feat(object): Allow for presigning upload url #244
Conversation
|
@MagnusHJensen great work with this PR! |
|
This week i'll spend sometime to check it out 👍 |
|
Sounds great @fenos |
|
Hello @MagnusHJensen sorry for the delay, I was away during the Christmas holiday. I had time to look over the PR and generally looks good. Practically, we think that whoever has the right to upload to a specific path it should be able to generate the upload URL for that location. In order for us to be able to 'test' if a user has the right permission to create a row is to create a record and somehow roll it back within a transaction |
| try { | ||
| found = await this.findObject(objectName) | ||
| } catch (e) { | ||
| // Don't do anything, since it will throw an error if the object doesn't exist (but that is what we want.) |
There was a problem hiding this comment.
This is not going to work reliably,
If we have certain RLS policies defined this might return 404 because we don't have access to the file not because it doesn't exist
We might want to run this query asSuperUser to make sure the file is not present at this location.
However, when doing this as superUser we don't have any protection on who can create these upload URL.
As a second step, after the file existence, we need to check if the user has the CREATE RLS permission in order to generate the upload url
…ature/signed-upload-url
|
Hi @fenos |
|
Sorry to be annoying with a +1 that doesn't contribute anything but... I hope this makes it in, it would be a fantastic feature. |
|
Closing in favour of #81 |
What kind of change does this PR introduce?
Introduces a new feature to sign an upload url, which allows for uploading straight to the bucket without credentials.
What is the current behavior?
It's currently not possible to upload a file from the client side, without routing it through your own server, which is not the preferred way.
What is the new behavior?
You can now presign a upload url with your service token, and give the url to any client which can then upload the file directly.
Additional context
Closes #81
Add any other context or screenshots.
First PR for the Storage API