From 626c5792017a2dd3e1174a6a00f5f7874145f9f0 Mon Sep 17 00:00:00 2001
From: Leif Henriksen
Date: Mon, 9 Feb 2026 17:14:05 +0100
Subject: [PATCH 1/2] ARSN-551: don't require x-amz-content-sha256 header to be signed
---
 lib/auth/v4/validateInputs.ts | 6 ++++++
 tests/unit/auth/v4/headerAuthCheck.spec.js | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/lib/auth/v4/validateInputs.ts b/lib/auth/v4/validateInputs.ts
index e2f031202..6f7c6ecc4 100644
--- a/lib/auth/v4/validateInputs.ts
+++ b/lib/auth/v4/validateInputs.ts
@@ -196,6 +196,12 @@ export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Head
 }
 const headers = Object.keys(allHeaders);
 for (let i = 0; i < headers.length; i++) {
+ // We skip x-amz-content-sha256 because in practice AWS does not require that it be present
+ // in the list of signed headers.
+ if (headers[i] === 'x-amz-content-sha256') {
+ continue;
+ }
+
 if ((headers[i].startsWith('x-amz-') || headers[i].startsWith('x-scal-')) && signedHeadersList.indexOf(headers[i]) === -1) {
diff --git a/tests/unit/auth/v4/headerAuthCheck.spec.js b/tests/unit/auth/v4/headerAuthCheck.spec.js
index 8cab2a7a1..a86634ec8 100644
--- a/tests/unit/auth/v4/headerAuthCheck.spec.js
+++ b/tests/unit/auth/v4/headerAuthCheck.spec.js
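Review bot: The comment added in the loop of `areSignedHeadersComplete` (lib/auth/v4/validateInputs.ts) justifies the exemption only by AWS behaviour and does not record why it is safe. With x-amz-content-sha256 left out of SignedHeaders, the header's integrity depends on its value still being fed into the canonical request as the hashed payload; that is not visible in this hunk and should be confirmed against the caller. I would extend the comment, e.g. `// Safe only while the header value is still bound into the signature as the canonical request's payload hash.` The literal comparison `headers[i] === 'x-amz-content-sha256'` also assumes header names arrive lower-cased, as the neighbouring `startsWith('x-amz-')` check appears to. The function starts and ends outside the hunk.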
@@ -91,6 +91,24 @@ describe('v4 headerAuthCheck', () => {
 done();
 });
+ it('should NOT return error if x-amz-content-sha256 is not included ' +
+ 'as signed header but is in request', done => {
+ // x-amz-content-sha256 is an exception - AWS does not require it
+ // to be in the signed headers list
+ const clock = fakeTimers.install({ now: 1454962445000 });
+ const alteredRequest = createAlteredRequest({
+ authorization: 'AWS4-HMAC-SHA256 Credential=accessKey1/20160208' +
+ '/us-east-1/s3/aws4_request, SignedHeaders=host;' +
+ 'x-amz-date, Signature=abed924c06abf8772c670064d22eacd6ccb85c06' +
+ 'befa15f4a789b0bae19307bc',
+ 'x-amz-content-sha256': xAMZcontentSha256 },
+ 'headers', request, headers);
+ const res = headerAuthCheck(alteredRequest, log);
+ clock.uninstall();
+ assert.strictEqual(res.err, null);
+ done();
+ });
+
 it('should return error if an x-scal header is not included as signed ' +
 'header but is in request', done => {
 const alteredRequest = createAlteredRequest({
From af610f2510084a6e12a7c4c38b85eeb24a0e468c Mon Sep 17 00:00:00 2001
From: Leif Henriksen
Date: Mon, 9 Feb 2026 17:29:23 +0100
Subject: [PATCH 2/2] ARSN-551: bump package.json to 8.2.45
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 192b31ad5..d8c1e1ec4 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
 "engines": {
 "node": ">=20"
 },
- "version": "8.2.44",
+ "version": "8.2.45",
 "description": "Common utilities for the S3 project components",
 "main": "build/index.js",
 "repository": {
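Review bot: In the new test in tests/unit/auth/v4/headerAuthCheck.spec.js, `clock.uninstall()` runs only if `headerAuthCheck` returns, so an exception there leaves the fake clock installed for the tests that follow. Wrapping the call as `try { res = headerAuthCheck(alteredRequest, log); } finally { clock.uninstall(); }` avoids that. The test also asserts only `res.err === null`, which pins the relaxed header check but not that the x-amz-content-sha256 value is still carried into what gets verified against the signature. If the result exposes that value, an assertion on it would guard the property the exemption relies on. The enclosing `describe` block starts and ends outside the hunk.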