- suggestion (bug_risk): Canonical header trimming doesn’t fully match Azure’s normalization rules.
packages/cellix/service-blob-storage/src/auth-header-generator.ts
The spec requires trimming leading/trailing whitespace on header values and collapsing sequential spaces into a single space. This implementation only uses trimEnd() on the name and trimStart() on the value, and doesn’t normalize internal whitespace, which can make signatures fragile if callers pass in preformatted headers. Consider using trim() on both the header name and value, and optionally normalizing internal runs of spaces in values to fully match Azure’s rules.
Suggested implementation:
* 5. Trim leading/trailing whitespace on header names and values
* 6. Collapse sequential whitespace in values to a single space
* 7. Append newline to each
*/
// Format as "name:value\n"
return unique
.map(([name, value]) => {
const normalizedName = name.trim();
const normalizedValue = value
.trim()
.replace(/\s+/g, ' ');
return `${normalizedName}:${normalizedValue}\n`;
})
.join('');
- question (bug_risk): Including blob-type and content-length for GET requests may be stricter than necessary.
packages/cellix/service-blob-storage/src/client-upload-signer.ts
private createAuthorizationHeader(request: CreateBlobAuthorizationHeaderRequest, method: 'PUT' | 'GET'): BlobUploadAuthorizationHeader {
const url = this.buildBlobUrl(request.containerName, request.blobName);
// Build headers dict for signing
const headers: Record<string, string> = {
Because createAuthorizationHeader always includes x-ms-blob-type, Content-Type, and Content-Length (even for GET), consumers must send these exact headers on their GET requests or the signature will not match. Consider either branching on HTTP method so GET signatures only cover the minimal required headers, or clearly documenting that clients must include these same headers on GET requests for the auth to succeed.
packages/cellix/service-blob-storage/src/auth-header-generator.ts
The spec requires trimming leading/trailing whitespace on header values and collapsing sequential spaces into a single space. This implementation only uses trimEnd() on the name and trimStart() on the value, and doesn’t normalize internal whitespace, which can make signatures fragile if callers pass in preformatted headers. Consider using trim() on both the header name and value, and optionally normalizing internal runs of spaces in values to fully match Azure’s rules.
Suggested implementation:
packages/cellix/service-blob-storage/src/client-upload-signer.ts
Because createAuthorizationHeader always includes x-ms-blob-type, Content-Type, and Content-Length (even for GET), consumers must send these exact headers on their GET requests or the signature will not match. Consider either branching on HTTP method so GET signatures only cover the minimal required headers, or clearly documenting that clients must include these same headers on GET requests for the auth to succeed.