memos
Unable to Access Storage Files in a Private Bucket
Issue description
When setting up R2 object storage using the instructions provided in this document without specifying an r2.dev custom prefix, I am unable to access the storage file. Attempting to open the file in a new tab results in the following error message:
<Error>
<Code>InvalidArgument</Code>
<Message>Invalid Argument: Authorization</Message>
</Error>
However, after setting an r2.dev prefix, my photos preview correctly. It is worth noting that r2.dev is a "managed public access" feature, which is not recommended for production environments (as noted in this document).
To ensure safe access to storage files in production environments, we recommend using pre-signed URLs. Are there any plans to support pre-signed URL access in the future?
Steps to reproduce
- Follow the instructions provided in this document to set up R2 storage.
- Upload a file to the storage.
- Attempt to preview the file.
Screenshots or additional context
None at the moment.
That seems too convoluted dude
We store the URLs of S3 resources in the database as external links, r2.dev or a custom domain name is enough.
Something new: After the latest commit (#1190), newly uploaded files have the original URL as the external link, instead of using the custom (e.g. r2.dev) URL prefix. This issue is causing problems with accessing the files on the custom domain.
Turned this into a separate issue #1248
We store the URLs of S3 resources in the database as external links, r2.dev or a custom domain name is enough.
Using pre-signed URLs would provide an expiration period for access to stored data, adding an additional layer of security and control. While r2.dev links may be convenient for temporary public access, they do not offer the same level of security and control as pre-signed URLs.
I will try to submit a pull request to implement pre-signed URLs when I have the time...
I followed the instructions for R2 twice on the day 0.11.0 was released. For both, the result was that I was not able to access the resource once successfully uploaded to R2.
+1 from me.
+1 It is important to read files in private storage buckets through programs instead of changing the bucket to public. This can prevent important files from being leaked.
I support this request. We really need presigned URL support; otherwise we have to leak all our personal images attached to our diary entries into the world! 😱
I recently found that all files in third-party storage (S3) are set to be publicly accessible. It is dangerous to leak files that users might not want to make public.