strapi-community / strapi-provider-upload-google-cloud-storage

Google Cloud Storage Upload Provider for Strapi
MIT License

HTTP 403 when accessing an object in the bucket with public access prevention #175

Open manoharramarao opened 1 year ago

manoharramarao commented 1 year ago

Describe the bug

If the Google Cloud Storage bucket has prevent public access turned on, then it is able to upload the file but can't download the file or view the file with a thumbnail inside the Strapi admin panel.

To Reproduce

Steps to reproduce the behavior:

  1. Create a bucket in Google Cloud Storage
  2. Navigate to buckets > in Google Cloud console
  3. Click on permissions
  4. Click on Prevent Public Access
  5. In the Strapi admin panel, go to the media library and try adding a new asset.
  6. The file gets uploaded but the thumbnail will not be shown

Expected behavior

The thumbnail needs to be shown, and on clicking the edit button > clicking the download button, it should allow downloading the file.


chereranull commented 1 year ago

I had the same error. You need to update the security middleware. You're blocked by CSP.


Fryuni commented 1 year ago

The result of getSignedUrl is being appended with updatedAt=<current time> to form the thumbnail URL on the list page. This makes the request fail with mismatching signatures.

When you click on any such image, the thumbnail shown on the "details" modal has the same URL but without the updatedAt so the image loads fine.

It is unclear to me whether the updatedAt parameter is added by this plugin or by Strapi itself. If it is indeed this plugin's responsibility, then this problem can be fixed by clearing the cache of the stored signed URL whenever the image is updated or by including the update time in the signed blob.

If this is done at a layer above this plugin, on Strapi itself, then this problem is more tricky.

Fryuni commented 1 year ago

Indeed this is a problem on Strapi itself
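
Added example, not code from this plugin, Strapi or Google: a simplified model of the signature mismatch described in the comment about getSignedUrl and updatedAt. It assumes HMAC-SHA256 over the method, path and sorted query string as a stand-in for the real GCS signing scheme; the secret, bucket name, timestamp and the helper names makeSignedUrl and verify are constructed for illustration.

```javascript
// Simplified model of query-string signing (constructed example).
// Real GCS signed URLs sign a fuller canonical request with a service
// account key; HMAC-SHA256 with a demo secret stands in for that here.
const crypto = require('node:crypto');

const DEMO_SECRET = 'constructed-demo-secret'; // hypothetical key

// Canonical form: method, path, then every query parameter except the
// signature itself, sorted by name.
function canonicalize(method, url) {
  const params = [...url.searchParams.entries()]
    .filter(([name]) => name !== 'X-Goog-Signature')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return [method, url.pathname, params].join('\n');
}

function sign(method, url) {
  return crypto.createHmac('sha256', DEMO_SECRET)
    .update(canonicalize(method, url)).digest('hex');
}

// Hypothetical helper playing the role of getSignedUrl.
function makeSignedUrl(rawUrl, extraParams = {}) {
  const url = new URL(rawUrl);
  url.searchParams.set('X-Goog-Expires', '900');
  for (const [k, v] of Object.entries(extraParams)) url.searchParams.set(k, v);
  url.searchParams.set('X-Goog-Signature', sign('GET', url));
  return url.toString();
}

// Server side: recompute the signature from the request as received.
function verify(method, rawUrl) {
  const url = new URL(rawUrl);
  const presented = Buffer.from(url.searchParams.get('X-Goog-Signature') || '', 'hex');
  const expected = Buffer.from(sign(method, url), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

const objectUrl = 'https://storage.googleapis.com/example-bucket/thumb.png'; // constructed
const signed = makeSignedUrl(objectUrl);
// List-page behaviour from the thread: parameter appended after signing.
const listPageUrl = `${signed}&updatedAt=2024-01-01T00:00:00.000Z`;
// Suggested fix from the thread: include the update time in what is signed.
const signedWithTime = makeSignedUrl(objectUrl, { updatedAt: '2024-01-01T00:00:00.000Z' });
```

The unmodified URL and the one signed with updatedAt both verify; the URL with updatedAt appended afterwards does not, because the server recomputes the signature over a query string the signer never saw.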