happyskills 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +5 -0
  2. package/package.json +1 -1
  3. package/src/api/client.js +9 -2
  4. package/src/api/client.test.js +53 -0
package/CHANGELOG.md CHANGED
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [1.4.1] - 2026-06-03
11
+
12
+ ### Fixed
13
+ - Send the `x-amz-content-sha256` payload-hash header on bodyless POST/DELETE requests so CloudFront OAC SigV4 signing accepts them. It was previously set only when a request had a body, so bodyless authenticated mutations (`star`, `unstar`, `delete`, `people remove`, `groups delete`, `access revoke`) were rejected by the Lambda Function URL with a 403 signature mismatch.
14
+
10
15
  ## [1.4.0] - 2026-06-03
11
16
 
12
17
  ### Added
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "happyskills",
3
- "version": "1.4.0",
3
+ "version": "1.4.1",
4
4
  "description": "Package manager for AI agent skills",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "author": "Nicolas Dao <nic@cloudlesslabs.com> (https://cloudlesslabs.com)",
package/src/api/client.js CHANGED
@@ -40,8 +40,15 @@ const request = (method, path, options = {}) => catch_errors(`API ${method} ${pa
40
40
  headers['Content-Type'] = 'application/json'
41
41
  }
42
42
 
43
- if (body_str) {
44
- headers['x-amz-content-sha256'] = createHash('sha256').update(body_str).digest('hex')
43
+ // CloudFront OAC signs requests to the Lambda Function URL with SigV4, which
44
+ // covers the payload hash via x-amz-content-sha256. GET/HEAD carry no body and
45
+ // OAC uses the empty-string hash deterministically, so they work without it.
46
+ // But body-carrying methods (POST/PUT/PATCH/DELETE) MUST send the header or the
47
+ // Function URL rejects the signature with a 403 — and that applies even when the
48
+ // specific request has no body (e.g. `star`/`unstar`, `delete`, `people remove`).
49
+ // The correct hash for an empty body is sha256(''). See docs/gotchas/deployment.md § 2.1.
50
+ if (method !== 'GET' && method !== 'HEAD') {
51
+ headers['x-amz-content-sha256'] = createHash('sha256').update(body_str || '').digest('hex')
45
52
  }
46
53
 
47
54
  let res
package/src/api/client.test.js ADDED
@@ -0,0 +1,53 @@
1
+ // Run with: node --test src/api/client.test.js
2
+ //
3
+ // Pins the x-amz-content-sha256 payload-hash header that CloudFront OAC requires
4
+ // to SigV4-sign requests to the Lambda Function URL. The original bug: the header
5
+ // was set only when a body existed, so bodyless authed mutations (star/unstar,
6
+ // delete, people remove, ...) reached the Function URL without it and were
7
+ // rejected with a 403 signature mismatch. GET/HEAD are exempt — OAC uses the
8
+ // deterministic empty-string hash for them. See docs/gotchas/deployment.md § 2.1.
9
+
10
+ const { describe, it } = require('node:test')
11
+ const assert = require('node:assert/strict')
12
+ const crypto = require('node:crypto')
13
+ const client = require('./client')
14
+
15
+ const EMPTY_SHA = crypto.createHash('sha256').update('').digest('hex')
16
+
17
+ // Run a client call with global.fetch stubbed to capture the outgoing request.
18
+ const capture_request = async (fn) => {
19
+ const orig = global.fetch
20
+ const captured = {}
21
+ global.fetch = async (url, opts) => {
22
+ captured.url = url
23
+ captured.method = opts.method
24
+ captured.headers = opts.headers
25
+ captured.body = opts.body
26
+ return { ok: true, status: 200, headers: { get: () => null }, json: async () => ({ data: {} }) }
27
+ }
28
+ try { await fn() } finally { global.fetch = orig }
29
+ return captured
30
+ }
31
+
32
+ describe('api client — x-amz-content-sha256 (CloudFront OAC SigV4 payload hash)', () => {
33
+ it('bodyless POST sends the empty-string payload hash (regression: star → 403)', async () => {
34
+ const c = await capture_request(() => client.post('/repos/acme/deploy-aws/star', undefined, { auth: false }))
35
+ assert.equal(c.headers['x-amz-content-sha256'], EMPTY_SHA)
36
+ })
37
+
38
+ it('bodyless DELETE sends the empty-string payload hash (regression: unstar/delete → 403)', async () => {
39
+ const c = await capture_request(() => client.del('/repos/acme/deploy-aws/star', { auth: false }))
40
+ assert.equal(c.headers['x-amz-content-sha256'], EMPTY_SHA)
41
+ })
42
+
43
+ it('POST with a body sends the body hash (unchanged)', async () => {
44
+ const c = await capture_request(() => client.post('/repos:search', { q: 'x' }, { auth: false }))
45
+ const expected = crypto.createHash('sha256').update(JSON.stringify({ q: 'x' })).digest('hex')
46
+ assert.equal(c.headers['x-amz-content-sha256'], expected)
47
+ })
48
+
49
+ it('GET does not send the header (OAC uses the deterministic empty hash)', async () => {
50
+ const c = await capture_request(() => client.get('/repos/acme/deploy-aws', { auth: false }))
51
+ assert.equal(c.headers['x-amz-content-sha256'], undefined)
52
+ })
53
+ })