Skip to content

Add method for generating signed Smart CDN URLs #201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kvz merged 11 commits into from
Nov 28, 2024
Merged

Add method for generating signed Smart CDN URLs #201

kvz merged 11 commits into from
Nov 28, 2024

Conversation

@Acconut
Copy link
Contributor

@Acconut Acconut commented Nov 22, 2024

We recently added support for signed Smart CDN URLs (see https://transloadit.com/docs/topics/signature-authentication/#smart-cdn) and would like our SDKs to offer methods for generating these signed URLs.

This PR adds such a method, alongside documentation and tests.

@Acconut Acconut requested review from kvz, mifi and remcohaszing November 22, 2024 10:38
@Acconut Acconut self-assigned this Nov 22, 2024
mifi
mifi reviewed Nov 25, 2024
View reviewed changes
remcohaszing
remcohaszing requested changes Nov 25, 2024
View reviewed changes
mifi
mifi reviewed Nov 25, 2024
View reviewed changes
Acconut and others added 4 commits November 25, 2024 11:02
@Acconut @remcohaszing @mifi
Apply suggestions from code review
8311cfe 
Co-authored-by: Remco Haszing <remcohaszing@gmail.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Fix implementation
900fbdc
Allow duplicate parameters
dfe9722
Improve checks
9e4c337
@Acconut
Copy link
Contributor Author

Acconut commented Nov 25, 2024

@mifi @remcohaszing Thank you for the thorough reviews! I think I incorporated all of your feedback. In particular, the urlParams type has been narrowed down and it now also allows duplicate values via array. Could you have another look at it?

@Acconut Acconut requested review from mifi and remcohaszing November 25, 2024 14:32
kvz
kvz requested changes Nov 25, 2024
View reviewed changes
Copy link
Member

@kvz kvz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As i'm implementing implementations for other languages, I find I want to compare signed URLs to see if the implementations are the same.

For this reason, and I guess, also unit testing etc, it's nice if you can pass in an expiresAtMs instead of only a relative expiresInMs. We could accept both for convenience. Or just support the absolute one.

For my testing I ended up with:

  let expireAt = Date.now() + 1 * 60 * 60 * 1000 // 1 hour
  if (opts.signProps.expireAtMs) {
    expireAt = opts.signProps.expireAtMs
  } else if (opts.signProps.expireInMs) {
    expireAt = Date.now() + opts.signProps.expireInMs
  }

WDYT?

@Acconut
Copy link
Contributor Author

Acconut commented Nov 25, 2024

For testing I simulate a faked time, so the expiration time is always fixed: https://github.com/transloadit/node-sdk/pull/201/files#diff-e22f393adc69cfde9a0b1a6d6d6e33aafe4afeb3ca83061ce296462c99d6b845R350 This works well and is also possible with minor adjustments in the Go, Python and Java SDK. I suspect it to also be possible in PHP and Ruby.

I find that this is a better approach than adding another parameter that will just be used for testing. I expect that customer prefer setting the relative expiration duration instead of an absolute expiration timestamp, since that is the value you care about when signing things.

@remcohaszing
Copy link
Member

remcohaszing commented Nov 25, 2024

I lean towards expiresAtMs over expiresInMs, but it’s a slight preference. I do think it’s best to provide one option. Providing multiple options is confusing. The user may mix them up or specify both at the same time.

Perhaps the best option is expiresAt where it accepts a Date object.

@kvz
Copy link
Member

kvz commented Nov 26, 2024

If we want to support only one param, I agree it should be expiresAt.

its possible to tamper with clocks in tests in at least a subset of languages and testing frameworks, but not always and not always trivial.

People may also want to debug their integration outside of testing frameworks.

And for instance in my case I simply wanted to compare the signature between this reference implementation and Ruby & PHP I’m writing.

Found all kinds of subtle differences thank to this being controllable.

@Acconut
Copy link
Contributor Author

Acconut commented Nov 26, 2024

Should we move all SDK PRs to use expiresAt then? As far as I know this is the only point of discussion that we need to settle before we can merge these PRs.

@kvz
Copy link
Member

kvz commented Nov 26, 2024

I agree one way is better than two, and I think passing in something absolute has its benefits. So yes, let's change it throughout.

I took care of PHP, Ruby, Python just now. I also added Node.js parity testing to the Python SDK, just in your PR Marius, so you might want to take a look and see if you agree.

@Acconut
Copy link
Contributor Author

Acconut commented Nov 28, 2024

@kvz I updated the PR to only use expiresAt. Does it look good to you now?

kvz
kvz approved these changes Nov 28, 2024
View reviewed changes
Copy link
Member

@kvz kvz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does!

@kvz kvz merged commit 166bdba into main Nov 28, 2024
8 checks passed
@kvz kvz deleted the smart-cdn-url-signature branch November 28, 2024 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kvz kvz kvz approved these changes

@mifi mifi mifi approved these changes

@remcohaszing remcohaszing remcohaszing approved these changes

Assignees

@Acconut Acconut

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Acconut @remcohaszing @kvz @mifi