npm - @prmichaelsen/firebase-admin-sdk-v8 - Versions diffs - 2.3.0 → 2.3.1 - Mend

@prmichaelsen/firebase-admin-sdk-v8 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [2.3.1] - 2026-02-14
+### Fixed
+- **CRITICAL**: Fixed signed URL generation to match Google Cloud Storage SDK encoding
+- Implemented `fixedEncodeURIComponent` to additionally encode `! * ' ( )` characters
+- This fixes `SignatureDoesNotMatch` errors in production environments
+- Path encoding now exactly matches official `@google-cloud/storage` SDK behavior
 ## [2.3.0] - 2026-02-14
 ### Added

package/dist/index.js CHANGED Viewed

@@ -1372,7 +1372,7 @@ function getStorageBucket() {
     return customBucket;
   }
   const projectId = getProjectId();
-  return `${projectId}.appspot.com`;
+  return `${projectId}.firebasestorage.app`;
 }
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
@@ -1390,10 +1390,18 @@ function actionToMethod(action) {
       return "DELETE";
   }
 }
-function stringToHex(str) {
+function fixedEncodeURIComponent(str) {
+  return encodeURIComponent(str).replace(
+    /[!'()*]/g,
+    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
+  );
+}
+async function sha256Hex(str) {
   const encoder = new TextEncoder();
-  const bytes = encoder.encode(str);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const data = encoder.encode(str);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 async function signData(data, privateKey) {
   const pemHeader = "-----BEGIN PRIVATE KEY-----";
@@ -1458,17 +1466,15 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const encodedPath = path.split("/").map((segment) => fixedEncodeURIComponent(segment)).join("/");
   const canonicalUri = `/${bucket}/${encodedPath}`;
-  const canonicalRequest = [
-    method,
-    canonicalUri,
-    canonicalQueryString,
-    canonicalHeaders,
-    signedHeaders,
-    "UNSIGNED-PAYLOAD"
-  ].join("\n");
-  const canonicalRequestHash = stringToHex(canonicalRequest);
+  const canonicalRequest = `${method}
+${canonicalUri}
+${canonicalQueryString}
+${canonicalHeaders}
+${signedHeaders}
+UNSIGNED-PAYLOAD`;
+  const canonicalRequestHash = await sha256Hex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
     dateTimeStamp,

package/dist/index.mjs CHANGED Viewed

@@ -1316,7 +1316,7 @@ function getStorageBucket() {
     return customBucket;
   }
   const projectId = getProjectId();
-  return `${projectId}.appspot.com`;
+  return `${projectId}.firebasestorage.app`;
 }
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
@@ -1334,10 +1334,18 @@ function actionToMethod(action) {
       return "DELETE";
   }
 }
-function stringToHex(str) {
+function fixedEncodeURIComponent(str) {
+  return encodeURIComponent(str).replace(
+    /[!'()*]/g,
+    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
+  );
+}
+async function sha256Hex(str) {
   const encoder = new TextEncoder();
-  const bytes = encoder.encode(str);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const data = encoder.encode(str);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 async function signData(data, privateKey) {
   const pemHeader = "-----BEGIN PRIVATE KEY-----";
@@ -1402,17 +1410,15 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const encodedPath = path.split("/").map((segment) => fixedEncodeURIComponent(segment)).join("/");
   const canonicalUri = `/${bucket}/${encodedPath}`;
-  const canonicalRequest = [
-    method,
-    canonicalUri,
-    canonicalQueryString,
-    canonicalHeaders,
-    signedHeaders,
-    "UNSIGNED-PAYLOAD"
-  ].join("\n");
-  const canonicalRequestHash = stringToHex(canonicalRequest);
+  const canonicalRequest = `${method}
+${canonicalUri}
+${canonicalQueryString}
+${canonicalHeaders}
+${signedHeaders}
+UNSIGNED-PAYLOAD`;
+  const canonicalRequestHash = await sha256Hex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
     dateTimeStamp,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",