fix: set success_action_status on S3 presigned POST to fix CORS on Ceph-based providers

[BhagyaAmarasinghe]

What does this PR do?

Fixes #7086

• Adds success_action_status: "201" to the S3 presigned POST fields so the storage provider returns 201 Created instead of the default 204 No Content
• Fixes file uploads failing on Ceph/RGW-based S3 providers (e.g. Hetzner Object Storage) where the 204 response omits CORS headers, causing the browser to block the response and report upload failure even though the file was successfully written to the bucket

Root Cause

When uploading files via presigned POST, S3-compatible providers default to returning 204 No Content. Ceph/RGW-based providers (like Hetzner Object Storage) do not include Access-Control-Allow-Origin headers on 204 responses, even when CORS is properly configured on the bucket. The browser blocks the response, fetch() throws a TypeError: Failed to fetch, and the app reports "Upload failed" despite the file being successfully stored.

Setting success_action_status: "201" instructs the provider to return 201 Created instead, which correctly includes CORS headers. This is also the recommended approach in the AWS S3 POST documentation. The change is backward-compatible — Response.ok covers both 200-299, so AWS S3, MinIO, and other providers continue to work.

How should this be tested?

• Unit tests updated and passing (pnpm test --filter=@formbricks/storage — 64/64 pass)
• Verified against local MinIO: response changes from 204 No Content → 201 Created
• Verify on a Ceph/RGW-based provider (Hetzner Object Storage) that CORS error no longer occurs and uploaded images appear in the UI

Checklist

Required

• Filled out the "How to test" section in this PR
• Read How we Code at Formbricks
• Self-reviewed my own code
• Commented on my code in hard-to-understand bits
• Ran pnpm build
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues
• First PR at Formbricks? Please sign the CLA! Without it we wont be able to merge it 🙏

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Formbricks Docs if changes were necessary

[coderabbitai]

Walkthrough

The getSignedUploadUrl function in the storage service has been updated to include success_action_status: "201" in the PresignedPost Fields object. This replaces a previously commented Content-Encoding: "base64" placeholder. The change modifies the expected HTTP status code for successful uploads. The test file has been updated accordingly to reflect this new behavior in the test assertions. No other fields, logic, or public function signatures are affected by this modification.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding success_action_status to S3 presigned POST to fix CORS issues with Ceph-based providers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description comprehensively covers what the change does, why it's needed (with root cause analysis), testing instructions, and all required checklist items are marked complete.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mattinannt]

looks good; thank you for the fix :-)

[pandeymangg]

LGTM! 🚀