weyert
commented
2 years ago I like this idea! Sounds like a good idea to limit the need for create bucket permissions. Currently, the idea is that the server will make the bucket if it does not exist. I can imagine that this gets problematic quickly.
Regarding the hashing, it's a bit of hack I am generating a simple hash of the team id/slug that's passed from the Turbo CLI to avoid any potential not allowed characters.
Currently, server requires a separate bucket for each team, this makes team setup harder as someone or something needs to setup this bucket separately. Even is this functionality is added to the server, then server would need to have full admin permissions to manage buckets, which could be a risk if there is anything else hosted on the same cloud account.
To make setup easier and more secure, I would propose to just use folders in the same bucket instead, for example:
turbo-cache-bucket team_A asset1 asset2 team_B asset1 asset2 ...
Of course team names and asset names should be still hashed.
By using this approach, turbo cache server just needs permissions to manage content in one bucket and it is very easy to implement adding a new team. For adding a new team, server would just validate token and if it's correct, it would just accept any team name - any valid token works for any team. Later on if needed tokens could be improved to be issues and validated per team.
What do you think?