generate_signed_url does not work for virtual_hosted_style=True #1031
Comments
product-auto-label
bot
added
the
api: storage
cojenco
added
type: feature request
frankyn
added
priority: p2
|
Hi @whs, To clarify, the sample is using V2 and virtual_hosted_style with Cloud Storage recommends using V4 over V2 as well. Here's a sample: from google.cloud import storage
import datetime
storage = storage.Client()
bucket = storage.bucket("bucket-name")
blob = bucket.get_blob("object-name")
print(blob.generate_signed_url(
version="v4",
# This URL is valid for 15 minutes
expiration=datetime.timedelta(minutes=15),
# Allow GET requests using this URL.
method="GET",
virtual_hosted_style=True,
)) |
|
The v4 signature doesn't work in my use case. I serve cacheable contents to end users. Presigned URL is used as anti-hotlinking mechanism. In v4 URL scheme the X-Goog-Date is a required field, and |
|
@whs could you share an example of what you're doing? I've never come across this use case and sounds interesting. |
|
Sure, here's the website - https://tipme.in.th/fumihausu . Both the background and the top banner are user-customizable, and use presign URL in the way I mentioned. As for why virtual host style is required - the site has a content security policy (CSP). I'd prefer not to add domains that mix UGC from other customers, so I can't add storage.googleapis.com to the CSP directly. There's another use case not on the unauthenticated side - customer can also upload images/audio files to the file manager for using in a live streaming application (eg. OBS) which embed a webpage hosted on us that link to user-supplied input. For example, we provide a "donation alert" webview that user can customize with images or audio. We'd want to cache the uploaded content to make sure they show up on the live stream without buffering, so having deterministic URL. If I make the UGC public, then the user can use the file manager as an image upload host which we want to prevent. |
|
Thanks for the context, I'm still confused by:
Oh, do you mean, v2 allows expiration from epoch you can set that time (once) and your caching will handle incoming requests whereas v4 generates a new URL each time because it uses current time for X-Goog-Date which then creates a new URL? How often do you refresh the expiration? |
|
In v2 the only time field is expire field. If you inspect our URL you'll see that it is something like As GCS supplies Etag and Last-modified to web browsers, the browser will call to the same URL with If-Modified-Since & If-None-Match which matches and return 304. This remove the download time of the content. In v4, I'm required to add X-Goog-Date. I could do the same thing here rounding down X-Goog-Date but there's no API to set it (I read the source and it seems that explicitly setting X-Goog-Date, even internally is only intended to be used for automated testing) |
|
I believe I also ran into this today but I was using |
|
I believe I'll update the documentation for these options. |
|
Identified where the limitations lie within v2 signing and have a proposed fix. Discussed offline with the team - as we have signed url work planned for the quarter, we're moving this to be a part of that project altogether |
cojenco
added
priority: p3
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Please run down the following list and make sure you've tried the usual "quick fixes":
If you are still having issues, please be sure to include as much information as possible:
Environment details
pip 21.3.1google-cloud-storageversion: 2.3.0Steps to reproduce
blob.generate_signed_url(..., virtual_hosted_style=True)Code example
Stack trace
I believe this is due to that the generated URL is https://bucket.storage.googleapis.com/object so it signs
/objectinstead of/bucket/objectWorkaround
The text was updated successfully, but these errors were encountered: