🐛 fix: make S3 upload ACL setting optional (lobehub#3464)

* feat: make setting ACL optional * docs: add `S3_SET_ACL` description
diegopizzocaro · Aug 15, 2024 · 53a0b47 · 53a0b47
1 parent cf90dba
commit 53a0b47
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/docs/self-hosting/server-database.mdx b/docs/self-hosting/server-database.mdx
@@ -144,6 +144,9 @@ S3_ENDPOINT=https://0b33a03b5c993fd2f453379dc36558e5.r2.cloudflarestorage.com
 
 The name and region of the bucket. `S3_BUCKET` is mandatory for specifying the bucket's name. `S3_REGION` is optional for specifying the bucket's region, generally not required to add, but some service providers may need to configure it.
 
+### `S3_SET_ACL`
+Whether to set the ACL to `public-read` when uploading files. This option is enabled by default. If the service provider does not support setting individual ACLs for files (i.e., all files inherit the bucket's ACL), enabling this option may result in a request error. You can disable it by setting `S3_SET_ACL` to `0`.
+
 ### `NEXT_PUBLIC_S3_DOMAIN`
 
 The public access domain of the bucket, used to access files in the bucket. This address needs to be **internet-readable**. The reason is that when OpenAI's GPT-4o and other visual models recognize images, OpenAI will try to download the image link on their servers. Therefore, this link must be publicly accessible. If it is a private link, OpenAI will not be able to access the image and will not be able to recognize the image content properly.

diff --git a/docs/self-hosting/server-database.zh-CN.mdx b/docs/self-hosting/server-database.zh-CN.mdx
@@ -150,6 +150,9 @@ S3_ENDPOINT=https://0b33a03b5c993fd2f453379dc36558e5.r2.cloudflarestorage.com
 
 存储桶的名称和区域，`S3_BUCKET` 是必须的，用于指定存储桶的名称。 `S3_REGION` 是可选的，用于指定存储桶的区域，一般来说不需要添加，但某些服务商则需要配置。
 
+### `S3_SET_ACL`
+是否在上传文件时设置 ACL 为 `public-read`。该选项默认启用。如果服务商不支持为文件设置单独的 ACL（即所有文件继承存储桶的 ACL），启用此选项可能会导致请求错误，将 `S3_SET_ACL` 设置为 `0` 即可关闭。
+
 ### `NEXT_PUBLIC_S3_DOMAIN`
 
 存储桶对外的访问域名，用于访问存储桶中的文件，这个地址需要**允许互联网可读**。 原因是 OpenAI 的 gpt-4o 等视觉模型识别图片时，OpenAI 会尝试在他们的服务器中下载这个图片链接，因此这个链接必须是公开可访问的，如果是私有的链接，OpenAI 将无法访问到这个图片，进而无法正常识别到图片内容。

diff --git a/src/config/file.ts b/src/config/file.ts
@@ -18,6 +18,7 @@ export const getFileConfig = () => {
       S3_ENDPOINT: process.env.S3_ENDPOINT,
       S3_REGION: process.env.S3_REGION,
       S3_SECRET_ACCESS_KEY: process.env.S3_SECRET_ACCESS_KEY,
+      S3_SET_ACL: process.env.S3_SET_ACL !== '0',
     },
     server: {
       // S3
@@ -27,6 +28,7 @@ export const getFileConfig = () => {
 
       S3_REGION: z.string().optional(),
       S3_SECRET_ACCESS_KEY: z.string().optional(),
+      S3_SET_ACL: z.boolean(),
     },
   });
 };

diff --git a/src/server/modules/S3/index.ts b/src/server/modules/S3/index.ts
@@ -26,11 +26,14 @@ export class S3 {
 
   private readonly bucket: string;
 
+  private readonly setAcl: boolean;
+
   constructor() {
     if (!fileEnv.S3_ACCESS_KEY_ID || !fileEnv.S3_SECRET_ACCESS_KEY || !fileEnv.S3_BUCKET)
       throw new Error('S3 environment variables are not set completely, please check your env');
 
     this.bucket = fileEnv.S3_BUCKET;
+    this.setAcl = fileEnv.S3_SET_ACL;
 
     this.client = new S3Client({
       credentials: {
@@ -68,7 +71,7 @@ export class S3 {
 
   public async createPreSignedUrl(key: string): Promise<string> {
     const command = new PutObjectCommand({
-      ACL: 'public-read',
+      ACL: this.setAcl ? 'public-read' : undefined,
       Bucket: this.bucket,
       Key: key,
     });