quadratic-funding / mpc-phase2-suite

The MPC suite of tools for conducting zkSNARK Phase 2 Trusted Setup ceremonies
MIT License

generatePreSignedURL should restrict access to ceremonies buckets only #309

Closed ctrlc03 closed 1 year ago

ctrlc03 commented 1 year ago

Currently, the generatePreSignedURL cloud function allows generating a pre-signed URL for any bucket/object combination.

Buckets are used to store ceremonies data only, and are named:

A possible solution could be to use the bucket name (passed in as parameter to the cloud function) to retrieve the ceremony prefix (this requires the postfix to be added in the .env of the backend package). With the ceremony prefix we can query the ceremonies collection to see if any ceremony is in the db with this prefix. If there is a match, then we generate the pre-signed URL. No checks on the object key are done as any object stored inside the bucket should not be sensitive (circuits data, zkeys, etc.).

This prevents users from getting pre-signed URLs for any bucket/object combination within the coordinator AWS account, if any.
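One way to implement the check proposed in this issue, as an added example that is not the project's own code: the bucket name is reduced to a ceremony prefix and a URL is signed only if a ceremony with that exact prefix exists. All names are hypothetical, the postfix value and ceremony prefix are constructed, and the set stands in for the query on the ceremonies collection.

```typescript
// Added example. All names are hypothetical; the postfix and prefixes are constructed.
interface BucketPolicy {
  postfix: string; // assumed to be loaded from the backend .env
  ceremonyPrefixes: ReadonlySet<string>; // stand-in for a query on the ceremonies collection
}

interface Decision {
  allowed: boolean;
  reason: string;
}

function checkCeremonyBucket(bucketName: string, policy: BucketPolicy): Decision {
  const { postfix, ceremonyPrefixes } = policy;
  // Fail closed when the postfix is unset: every string ends with "".
  if (!postfix) return { allowed: false, reason: "postfix not configured" };
  if (!bucketName.endsWith(postfix)) {
    return { allowed: false, reason: "bucket name lacks the ceremony postfix" };
  }
  const prefix = bucketName.slice(0, bucketName.length - postfix.length);
  if (prefix.length === 0) return { allowed: false, reason: "empty ceremony prefix" };
  // Exact match: ending in the postfix is not enough, a ceremony must exist.
  if (!ceremonyPrefixes.has(prefix)) {
    return { allowed: false, reason: "no ceremony with this prefix" };
  }
  return { allowed: true, reason: "bucket belongs to a known ceremony" };
}

// The signer is injected so the gate runs before any call to the storage SDK.
function guardedPreSignedUrl(
  bucketName: string,
  objectKey: string,
  policy: BucketPolicy,
  sign: (bucket: string, key: string) => string
): string {
  const decision = checkCeremonyBucket(bucketName, policy);
  if (!decision.allowed) throw new Error(`permission denied: ${decision.reason}`);
  return sign(bucketName, objectKey);
}

// Constructed sample values.
const samplePolicy: BucketPolicy = {
  postfix: "-ph2-ceremony",
  ceremonyPrefixes: new Set(["example-ceremony"]),
};
const fakeSign = (bucket: string, key: string): string => `signed://${bucket}/${key}`;
```

A bucket that merely ends in the postfix but has no ceremony record is rejected, and an unset postfix denies every request instead of matching every bucket.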