I've setup a private composer repository via gem-fury, but when I'm trying to download one of the packages (using composer-require) I receive the following error:
[Composer\Downloader\TransportException]
The 'https://s3.amazonaws.com:443/gemfury/gems/[SOME_STRING]/[VENDOR][PACKAGE]_[VERSION]_zip?Signature=SIGNATURE&Expires=1481739039&AWSAccessKeyId=[AWS_ACCESS_KEY]' URL could not be accessed: HTTP/1.1 400 Bad Request
P.S. I know that the authentication worked because composer does receive the package.json file (the latest version is recognized)
Any help would be appretiated
Short answer: You may see this issue if you are using
auth.json
to store your Gemfury token. At this time, the only way to work around this issue is to embed the token directly into your repository URL incomposer.json
.Long answer: The reason it doesn't work is due to a bug in Composer CLI. In that particular use-case, when Composer acts on Gemfury's redirect from your private
php.fury.io
repo to a secure S3 download, it includes theAuthorization
header with your Gemfury token. This header conflicts with S3's authentication model, and results in a400 Bad Request
response.Resending
Authorization
header on a redirect from one host to another is a fairly significant security concern, and I recommend you reset your Gemfury token and stop usingauth.json
authentication method until this issue is resolved.