storage/file#getSignedUrl example for uploading to signed URL fails

[aknuds1]

I cannot upload to signed URLs generated by storage/file#getSignedUrl. I've even tried implementing the official example from the documentation and it fails:

let bucket = gcs.bucket('aBucket')
let cloudFile = bucket.file('aFile')
cloudFile.getSignedUrl({
  action: 'write',
  expires: `03-17-2025`,
}, (error, signedUrl) => {
  if (error == null) {
    // The file is now available to be written to.
    let request = require('request')
    var writeStream = request.post(signedUrl);
    writeStream.end('New data');
    writeStream.on('complete', function(resp) {
      if (resp.statusCode !== 200) {
        console.log('Writing to file failed:', resp.statusCode)
      } else {
        // Confirm the new content was saved.
        cloudFile.download(function(err, fileContents) {
          if (err != null) {
            console.log(`Download failed:`, err.message)
          } else {
            console.log('Contents:', fileContents.toString());
          }
        });
      }
    });
  }
})

The status code from POSTing to the file is 400, with the message <?xml version='1.0' encoding='UTF-8'?><Error><Code>InvalidPolicyDocument</Code><Message>The content of the form does not meet the conditions specified in the policy document.</Message><Details>Missing policy</Details></Error>%.

[stephenplusplus]

Bug caught, PR sent: #1313! When action is write, we generate a signed url expecting a PUT request.

Note: The HTTP verb POST is not supported in signed URL strings, except as noted above. You can use POST to define signed policy documents, which specify the characteristics of objects that can be uploaded to a bucket. Learn more in the POST Object documentation

• https://cloud.google.com/storage/docs/access-control/signed-urls

[aknuds1]

Thanks @stephenplusplus! PUT doesn't quite work for me either, although it fails in a different way. If I try curl -X put -d "{}" $SIGNED_URL it fails like this:

<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous callers do not have storage.objects.create access to bucket arve.muzhack.com.</Details></Error>

If I try to PUT via XMLHttpRequest, it fails differently:

let request = new XMLHttpRequest()
request.onreadystatechange = () => {
  if (request.readyState === XMLHttpRequest.DONE) {
    if (request.status === 200) {
      console.log('Uploaded successfully')
    } else {
      console.log(`Upload was not successful: ${request.status}`)
    }
  }
}

request.open('PUT', signedUrl, true)
request.send(file)

Resulting in the following response:

<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>PUT

image/png
1463260982
/arve.muzhack.com/u%2Faknudsen%2Ftest%2Fpictures%2FIMG_20160511_132145.jpg</StringToSign></Error>

It would be great if you could help me figure out what goes wrong here.

[aknuds1]

I figured out that the reason that XMLHttpRequest fails is that it sends a content-type header, f.ex. image/png, which the call to getSignedUrl fails to match by default. I worked around it by sending a fixed value for content-type, which I also configured getSignedUrl with.

[aknuds1]

@stephenplusplus I have another question though. How do I ensure that a file created through uploading via a signed URL is publicly readable? See my Stack Overflow question on this.

[stephenplusplus]

I believe you can use the extension headers option: https://googlecloudplatform.github.io/gcloud-node/#/docs/v0.33.0/storage%2Ffile?method=getSignedUrl

See https://cloud.google.com/storage/docs/access-control/signed-urls#about-canonical-extension-headers looks like maybe "x-goog-acl: public"

[aknuds1]

@stephenplusplus How do I set extensionHeaders properly? I've tried, but the signature verification fails.

[aknuds1]

@stephenplusplus I think there is a bug when supplying extensionHeaders actually. You have to add a newline at the end for it to work, due to the implementation of getSignedUrl:

var sign = crypto.createSign('RSA-SHA256');
sign.update([
  options.action,
  (options.contentMd5 || ''),
  (options.contentType || ''),
  expiresInSeconds,
  (options.extensionHeaders || '') + options.resource
].join('\n'));
var signature = sign.sign(credentials.private_key, 'base64');

You'll see that options.extensionHeaders is prepended to options.resource. I don't see any good reason for this, and it means in practice a newline has to be appended to extensionHeaders in order to match the incoming request.

[aknuds1]

@stephenplusplus I created an issue on the matter, with accompanying PR.