cfsign

A Typescript/Javascript lib for working with CloudFront signatures in NodeJs.

Getting started

Install cfsign from npm.

Instantiate a signer with your key configuration:

import { Signer } from "cfsign";
const signer = new Signer({
    id: "APKAXXXXXXXXXXXXXXXX", 
    privateKeyPem: "-----BEGIN RSA PRIVATE KEY-----\nXXXX..."
});

As per AWS documentation, cfsign supports short-ish URLs, signed using a "canned" policy. In this case a URL and an expiration date will do:

const expiration = new Date(new Date().getTime() + 10*60*1000);
const signedUrl = signer.signUrl(`https://xyz.cloudfront.net/example/path`, expiration);

To sign a more complex policy, just build one and then get the resulting cookies or query parameters.

const policy = {
    Statement: [{
        Condition: {
            DateGreaterThan: { "AWS:EpochTime": 0 },
            DateLessThan: { "AWS:EpochTime": 1 },
            IpAddress: { "AWS:SourceIp": "1.1.1.0/24" }
        },
        Resource: "http://test.com/folder/*"
    }]
};
const signature = sut.sign(policy);

const cookies = signature.toCookies();
const signedUrl = signature.addToUrl("http://test.com/folder/file");

In typescript the Policy type will help you to write a correct policy.

Extra utils

If you prefer to set the key via a single line string, rather than a PEM, there's pemFormat():

import { pemFormat } from "cfsign/lib/keyUtils";
const signer = new Signer({
    id: "APKAXXXXXXXXXXXXXXXX", 
    privateKeyPem: pemFormat("XXXX")
});

Refer to typedocs or tests for further details and examples.