fix: Handle AWS S3 Re-Authentication via s3.getSignedUrlPromise #30642

@nmagedman nmagedman commented Oct 16, 2023

AWS credentials have a limited lifespan. If the credentials have expired when you call s3.getSignedUrl, the call will fail, although eventually future calls will succeed after the credentials are refreshed in the background. Passing a callback argument to getSignedUrl, however, will cause s3 to refresh the credentials before continuing on with the callback.

Commit 90238b9 (PR #28711) refactored the callback-oriented definition of getRedirectURL in apps/meteor/app/file-upload/ufs/AmazonS3/server.ts to use async/await instead. In the process, the callback argument was dropped, breaking the auto-refreshing of expired authentication tokens, and resulting in s3.getSignedUrl returning a bogus value.

Proposed changes (including videos or screenshots)

We can restore the auto-refreshing of expired authentication tokens by calling the promise-oriented version of getSignedUrl, s3.getSignedUrlPromise.

Fix auto-refreshing of expired authentication tokens when loading assets from S3.

Further comments

h/t to @rodrigok who brought s3.getSignedUrlPromise to my attention

AWS credentials have a limited lifespan.  If the credentials
have expired when you call `s3.getSignedUrl`, the call will fail,
although it will eventually succeed after the credentials are
refreshed in the background.

Calling `s3.getSignedUrlPromise` causes it to wait for the
credentials to refresh and then successfully return a signed url.
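
The regression and the fix described in this PR, as an added JavaScript example that is not code from the Rocket.Chat repository. `FakeS3` is a constructed stand-in for the aws-sdk S3 client that models only the behaviour the description states; `getRedirectURLBroken`, `getRedirectURLFixed`, the bucket, the key and the `s3.example` host are hypothetical.

```javascript
// FakeS3 is a constructed stand-in for the aws-sdk S3 client. It models only
// what the PR description states: without a callback the call signs with the
// cached credentials; with a callback (or the promise form) it refreshes first.
class FakeS3 {
  constructor() {
    this.credentials = { token: 'stale', expired: true }; // constructed: session already expired
  }

  async refresh() {
    this.credentials = { token: 'fresh', expired: false };
  }

  sign(operation, { Bucket, Key }) {
    // Hypothetical URL shape; a real presigned URL carries a signature instead.
    return `https://${Bucket}.s3.example/${Key}?op=${operation}&token=${this.credentials.token}`;
  }

  getSignedUrl(operation, params, callback) {
    if (!callback) return this.sign(operation, params); // synchronous: no refresh
    const ready = this.credentials.expired ? this.refresh() : Promise.resolve();
    ready.then(() => callback(null, this.sign(operation, params)), callback);
  }

  getSignedUrlPromise(operation, params) {
    return new Promise((resolve, reject) => {
      this.getSignedUrl(operation, params, (err, url) => (err ? reject(err) : resolve(url)));
    });
  }
}

// Shape of the regression: converted to async/await, callback argument dropped.
async function getRedirectURLBroken(s3, params) {
  return s3.getSignedUrl('getObject', params);
}

// Shape of the fix: the promise form waits for the credential refresh.
async function getRedirectURLFixed(s3, params) {
  return s3.getSignedUrlPromise('getObject', params);
}

// Runs both variants against a client whose credentials have expired.
async function demo() {
  const params = { Bucket: 'uploads', Key: 'avatar.png' }; // constructed sample
  const broken = await getRedirectURLBroken(new FakeS3(), params);
  const fixed = await getRedirectURLFixed(new FakeS3(), params);
  return { broken, fixed };
}

demo().then((result) => console.log(result));
```

Wrapping the synchronous call in an `async` function does not make it wait for credentials; only the callback or promise form does.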

changeset-bot bot commented Oct 16, 2023

⚠️ No Changeset found

Latest commit: 51918cb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

…re-authentication_via_s3.getSignedUrlPromise

codecov bot commented Oct 16, 2023

Codecov Report

Merging #30642 (51918cb) into develop (ff2263a) will decrease coverage by 0.47%.
Report is 1 commits behind head on develop.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop   #30642      +/-   ##
===========================================
- Coverage    51.29%   50.82%   -0.47%     
===========================================
  Files          811      805       -6     
  Lines        15062    15072      +10     
  Branches      2753     2784      +31     
===========================================
- Hits          7726     7661      -65     
- Misses        6928     6974      +46     
- Partials       408      437      +29     
Flag Coverage Δ
e2e 48.06% <ø> (-0.50%) ⬇️

Flags with carried forward coverage won't be shown.

@rodrigok rodrigok added this to the 6.5.0 milestone Oct 17, 2023
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Oct 17, 2023
…re-authentication_via_s3.getSignedUrlPromise
@dionisio-bot dionisio-bot bot removed the stat: ready to merge PR tested and approved waiting for merge label Oct 17, 2023
@sampaiodiego sampaiodiego merged commit 049b921 into RocketChat:develop Oct 18, 2023
40 of 41 checks passed
gabriellsh added a commit that referenced this pull request Oct 18, 2023
…chat.postMessage

* 'develop' of github.com:RocketChat/Rocket.Chat:
  fix: inconsistent behavior when removing subscriptions and inquiries (#30572)
  fix: Handle AWS S3 Re-Authentication via s3.getSignedUrlPromise (#30642)
  test: wait for the name update finish (#30663)
  regression: Restore default limits to community apps (#30611)
  refactor: Move functions out of `Livechat.js` (#30650)
  chore: remove license v3 public key envvar (#30646)
  fix: Read receipts are not created on the first time a user reads a room (#30610)
  fix: licenses.info endpoint only available for admins (#30644)