-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(object): Allow for presigning upload url #244
feat(object): Allow for presigning upload url #244
Conversation
@MagnusHJensen great work with this PR! |
This week i'll spend sometime to check it out 👍 |
Sounds great @fenos |
Hello @MagnusHJensen sorry for the delay, I was away during the Christmas holiday. I had time to look over the PR and generally looks good. Practically, we think that whoever has the right to upload to a specific path it should be able to generate the upload URL for that location. In order for us to be able to 'test' if a user has the right permission to create a row is to create a record and somehow roll it back within a transaction |
try { | ||
found = await this.findObject(objectName) | ||
} catch (e) { | ||
// Don't do anything, since it will throw an error if the object doesn't exist (but that is what we want.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not going to work reliably,
If we have certain RLS policies defined this might return 404 because we don't have access to the file not because it doesn't exist
We might want to run this query asSuperUser
to make sure the file is not present at this location.
However, when doing this as superUser we don't have any protection on who can create these upload URL.
As a second step, after the file existence, we need to check if the user has the CREATE RLS permission in order to generate the upload url
…ature/signed-upload-url
Hi @fenos |
Sorry to be annoying with a +1 that doesn't contribute anything but... I hope this makes it in, it would be a fantastic feature. |
Closing in favour of #81 |
What kind of change does this PR introduce?
Introduces a new feature to sign an upload url, which allows for uploading straight to the bucket without credentials.
What is the current behavior?
It's currently not possible to upload a file from the client side, without routing it through your own server, which is not the preferred way.
What is the new behavior?
You can now presign a upload url with your service token, and give the url to any client which can then upload the file directly.
Additional context
Closes #81
Add any other context or screenshots.
First PR for the Storage API