cloudinary / cloudinary_gem

Cloudinary GEM for Ruby on Rails integration
https://cloudinary.com

Access token url generation returns 404 #530

Closed arinhouck closed 8 months ago

arinhouck commented 8 months ago

Bug report for Cloudinary Ruby SDK

Describe the bug in a sentence or two.

When generating a token-based authenticated URL, it returns 404 (I did not apply type = authenticated; see below for why)

blob.url(sign_url: true, auth_token: { key: "NewKey", duration: 300 })

Issue Type (Can be multiple)

Steps to reproduce

  1. Create an active record blob and build a custom direct upload url like so:

NOTE: Unable to set or use type = authenticated so used access_mode = authenticated as an alternative

# object is an ActiveStorage::Blob instance
object.service.url_for_direct_upload(
  object.key,
  expires_in: ActiveStorage.service_urls_expire_in,
  content_type: object.content_type,
  content_length: object.byte_size,
  checksum: object.checksum,
  access_mode: 'authenticated',
  access_control: [
    {
      access_type: 'anonymous'
    },
    {
      access_type: 'token'
    }
  ]
)

PUT url from above with binary body = file, response 200, returns secure url as signed (works as expected there)

  2. Requesting a token url with expiration returns 404 when clicking the link.
blob.url(sign_url: true, auth_token: { key: "NewKey", duration: 300 })

^ Generated the auth token url (why is it a 404?) https://deb7dco1z-res.cloudinary.com/image/upload/v1/development/media/9afac870-22a0-4aa3-a331-f4a81a4ceb8e/d5a90fbf7e79b3ede2f7e747547f9e87.JPG?__cld_token__=exp=1702493689~hmac=7fb91d9535dba71d1916c31d060e28a776f5f274c0d1e6183b69ba3365a09ee6

blob.url(sign_url: true)

^ Generated secure pre-signed url which works great. https://deb7dco1z-res.cloudinary.com/image/upload/s--o4k-eXm8--/v1/development/media/9afac870-22a0-4aa3-a331-f4a81a4ceb8e/d5a90fbf7e79b3ede2f7e747547f9e87.JPG

Error screenshots or Stack Trace (if applicable)

Operating System

Environment and Libraries (fill in the version numbers)

Repository

If possible, please provide a link to a reproducible repository that showcases the problem

wissam-khalili commented 8 months ago

Hi @arinhouck,

From your description, you would like to use token-based authentication. It was already enabled in your account. Could you let me know if you are using the key that we have provided you? You can find it under your settings -> upload preset: https://console.cloudinary.com/settings/c-545ff7720fb796b0a0038a8e5a6ce6/upload The key is the name of the preset that starts with f569....

You can find multiple examples in our documentation: https://cloudinary.com/documentation/control_access_to_media#token_based_authentication_premium_feature

In addition, your upload sets the asset with access_mode and access_control (which shouldn’t be used together), and also access control [{"access_type": "anonymous"},{"access_type": "token"}] doesn’t make sense unless you set start/end times. Otherwise, it’ll take a stricter setting (i.e. restricted/token).

Here is another article on the different options for authenticated users: https://support.cloudinary.com/hc/en-us/articles/202519742-Can-I-allow-access-to-uploaded-images-only-to-authenticated-users-

I hope it makes sense.

Please let me know if you have additional questions. Regards, Wissam
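Added example, not part of the thread and not Cloudinary's code: a pre-flight check in Ruby for the two upload-option points raised in the reply above, plus a parser for the `__cld_token__` query value that reports the token's expiry. The helper names, the `:start`/`:end` rule keys, and the sample host and hmac are assumptions made for illustration.

```ruby
require "uri"

# Constructed sample input: the upload options from the report above, and a
# token URL in the same shape as the reported one (host and hmac are made up).
SAMPLE_OPTS = {
  access_mode: "authenticated",
  access_control: [{ access_type: "anonymous" }, { access_type: "token" }]
}.freeze
SAMPLE_URL = "https://res.example.com/image/upload/v1/sample.jpg" \
             "?__cld_token__=exp=1700000300~hmac=#{'ab' * 32}"

# Hypothetical helper: flag the two upload-option problems named in the reply.
# Assumes access_control rules carry their time window in :start / :end.
def audit_upload_options(opts)
  findings = []
  rules = Array(opts[:access_control])
  if opts.key?(:access_mode) && !rules.empty?
    findings << "access_mode and access_control are both set; use only one"
  end
  rules.each do |rule|
    next unless rule[:access_type] == "anonymous"
    next if rule[:start] || rule[:end]
    findings << "anonymous rule has no start/end; the stricter rule applies"
  end
  findings
end

# Hypothetical helper: split the __cld_token__ query value into its fields and
# report how long the token is still valid. Returns nil if the URL has no token.
def parse_cld_token(url, now: Time.now.to_i)
  raw = URI.parse(url).query.to_s[/(?:\A|&)__cld_token__=([^&]*)/, 1]
  return nil unless raw

  fields = raw.split("~").to_h do |pair|
    name, _, value = pair.partition("=")
    [name, value]
  end
  exp = Integer(fields.fetch("exp"), 10)
  { fields: fields, expires_at: Time.at(exp).utc,
    seconds_left: exp - now, expired: exp <= now }
end

if __FILE__ == $PROGRAM_NAME
  puts audit_upload_options(SAMPLE_OPTS)
  puts parse_cld_token(SAMPLE_URL, now: 1_700_000_000).inspect
end
```

Running the audit over the options from the report yields both findings; the token parser only inspects the URL and does not verify the hmac, which requires the account's key.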

arinhouck commented 8 months ago

Perfect, that works, thank you. @wissam-khalili

I'd say some clearer instructions on where or how this token can be created would be helpful. Documentation only states it must be created but doesn't explicitly state how or where you create the token.

Also I think it would be best we remove any identifiable information to this account from your comment. Thanks again!