s3upload-coffee-javascript
Add file size to signed URL request & option to pass back message.
Unfortunately I don't have time to properly submit a pull request (plus I'm not familiar with CoffeeScript just yet), but I'd like to make a quick suggestion.
In order for the server to be able to properly restrict the file size being uploaded, I'd like to suggest that the file's size be added to the query string when fetching the signed URL. A parameter such as s3_object_size would be most useful.
Also, now the server has enough info to be able to accept or reject an upload based on mime type and file size, it would be great if it could also return a message to be displayed to the user, indicating perhaps why the file failed to upload. I.e. "File is larger than xMB" or "File must be of type png, jpg, gif".
Even if the browser did send the information about file size, it's impossible for the server that signs the request to be sure about it and properly revoke access to uploads out of size range. The browser could be reporting fake file sizes in order to get the request signed.
This is a limitation in using signed requests to Amazon's REST API the way s3upload-coffee-javascript does.
A reliable solution delegates file size checking to Amazon S3 itself. There's documentation instructing how to do that. In summary, the signed request uploading the file directly to S3 includes a policy, which defines the file size range. The policy is itself part of the signed payload, making sure clients can't forge it.
As far as I can tell, there's a gem that implements this approach called s3_direct_upload. You can get a hold of the front-end part of it here.
I believe the following solutions to this issue are possible:
- I'm completely wrong in my understanding of how direct uploads to S3 work and I'm missing a possible solution. Please, let me know if that's the case.
- We update s3upload-coffee-javascript to make use of the API that includes the policy parameter.
- We document s3upload-coffee-javascript, warning users about the shortcoming of validating file sizes and the billing implications of bandwidth and storage usage if huge files are uploaded.
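The policy-based approach described in the comment above, as an added example that is not part of the original thread or of s3upload-coffee-javascript: a Node.js server-side signer for an S3 browser-POST policy (Signature Version 4) whose `content-length-range` condition makes S3 itself enforce the size limit. The function names, bucket, key prefix, credentials and the `image/` type rule are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

const hmac = (key, data) => crypto.createHmac("sha256", key).update(data, "utf8").digest();

// Constructed sample input (placeholder credentials, hypothetical bucket and prefix).
const SAMPLE = {
  accessKeyId: "AKIDEXAMPLE", secretKey: "constructed-secret", region: "us-east-1",
  bucket: "example-bucket", keyPrefix: "uploads/", maxBytes: 5 * 1024 * 1024,
  now: new Date("2024-01-01T00:00:00Z"), ttlSeconds: 300,
};

// Returns the form fields the browser must include in its POST to S3.
// maxBytes is the server's own limit; nothing the client reports is trusted.
function signPostPolicy({ accessKeyId, secretKey, region, bucket, keyPrefix, maxBytes, now, ttlSeconds }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20240101T000000Z
  const day = amzDate.slice(0, 8);
  const credential = `${accessKeyId}/${day}/${region}/s3/aws4_request`;
  const policy = {
    expiration: new Date(now.getTime() + ttlSeconds * 1000).toISOString(),
    conditions: [
      { bucket },
      ["starts-with", "$key", keyPrefix],
      ["starts-with", "$Content-Type", "image/"],
      ["content-length-range", 1, maxBytes], // S3 rejects bodies outside this range
      { "x-amz-algorithm": "AWS4-HMAC-SHA256" },
      { "x-amz-credential": credential },
      { "x-amz-date": amzDate },
    ],
  };
  const policyB64 = Buffer.from(JSON.stringify(policy), "utf8").toString("base64");
  // SigV4 signing key: HMAC chain over date, region, service and terminator.
  let key = hmac("AWS4" + secretKey, day);
  for (const part of [region, "s3", "aws4_request"]) key = hmac(key, part);
  return {
    policy: policyB64,
    "x-amz-algorithm": "AWS4-HMAC-SHA256",
    "x-amz-credential": credential,
    "x-amz-date": amzDate,
    "x-amz-signature": hmac(key, policyB64).toString("hex"),
  };
}

// Local model of the size rule S3 applies to the real body length on receipt.
function policyAllowsSize(policyB64, actualBytes) {
  const { conditions } = JSON.parse(Buffer.from(policyB64, "base64").toString("utf8"));
  const range = conditions.find((c) => Array.isArray(c) && c[0] === "content-length-range");
  return Boolean(range) && actualBytes >= range[1] && actualBytes <= range[2];
}
```

Because the signature covers the base64 policy, a client that edits the size range invalidates the signature, and a client that lies about size is still measured by S3 against the signed range.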
Noted. Possible good feature.