Blob access control

Open sakarisson opened this issue 11 months ago • 9 comments

Hey Vercel team, happy new year!

I'm starting on a new project, and I have a need to upload pictures to storage. When going over the blob documentation, I realized that all blobs are publicly accessible.

The options param has a required access field, which can only be set to public. Is there a plan to extend this to have a private alternative?

sakarisson avatar Jan 04 '25 17:01 sakarisson

Hey @sakarisson, yes! We do have plans to have private blobs.

Here's the RFC we're sharing with interested customers. Please give us feedback on it based on your use case, as "private" means different patterns for customers. Thanks!

Private_Blobs_RFC_for_customer_feedback.pdf

vvo avatar Jan 17 '25 15:01 vvo

I like the Edge Middleware Authorization. It seems convenient for most use cases. Plus it works on Edge functions which is nice. For accessing Blobs on the server it seems a little less convenient but still reasonable (the proposed solution seems pretty easy to wrap in a function).

I don't love Temporary URLs because it feels like it could have edge cases or be misconfigured. It probably isn't a big deal - but the timeout is something everyone will have to think about before using it. I can think of cases where it would be the most useful (temporary downloads).

For my use case I do need to access blobs from the client and rarely from the server (which probably isn't that common, but I do it).

NotNoshy avatar Jan 23 '25 21:01 NotNoshy

Hey @vvo thanks for sticking with this! Confirming use case #2, blob token auth, would meet my application's needs. For audit trail and compliance reasons (no ACLs), signed URLs introduce a slight business risk.

theianzhang avatar Mar 01 '25 09:03 theianzhang

> Hey @sakarisson, yes! We do have plans to have private blobs.
>
> Here's the RFC we're sharing with interested customers. Please give us feedback on it based on your use case, as "private" means different patterns for customers. Thanks!
>
> Private_Blobs_RFC_for_customer_feedback.pdf

Any ETA on createPrivateBlobUrl()?

moshmage avatar May 01 '25 15:05 moshmage

Hi,

I've several features on the wishlist:

  • ability to specify the max file size per upload with a pre-signed URL (preventing users from uploading files larger than they are permitted)
  • private blobs
  • more metadata on the file upload lifecycle function (such as content type etc) - not sure if this is something I can receive using the HEAD function
  • custom metadata for files

phyziyx avatar May 23 '25 08:05 phyziyx

Hey guys, do you have a status for this? Would LOVE this feature as I'm working with sensitive JSON data that I simply can't have public. Cheers

JulianJorgensen avatar Jun 13 '25 15:06 JulianJorgensen

What's the ETA on this?

snkashis avatar Jul 18 '25 03:07 snkashis

Hello everyone, I wanted to check if there are any updates or plans regarding this topic. Thank you!

mrestrepoj10 avatar Aug 02 '25 04:08 mrestrepoj10

Man, I wish this existed, but I guess we have to stick with the addRandomSuffix for now. It is practically impossible to guess the URL, but if there was a leak the files would still be unsafe.

FlyingGrasss avatar Aug 14 '25 10:08 FlyingGrasss