fix(storage-*): simplify key handling for signed urls and composite prefixes (#16291)

## Summary

This PR primarily fixes inconsistent storage key and prefix behavior
across adapters and client upload flows. The main goal is to make signed
URL generation, object lookup/delete, and client upload path handling
behave the same way for S3, GCS, Azure, R2, and Vercel Blob, especially
when composite prefixes are enabled.

## Fixes

This change fixes prefix/key mismatch issues by standardizing how
adapters derive object keys, and resolves edge cases where
client-uploaded files could diverge from server-side prefix/filename
semantics. It also fixes GCS URL generation behavior by preserving
canonical encoded public URLs instead of decoding them.

## Additional cleanup

As part of the fix work, getFileKey was expanded to return normalized
key components so adapters can consume one shared source of truth rather
than rebuilding path logic in multiple places. This reduces duplication
and makes future storage fixes safer.

## Validation

Composite-prefix client upload coverage was added for Vercel Blob to
protect the fixed behavior and prevent regressions in key/prefix
handling.

Author: JarrodMFlesch

packages/plugin-cloud-storage/src/utilities/getFileKey.spec.ts

@@ -10,7 +10,12 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('document/test.png')
+      expect(result).toEqual({
+        fileKey: 'document/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: 'document',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should fallback to collectionPrefix when docPrefix is empty', () => {
@@ -20,7 +25,12 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('collection/test.png')
+      expect(result).toEqual({
+        fileKey: 'collection/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should fallback to collectionPrefix when docPrefix is undefined', () => {
@@ -29,15 +39,25 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('collection/test.png')
+      expect(result).toEqual({
+        fileKey: 'collection/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should return only filename when both prefixes are empty', () => {
       const result = getFileKey({
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('test.png')
+      expect(result).toEqual({
+        fileKey: 'test.png',
+        sanitizedCollectionPrefix: '',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
     })
   })
 
@@ -49,7 +69,12 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: true,
       })
-      expect(result).toBe('collection/document/test.png')
+      expect(result).toEqual({
+        fileKey: 'collection/document/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: 'document',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should work with only collectionPrefix', () => {
@@ -58,7 +83,12 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: true,
       })
-      expect(result).toBe('collection/test.png')
+      expect(result).toEqual({
+        fileKey: 'collection/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should work with only docPrefix', () => {
@@ -67,15 +97,25 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: true,
       })
-      expect(result).toBe('document/test.png')
+      expect(result).toEqual({
+        fileKey: 'document/test.png',
+        sanitizedCollectionPrefix: '',
+        sanitizedDocPrefix: 'document',
+        sanitizedFilename: 'test.png',
+      })
     })
 
     it('should return only filename when both prefixes are empty', () => {
       const result = getFileKey({
         filename: 'test.png',
         useCompositePrefixes: true,
       })
-      expect(result).toBe('test.png')
+      expect(result).toEqual({
+        fileKey: 'test.png',
+        sanitizedCollectionPrefix: '',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
     })
   })
 
@@ -86,8 +126,13 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('etc/test.png')
-      expect(result).not.toContain('..')
+      expect(result).toEqual({
+        fileKey: 'etc/test.png',
+        sanitizedCollectionPrefix: 'etc',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
+      expect(result.fileKey).not.toContain('..')
     })
 
     it('should remove path traversal segments from docPrefix', () => {
@@ -96,8 +141,13 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('a/outside/test.png')
-      expect(result).not.toContain('..')
+      expect(result).toEqual({
+        fileKey: 'a/outside/test.png',
+        sanitizedCollectionPrefix: '',
+        sanitizedDocPrefix: 'a/outside',
+        sanitizedFilename: 'test.png',
+      })
+      expect(result.fileKey).not.toContain('..')
     })
 
     it('should remove control characters from prefixes', () => {
@@ -106,8 +156,13 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: false,
       })
-      expect(result).toBe('testprefix/test.png')
-      expect(result).not.toMatch(/[\x00-\x1f]/)
+      expect(result).toEqual({
+        fileKey: 'testprefix/test.png',
+        sanitizedCollectionPrefix: 'testprefix',
+        sanitizedDocPrefix: '',
+        sanitizedFilename: 'test.png',
+      })
+      expect(result.fileKey).not.toMatch(/[\x00-\x1f]/)
     })
 
     it('should sanitize both prefixes in composite mode', () => {
@@ -117,8 +172,13 @@ describe('getFileKey', () => {
         filename: 'test.png',
         useCompositePrefixes: true,
       })
-      expect(result).toBe('collection/doc/test.png')
-      expect(result).not.toContain('..')
+      expect(result).toEqual({
+        fileKey: 'collection/doc/test.png',
+        sanitizedCollectionPrefix: 'collection',
+        sanitizedDocPrefix: 'doc',
+        sanitizedFilename: 'test.png',
+      })
+      expect(result.fileKey).not.toContain('..')
     })
   })
 })

packages/plugin-cloud-storage/src/utilities/getFileKey.ts

@@ -1,4 +1,5 @@
 import path from 'path'
+import { sanitizeFilename } from 'payload/shared'
 
 import { sanitizePrefix } from './sanitizePrefix.js'
 
@@ -9,6 +10,13 @@ type GetFileKeyArgs = {
   useCompositePrefixes?: boolean
 }
 
+type GetFileKeyResult = {
+  fileKey: string
+  sanitizedCollectionPrefix: string
+  sanitizedDocPrefix: string
+  sanitizedFilename: string
+}
+
 /**
  * Computes the file key (path) for storage.
  *
@@ -21,13 +29,19 @@ export function getFileKey({
   docPrefix,
   filename,
   useCompositePrefixes = false,
-}: GetFileKeyArgs): string {
+}: GetFileKeyArgs): GetFileKeyResult {
   const safeCollectionPrefix = sanitizePrefix(collectionPrefix || '')
   const safeDocPrefix = sanitizePrefix(docPrefix || '')
+  const safeFilename = sanitizeFilename(filename)
 
-  if (useCompositePrefixes) {
-    return path.posix.join(safeCollectionPrefix, safeDocPrefix, filename)
-  }
+  const fileKey = useCompositePrefixes
+    ? path.posix.join(safeCollectionPrefix, safeDocPrefix, safeFilename)
+    : path.posix.join(safeDocPrefix || safeCollectionPrefix, safeFilename)
 
-  return path.posix.join(safeDocPrefix || safeCollectionPrefix, filename)
+  return {
+    fileKey,
+    sanitizedCollectionPrefix: safeCollectionPrefix,
+    sanitizedDocPrefix: safeDocPrefix,
+    sanitizedFilename: safeFilename,
+  }
 }

packages/plugin-cloud-storage/src/utilities/initClientUploads.ts

@@ -74,23 +74,23 @@ export const initClientUploads = <ExtraProps extends Record<string, unknown>, T>
   for (const collectionSlug in collections) {
     const collection = collections[collectionSlug]
 
-    let prefix: string | undefined
+    let collectionPrefix: string | undefined
 
     if (
       collection &&
       typeof collection === 'object' &&
       'prefix' in collection &&
       typeof collection.prefix === 'string'
     ) {
-      prefix = collection.prefix
+      collectionPrefix = collection.prefix
     }
 
     config.admin.components.providers.push({
       clientProps: {
         collectionSlug,
         enabled,
         extra: extraClientHandlerProps ? extraClientHandlerProps(collection!) : undefined,
-        prefix,
+        prefix: collectionPrefix,
         serverHandlerPath,
       },
       path: clientHandler,

packages/storage-azure/src/client/AzureClientUploadHandler.ts

@@ -3,7 +3,7 @@ import { createClientUploadHandler } from '@payloadcms/plugin-cloud-storage/clie
 import { formatAdminURL } from 'payload/shared'
 
 export const AzureClientUploadHandler = createClientUploadHandler({
-  handler: async ({ apiRoute, collectionSlug, file, prefix, serverHandlerPath, serverURL }) => {
+  handler: async ({ apiRoute, collectionSlug, docPrefix, file, serverHandlerPath, serverURL }) => {
     const endpointRoute = formatAdminURL({
       apiRoute,
       path: serverHandlerPath,
@@ -12,14 +12,16 @@ export const AzureClientUploadHandler = createClientUploadHandler({
     const response = await fetch(endpointRoute, {
       body: JSON.stringify({
         collectionSlug,
+        docPrefix,
         filename: file.name,
         mimeType: file.type,
       }),
       credentials: 'include',
       method: 'POST',
     })
 
-    const { url } = (await response.json()) as {
+    const { docPrefix: sanitizedDocPrefix, url } = (await response.json()) as {
+      docPrefix: string
       url: string
     }
 
@@ -34,6 +36,6 @@ export const AzureClientUploadHandler = createClientUploadHandler({
       method: 'PUT',
     })
 
-    return { prefix }
+    return { prefix: sanitizedDocPrefix }
   },
 })

packages/storage-azure/src/deleteFile.ts

@@ -17,7 +17,7 @@ export async function deleteFile({
   filename,
   useCompositePrefixes = false,
 }: DeleteArgs): Promise<void> {
-  const fileKey = getFileKey({
+  const { fileKey } = getFileKey({
     collectionPrefix,
     docPrefix,
     filename,

packages/storage-azure/src/generateSignedURL.ts

@@ -3,9 +3,8 @@ import type { ClientUploadsAccess } from '@payloadcms/plugin-cloud-storage/types
 import type { PayloadHandler } from 'payload'
 
 import { BlobSASPermissions, generateBlobSASQueryParameters } from '@azure/storage-blob'
-import path from 'path'
+import { getFileKey } from '@payloadcms/plugin-cloud-storage/utilities'
 import { APIError, Forbidden } from 'payload'
-import { sanitizeFilename } from 'payload/shared'
 
 import type { AzureStorageOptions } from './index.js'
 
@@ -14,6 +13,7 @@ interface Args {
   collections: AzureStorageOptions['collections']
   containerName: string
   getStorageClient: () => ContainerClient
+  useCompositePrefixes?: boolean
 }
 
 const defaultAccess: Args['access'] = ({ req }) => !!req.user
@@ -23,31 +23,38 @@ export const getGenerateSignedURLHandler = ({
   collections,
   containerName,
   getStorageClient,
+  useCompositePrefixes = false,
 }: Args): PayloadHandler => {
   return async (req) => {
     if (!req.json) {
       throw new APIError('Unreachable')
     }
 
-    const { collectionSlug, filename, mimeType } = (await req.json()) as {
+    const { collectionSlug, docPrefix, filename, mimeType } = (await req.json()) as {
       collectionSlug: string
+      docPrefix?: string
       filename: string
       mimeType: string
     }
 
-    const collectionS3Config = collections[collectionSlug]
-    if (!collectionS3Config) {
-      throw new APIError(`Collection ${collectionSlug} was not found in S3 options`)
+    const collectionStorageConfig = collections[collectionSlug]
+    if (!collectionStorageConfig) {
+      throw new APIError(`Collection ${collectionSlug} was not found in Azure storage options`)
     }
 
-    const prefix = (typeof collectionS3Config === 'object' && collectionS3Config.prefix) || ''
+    const collectionPrefix =
+      (typeof collectionStorageConfig === 'object' && collectionStorageConfig.prefix) || ''
 
     if (!(await access({ collectionSlug, req }))) {
       throw new Forbidden()
     }
 
-    const sanitizedFilename = sanitizeFilename(filename)
-    const fileKey = path.posix.join(prefix, sanitizedFilename)
+    const { fileKey, sanitizedDocPrefix } = getFileKey({
+      collectionPrefix,
+      docPrefix: docPrefix || '',
+      filename,
+      useCompositePrefixes,
+    })
 
     const blobClient = getStorageClient().getBlobClient(fileKey)
 
@@ -63,6 +70,9 @@ export const getGenerateSignedURLHandler = ({
       getStorageClient().credential as StorageSharedKeyCredential,
     )
 
-    return Response.json({ url: `${blobClient.url}?${sasToken.toString()}` })
+    return Response.json({
+      docPrefix: sanitizedDocPrefix,
+      url: `${blobClient.url}?${sasToken.toString()}`,
+    })
   }
 }

packages/storage-azure/src/generateURL.ts

@@ -17,7 +17,7 @@ export function generateURL({
   prefix,
   useCompositePrefixes = false,
 }: GenerateURLArgs): string {
-  const fileKey = getFileKey({
+  const { fileKey } = getFileKey({
     collectionPrefix,
     docPrefix: prefix,
     filename,