fix(upload): content-api does not return signed urls #26034

Merged: markkaylor merged 3 commits into develop from fix/content-api-signed-urls on Apr 17, 2026

markkaylor commented Apr 15, 2026

What does it do?

Adds signFileUrls() calls to every method in the content-api upload controller (find, findOne, destroy, updateFileInfo, replaceFile, uploadFiles), signing file URLs before returning responses. This mirrors the existing pattern in the admin upload controller. Adds an API integration test covering all content-api upload endpoints for both private and public providers.

Why is it needed?

When using S3 with ACL: "private", the content-api upload endpoints (/api/upload, /api/upload/files, etc.) return unsigned URLs. These URLs are inaccessible (403) because the bucket is private. The admin controller already signs URLs before responding, but the content-api controller was missing this step entirely.

How to test it?

Configure a Strapi project with the AWS S3 provider (you can use minio) using ACL: "private" (MinIO works as a local substitute). Upload a file via POST /api/upload and verify the response URL contains X-Amz-Signature query parameters and isUrlSigned: true. Verify the same for GET /api/upload/files and GET /api/upload/files/:id. Confirm that switching to ACL: "public-read" returns plain unsigned URLs as before.

Run the new API test: yarn test:api tests/api/core/upload/content-api/upload-signing.test.api.js

Related issue(s)/PR(s)
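
One way to automate the manual check in "How to test it?", as an added example that is not part of this PR or of Strapi's code. It assumes the response is a file object or an array of them with `url`, `isUrlSigned` and an optional `formats` map; the expiry threshold and all sample values are constructed for illustration.

```javascript
// Added example; not Strapi code. File shape (url, isUrlSigned, formats.*.url) is assumed.
const SIGV4_PARAMS = ['X-Amz-Algorithm', 'X-Amz-Credential', 'X-Amz-Date',
  'X-Amz-Expires', 'X-Amz-SignedHeaders', 'X-Amz-Signature'];

// Parse one URL; the base only lets relative (local-provider) URLs parse.
function inspectUrl(rawUrl) {
  const params = new URL(rawUrl, 'http://relative.invalid').searchParams;
  return {
    signed: params.has('X-Amz-Signature'),
    missing: SIGV4_PARAMS.filter((p) => !params.has(p)),
    expires: params.has('X-Amz-Expires') ? Number(params.get('X-Amz-Expires')) : null,
  };
}

// Return a list of findings; an empty list means the response matches expectations.
// maxExpirySeconds is a threshold chosen for this example, not a Strapi default.
function auditUploadResponse(body, { expectSigned, maxExpirySeconds = 3600 }) {
  const findings = [];
  for (const file of Array.isArray(body) ? body : [body]) {
    const urls = [['url', file.url]];
    for (const [name, fmt] of Object.entries(file.formats || {})) {
      urls.push([`formats.${name}.url`, fmt.url]);
    }
    for (const [field, rawUrl] of urls) {
      const info = inspectUrl(rawUrl);
      if (info.signed !== expectSigned) {
        findings.push(`${file.name}: ${field} is ${info.signed ? 'signed' : 'unsigned'}`);
      } else if (expectSigned && info.missing.length > 0) {
        findings.push(`${file.name}: ${field} lacks ${info.missing.join(', ')}`);
      } else if (expectSigned && info.expires > maxExpirySeconds) {
        findings.push(`${file.name}: ${field} valid for ${info.expires}s`);
      }
    }
    if (Boolean(file.isUrlSigned) !== expectSigned) {
      findings.push(`${file.name}: isUrlSigned is ${file.isUrlSigned}`);
    }
  }
  return findings;
}

// Constructed sample responses (placeholder host, credential and signature values).
const SIG = 'X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=EXAMPLEKEY%2F20260415%2Fus-east-1%2Fs3%2Faws4_request'
  + '&X-Amz-Date=20260415T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder';
const privateSample = [{
  name: 'a.png', isUrlSigned: true, url: `https://bucket.example/a.png?${SIG}`,
  formats: { thumbnail: { url: `https://bucket.example/thumbnail_a.png?${SIG}` } },
}];
const publicSample = [{ name: 'a.png', isUrlSigned: false, url: 'https://bucket.example/a.png' }];

console.log(auditUploadResponse(privateSample, { expectSigned: true }));
console.log(auditUploadResponse(publicSample, { expectSigned: true }));
```

Run it with `expectSigned: true` against a private-ACL deployment and `expectSigned: false` against a public-read one; a signed URL is a bearer credential for the object, so the expiry finding is worth reviewing alongside the signature check.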

dosubot Bot added the "pr: fix" (This PR is fixing a bug) and "source: core:upload" (Source is core/upload package) labels Apr 15, 2026

markkaylor marked this pull request as draft April 16, 2026 07:36
markkaylor added this to the 5.43.0 milestone Apr 16, 2026
markkaylor marked this pull request as ready for review April 16, 2026 14:36
markkaylor requested a review from jhoward1994 April 16, 2026 14:36

markkaylor (Contributor, Author) commented

Detailed test plan on CMS-674

markkaylor self-assigned this Apr 16, 2026
markkaylor merged commit 7f17643 into develop Apr 17, 2026
138 checks passed
markkaylor deleted the fix/content-api-signed-urls branch April 17, 2026 08:17
pwizla pushed a commit to strapi/documentation that referenced this pull request Apr 17, 2026
Adds documentation for signed URL behavior in the REST API upload endpoints when using AWS S3 with private ACL, addressing strapi/strapi#26034.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
pwizla added a commit to strapi/documentation that referenced this pull request Apr 17, 2026
…ts (#3067)

Adds documentation for signed URL behavior in the REST API upload endpoints when using AWS S3 with private ACL, addressing strapi/strapi#26034.

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
pwizla added a commit to strapi/documentation that referenced this pull request Apr 17, 2026
…ts (#3067) (#3069)

Adds documentation for signed URL behavior in the REST API upload endpoints when using AWS S3 with private ACL, addressing strapi/strapi#26034.

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

S3 upload urls not signed in response after uploading via REST api
