anomalyco · fwang · Jan 21, 2026 · Mar 24, 2025 · Mar 26, 2025 · Mar 28, 2025
diff --git a/platform/functions/oac-edge-signer/index.ts b/platform/functions/oac-edge-signer/index.ts
@@ -0,0 +1,86 @@
+// Lambda@Edge function for automatic SHA256 header signing
+// This function adds the required x-amz-content-sha256 header for POST/PUT/PATCH requests
+// going to Lambda function URLs with Origin Access Control enabled.
+
+import crypto from "crypto";
+
+interface CloudFrontRequest {
+  method: string;
+  uri: string;
+  body?: {
+    data: string;
+    encoding?: "base64" | "text";
+    inputTruncated?: boolean;
+  };
+  headers: Record<string, Array<{ key: string; value: string }>>;
+}
+
+interface CloudFrontResponse {
+  status: string;
+  statusDescription: string;
+  headers: Record<string, Array<{ key: string; value: string }>>;
+  body: string;
+}
+
+interface CloudFrontEvent {
+  Records: Array<{
+    cf: {
+      request: CloudFrontRequest;
+    };
+  }>;
+}
+
+export async function handler(
+  event: CloudFrontEvent,
+): Promise<CloudFrontRequest | CloudFrontResponse> {
+  const request = event.Records[0].cf.request;
+
+  // Only process requests that need SHA256 signing (methods with body)
+  if (!["POST", "PUT", "PATCH", "DELETE"].includes(request.method)) {
+    return request;
+  }
+
+  // Check if body was truncated (exceeds 1MB Lambda@Edge limit)
+  if (request.body?.inputTruncated) {
+    return {
+      status: "413",
+      statusDescription: "Payload Too Large",
+      headers: {
+        "content-type": [{ key: "Content-Type", value: "application/json" }],
+      },
+      body: JSON.stringify({
+        error:
+          "Request body exceeds 1MB Lambda@Edge limit. Use presigned S3 URLs for large uploads.",
+      }),
+    };
+  }
+
+  try {
+    // Get the request body as raw bytes (never convert to UTF-8 string)
+    const bodyBuffer = request.body?.data
+      ? request.body.encoding === "base64"
+        ? Buffer.from(request.body.data, "base64")
+        : Buffer.from(request.body.data)
+      : Buffer.alloc(0);
+
+    // Compute SHA256 hash of the raw bytes
+    const hash = crypto.createHash("sha256").update(bodyBuffer).digest("hex");
+
+    // Add the x-amz-content-sha256 header in CloudFront format
+    request.headers["x-amz-content-sha256"] = [
+      {
+        key: "x-amz-content-sha256",
+        value: hash,
+      },
+    ];
+
+    console.log(
+      `Added SHA256 header for ${request.method} request to ${request.uri}: ${hash}`,
+    );
+  } catch (error) {
+    console.error("Error computing SHA256 hash:", error);
+    // Continue without the header rather than failing the request
+  }
+
+  return request;
+}
diff --git a/platform/scripts/build.mjs b/platform/scripts/build.mjs
@@ -3,7 +3,7 @@ import fs from "fs/promises";
 
 // Require transpile
 await Promise.all(
-  ["ssr-warmer", "vector-handler"].map((file) =>
+  ["ssr-warmer", "vector-handler", "oac-edge-signer"].map((file) =>
     esbuild.build({
       bundle: true,
       minify: true,

diff --git a/platform/src/components/aws/helpers/arn.ts b/platform/src/components/aws/helpers/arn.ts
@@ -94,6 +94,30 @@ export function parseRoleArn(arn: string) {
   return { roleName };
 }
 
+export function parseLambdaEdgeArn(arn: string) {
+  // First validate it's a Lambda function ARN
+  const { functionName } = parseFunctionArn(arn);
+
+  // arn:aws:lambda:region:account-id:function:function-name:version
+  const parts = arn.split(":");
+  const region = parts[3];
+  const version = parts[7];
+
+  if (region !== "us-east-1") {
+    throw new VisibleError(
+      `Lambda@Edge functions must be deployed in us-east-1 region. Got region: ${region}`,
+    );
+  }
+
+  if (!version || version === "$LATEST") {
+    throw new VisibleError(
+      `Lambda@Edge requires a qualified ARN (with version). Got: ${arn}`,
+    );
+  }
+
+  return { functionName, region, version };
+}
+
 export function parseElasticSearch(arn: string) {
   // arn:aws:es:region:account-id:domain/domain-name
   const tableName = arn.split("/")[1];

diff --git a/platform/src/components/aws/router.ts b/platform/src/components/aws/router.ts
@@ -2010,7 +2010,7 @@ async function routeSite(kvNamespace, metadata) {
 
   // Route to image optimizer
   if (metadata.image && baselessUri.startsWith(metadata.image.route)) {
-    setUrlOrigin(metadata.image.host);
+    setUrlOrigin(metadata.image.host, metadata.image.originAccessControlConfig ? { originAccessControlConfig: metadata.image.originAccessControlConfig } : undefined);
     return;
   }
 
@@ -2149,6 +2149,9 @@ function setUrlOrigin(urlHost, override) {
   if (override.timeouts) {
     origin.timeouts = override.timeouts;
   }
+  if (override.originAccessControlConfig) {
+    origin.originAccessControlConfig = override.originAccessControlConfig;
+  }
   cf.updateRequestOrigin(origin);
 }
 
@@ -2187,6 +2190,12 @@ export type KV_SITE_METADATA = {
   image?: {
     host: string;
     route: string;
+    originAccessControlConfig?: {
+      enabled: boolean;
+      signingBehavior: string;
+      signingProtocol: string;
+      originType: string;
+    };
   };
   servers?: [string, number, number][];
   origin?: {