression.py: gzip body mutation is also registered on before-send.dynamodb.*.
Expected behavior
Any URL/body/header mutations that participate in SigV4 canonical request calculation should happen before signing, or signed requests should be explicitly re-signed after mutation.
Test coverage needed
Add a unit test that captures signed requests and verifies the signed canonical inputs match the final URL/body sent on the wire for:
- endpoint routing with static auth
- gzip request compression with static auth
- endpoint routing plus compression with static auth
Problem
When
auth=Auth.static_credentials(...)enables SigV4 signing, Alternator handlers mutate prepared requests in thebefore-send.dynamodb.*phase. At that point botocore has already added theAuthorizationheader.Two mutations are affected:
alternator.core.handlers.update_endpoint()rewritesrequest.urlto a selected Alternator node.alternator.core.compression.compress_request()can replace the request body with gzip bytes and updateContent-Length/Content-Encoding.This means a signed request can be sent with a host and/or payload that differs from the data used to compute the signature.
Evidence
A local prepared-request capture showed
before-signobserving an unsigned request body and URL, whilebefore-sendobserved anAuthorizationheader after the URL/body had been rewritten.Relevant code:
alternator/client.py:_create_boto_config()enables normal botocore signing when auth is enabled.alternator/core/handlers.py: endpoint routing is registered onbefore-send.dynamodb.*.alternator/core/compression.py: gzip body mutation is also registered onbefore-send.dynamodb.*.Expected behavior
Any URL/body/header mutations that participate in SigV4 canonical request calculation should happen before signing, or signed requests should be explicitly re-signed after mutation.
Test coverage needed
Add a unit test that captures signed requests and verifies the signed canonical inputs match the final URL/body sent on the wire for: