S3 provider with private ACL continues to request items after signed URL has expired

[timbarclay]

Bug report

Required System information

• Node.js version: 16
• NPM version: 8.3.1
• Strapi version: 4.10.5
• Database: Postgres
• Operating system: linux (node alpine docker)
• Is your project Javascript or Typescript: Typescript

Describe the bug

The AWS S3 provider plugin appears to use expired pre-signed URLs.

Also the readme is unclear about what the default expiry value is. Within the readme it says variously:

• "Defaults to 15 minutes"
• "The default value is 7 days"

Steps to reproduce the behavior

1. set up the AWS S3 provider plugin with ACL: 'private' and without explicitly setting signedUrlExpires
2. upload an image to the media library
3. insert that image into a rich text block and save it (the image should render correctly in the preview at this point)
4. wait 20 minutes
5. reload the rich text block
6. the inserted image is broken because the presigned url has expired

Expected behavior

On reloading the saved text block, you should still see the inserted image.

Screenshots

A text block with a broken image

The response returned by AWS showing that the url expired after 15 minutes (900 seconds).

Code snippets

plugins.ts

export default ({ env }) => ({
  upload: {
    config: {
      provider: env.bool('IS_LOCAL') ? 'local' : 'aws-s3',
      providerOptions: {
        region: env('AWS_REGION', 'eu-west-2'),
        sslEnabled: true,
        params: {
          Bucket: env('CMS_S3_BUCKET', 'iwsr-test-strapi-media-library'),
          ACL: 'private',
        },
      },
      actionOptions: {
        upload: {
          ServerSideEncryption: 'AES256',
        },
        uploadStream: {
          ServerSideEncryption: 'AES256',
        },
      },
    },
  },
});

[Marc-Roig]

hello! your configuration seems ok. And the issue seems to be with the rich text editor.

And you are completely right, the README gives no clear indication which is the default Expiry time. I will update that asap.

When you import an image into the rich text editor, you are importing the url, the same as if you used any other URL, e.g.
![hero-top-left-image.svg](http://localhost:1337/uploads/my-image.svg)

Once that image is imported, it loses track from which media library entity it came from. And if you change or delete that image in your Media Library, you will probably see a broken link.

Unfortunately, private assets have their authentication headers embedded in the URL, and they have to be recomputed every time.

With this current implementation of the rich text editor, I don't think it is possibble to support this. And the only alternative now would be to add those images in the entity in a media attribute.

[timbarclay]

Thanks so much for replying so quickly. So if I understand correctly, the issue is that the expiring signed URL is generated at the point the rich text item is saved and is never regenerated after that.

So it sounds like I either need to make my assets public or set baseUrl to some other server that I control that can proxy my private assets.

[Marc-Roig]

@timbarclay exactly that, we plan to iterate on the rich text editor, so we will try to add this feature in mid term future (still have to discuss it with the developers in charge of the new iteration).

For now your best bet is what you said yes :) If you used something like cloudfront, you could automatically sign your media assets and set your strapi provider config as public.

For now, as this is more of an enhancement I will close the issue. And also ask , in case it's necessary for you (or any other) to have this functionality, to add it in our Strapi Canny dashboard, so we can keep track of this and prioritize it.

[strapi-bot]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/how-to-solve-the-issue-of-expired-pre-signature-paths-for-media-library-images-inserted-in-strapi-rich-text/30814/5

[merkelfleet]

Hey. I'm sorry to reopen this issue. I did not find it in Strapi Canny.