Skip to content

fix: correct Hawk MAC verification for reordered query parameters#265

Merged
layertwo merged 1 commit intomainlinefrom
fix/hawk-query-string-ordering
Mar 3, 2026
Merged

fix: correct Hawk MAC verification for reordered query parameters#265
layertwo merged 1 commit intomainlinefrom
fix/hawk-query-string-ordering

Conversation

@layertwo
Copy link
Owner

@layertwo layertwo commented Mar 3, 2026

Summary

Context

CloudWatch logs confirmed the root cause (PR #262):

server_url: .../storage/prefs?full=1&limit=1000&newer=1772129152.09

API Gateway REST API v1 alphabetized the query params (full, limit, newer) but Firefox sent them as newer, full, limit. The Hawk MAC is computed over the full URL including query string, so the reordering caused a MAC mismatch → 401.

REST API v1 doesn't expose rawQueryString, so the fix pre-computes the MAC for each permutation of query params (using raw HMAC-SHA256) to find the correct ordering before calling mohawk. This avoids the nonce consumption issue (mohawk is only called once with the correct URL).

For typical Firefox Sync requests (2-3 query params), this is 2-6 HMAC computations — negligible overhead.

Test plan

  • 949 tests pass, 100% coverage
  • black, isort, flake8 clean
  • Deploy and trigger sync — storage/prefs?newer=...&full=1&limit=1000 should return 200 instead of 401
  • Verify sync completes successfully (all engines)

@layertwo
fix: correct Hawk MAC verification for reordered query parameters
cf79729 
API Gateway REST API v1 alphabetizes query parameters in the event
dict, breaking Hawk MAC verification when the client's original
parameter order differs (e.g. newer,full,limit → full,limit,newer).

Fix: before calling mohawk.Receiver, pre-compute the Hawk MAC for
each permutation of query parameters to find the client's original
ordering. Only call mohawk once with the correct URL, preserving
nonce replay protection. Removes diagnostic logging from PR #262.
@github-actions
Copy link

github-actions bot commented Mar 3, 2026

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)		Lines missing
  lambda/src/middlewares
  hawk_auth.py
  lambda/src/services
  hawk_service.py
  lambda/src/shared
  utils.py
Project Total  

This report was generated by python-coverage-comment-action

@github-actions
Copy link

github-actions bot commented Mar 3, 2026

Diff for stage: DefaultStage

Warning

3 Destructive Changes

Diff for stack: GitHubOidcStack - 0 to add, 1 to update, 0 to destroy 🟡

Details 
Resources
[~] Custom::AWSCDKOpenIdConnectProvider GitHubOidcProvider7EBF861F
 ├─ [~] CodeHash
 │   ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
 │   └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50
 └─ [~] RejectUnauthorized
[~] AWS::Lambda::Function CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb.zip
 │       └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
         └─ [+] asset.d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50

Diff for stack: Service-prod - 3 to add, 3 to update, 3 to destroy

Details

[!WARNING]
Destructive Changes ‼️
Stack: Service-prod - Resource: AuthApiDeploymentB62B2E4627f0b326f37b837e2a54a9393870f6be - Impact: WILL_DESTROY

Stack: Service-prod - Resource: TokenApiDeploymentB896C2197f4fd8f40928d8ff6b65325e6f60c797 - Impact: WILL_DESTROY

Stack: Service-prod - Resource: ProfileApiDeployment84A54415afa95090416ea0bbd4b1d2aac5a9241c - Impact: WILL_DESTROY

Resources
[-] AWS::ApiGateway::Deployment AuthApiDeploymentB62B2E4627f0b326f37b837e2a54a9393870f6be destroy
[-] AWS::ApiGateway::Deployment TokenApiDeploymentB896C2197f4fd8f40928d8ff6b65325e6f60c797 destroy
[-] AWS::ApiGateway::Deployment ProfileApiDeployment84A54415afa95090416ea0bbd4b1d2aac5a9241c destroy
[+] AWS::ApiGateway::Deployment AuthApiDeploymentB62B2E46cd727903b39a54701810720fe0a5fca4
[+] AWS::ApiGateway::Deployment TokenApiDeploymentB896C219b16a73c2bacf13dff150a851137e236c
[+] AWS::ApiGateway::Deployment ProfileApiDeployment84A54415e0158c62574d24c31b8dbd21e82873c4
[~] AWS::Lambda::Function AuthApiHandlerED50ACFA
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477.zip
 │       └─ [+] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477
         └─ [+] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
[~] AWS::Lambda::Function TokenApiHandler2E66DB25
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477.zip
 │       └─ [+] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477
         └─ [+] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
[~] AWS::Lambda::Function ProfileApiHandler9B65A298
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477.zip
 │       └─ [+] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477
         └─ [+] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
[~] AWS::Lambda::Function ApiHandler5E7490E8
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477.zip
 │       └─ [+] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.0df5e523b42b35c46536cf9840ad49e85efff4fd8a00459a51cb4f2d640b1477
         └─ [+] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
[~] AWS::ApiGateway::Stage AuthApiDeploymentStageprodB0E4172A
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] AuthApiDeploymentB62B2E4627f0b326f37b837e2a54a9393870f6be
         └─ [+] AuthApiDeploymentB62B2E46cd727903b39a54701810720fe0a5fca4
[~] AWS::ApiGateway::Stage TokenApiDeploymentStageprod11035AE4
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] TokenApiDeploymentB896C2197f4fd8f40928d8ff6b65325e6f60c797
         └─ [+] TokenApiDeploymentB896C219b16a73c2bacf13dff150a851137e236c
[~] AWS::ApiGateway::Stage ProfileApiDeploymentStageprodF609D968
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] ProfileApiDeployment84A54415afa95090416ea0bbd4b1d2aac5a9241c
         └─ [+] ProfileApiDeployment84A54415e0158c62574d24c31b8dbd21e82873c4

No Changes for stack: Frontend-prod ✅
No Changes for stack: Monitoring-prod ✅

Generated for commit cf79729 at 2026-03-03T00:56:27.840Z

@layertwo layertwo merged commit 260176b into mainline Mar 3, 2026
10 checks passed
@layertwo layertwo deleted the fix/hawk-query-string-ordering branch March 3, 2026 02:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@layertwo