fix: Handle AWS S3 Re-Authentication via s3.getSignedUrlPromise #30642
AWS credentials have a limited lifespan. If the credentials have expired when you call `s3.getSignedUrl`, the call will fail, although it will eventually succeed after the credentials are refreshed in the background. Calling `s3.getSignedUrlPromise` causes it to wait for the credentials to refresh and then successfully return a signed url.
…re-authentication_via_s3.getSignedUrlPromise
Codecov Report
@@ Coverage Diff @@
## develop #30642 +/- ##
===========================================
- Coverage 51.29% 50.82% -0.47%
===========================================
Files 811 805 -6
Lines 15062 15072 +10
Branches 2753 2784 +31
===========================================
- Hits 7726 7661 -65
- Misses 6928 6974 +46
- Partials 408 437 +29
Flags with carried forward coverage won't be shown.
…chat.postMessage

* 'develop' of github.com:RocketChat/Rocket.Chat:
  fix: inconsistent behavior when removing subscriptions and inquiries (#30572)
  fix: Handle AWS S3 Re-Authentication via s3.getSignedUrlPromise (#30642)
  test: wait for the name update finish (#30663)
  regression: Restore default limits to community apps (#30611)
  refactor: Move functions out of `Livechat.js` (#30650)
  chore: remove license v3 public key envvar (#30646)
  fix: Read receipts are not created on the first time a user reads a room (#30610)
  fix: licenses.info endpoint only available for admins (#30644)
AWS credentials have a limited lifespan. If the credentials have expired when you call `s3.getSignedUrl`, the call will fail, although eventually future calls will succeed after the credentials are refreshed in the background. Passing a `callback` argument to `getSignedUrl`, however, will cause `s3` to refresh the credentials before continuing on with the callback.

Commit 90238b9 (PR #28711) refactored the `callback`-oriented definition of `getRedirectURL` in `apps/meteor/app/file-upload/ufs/AmazonS3/server.ts` to use async/await instead. In the process, the callback argument was dropped, breaking the auto-refreshing of expired authentication tokens, and resulting in `s3.getSignedUrl` returning a bogus value.

Proposed changes (including videos or screenshots)

We can restore the auto-refreshing of expired authentication tokens by calling the promise-oriented version of getSignedUrl, `s3.getSignedUrlPromise`.

Fix auto-refreshing of expired authentication tokens when loading assets from S3.

Further comments

h/t to @rodrigok who brought `s3.getSignedUrlPromise` to my attention
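
An added illustration of the regression and fix described in this PR, not code from Rocket.Chat or the AWS SDK. `FakeS3` is a constructed stand-in that models only the behaviour stated above (the no-callback path signs with cached credentials and refreshes in the background; the callback and promise paths refresh first), and `getRedirectURLRegressed` / `getRedirectURLFixed` are hypothetical names.

```javascript
// Constructed stand-in for an S3 client with expiring credentials. It models only
// the behaviour described in this PR; it is not the AWS SDK.
class FakeS3 {
  constructor(clock) {
    this.clock = clock; // () => current time in ms
    this.creds = { token: 'tok-1', expiresAt: 1000 };
    this.refreshing = Promise.resolve();
  }
  expired() { return this.clock() >= this.creds.expiresAt; }
  async refresh() {
    await null; // asynchronous credential provider
    const n = Number(this.creds.token.slice(4)) + 1;
    this.creds = { token: `tok-${n}`, expiresAt: this.clock() + 1000 };
  }
  sign({ Bucket, Key }) {
    return `https://${Bucket}.example.invalid/${Key}?token=${this.creds.token}`;
  }
  getSignedUrl(operation, params, callback) {
    if (!callback) {
      const url = this.sign(params); // signed with whatever is cached, even if expired
      if (this.expired()) this.refreshing = this.refresh(); // continues in the background
      return url;
    }
    const ready = this.expired() ? this.refresh() : Promise.resolve();
    ready.then(() => callback(null, this.sign(params)), callback);
  }
  getSignedUrlPromise(operation, params) {
    return new Promise((resolve, reject) =>
      this.getSignedUrl(operation, params, (err, url) => (err ? reject(err) : resolve(url))));
  }
}

const params = { Bucket: 'uploads', Key: 'avatar.png', Expires: 60 }; // constructed values

// Shape of the regression: async/await code that calls getSignedUrl without a callback.
const getRedirectURLRegressed = async (s3) => s3.getSignedUrl('getObject', params);
// Shape of the fix: the promise variant resolves only after credentials are valid.
const getRedirectURLFixed = async (s3) => s3.getSignedUrlPromise('getObject', params);

async function demo() {
  const clock = () => 5000; // cached credentials expired at t=1000
  const s3 = new FakeS3(clock);
  const first = await getRedirectURLRegressed(s3); // carries the expired token
  await s3.refreshing;
  const retry = await getRedirectURLRegressed(s3); // works once the refresh has landed
  const fixed = await getRedirectURLFixed(new FakeS3(clock)); // correct on the first call
  return { first, retry, fixed };
}
```

In this model the regressed path only recovers on a later call, which matches the intermittent failures the description attributes to expired tokens.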