dev: sign requests sent to Transloadit #3517

aduh95 · 2022-02-28T18:17:06Z

No description provided.

Murderlon

Is this really required for local dev? Probably takes more effort for other people to contribute, or is it the same? Either way, I think it might be good to write something about this in contributing.md

Murderlon · 2022-03-01T04:10:53Z

private/dev/Dashboard.js

+const enc = new TextEncoder('utf-8')
+async function sign (secret, body) {
+  const algorithm = { name: 'HMAC', hash: 'SHA-384' }
+
+  const key = await crypto.subtle.importKey('raw', enc.encode(secret), algorithm, false, ['sign', 'verify'])
+  const signature = await crypto.subtle.sign(algorithm.name, key, enc.encode(body))
+  return `sha384:${Array.from(new Uint8Array(signature), x => x.toString(16).padStart(2, '0')).join('')}`
+}
+function getExpiration (future) {
+  return new Date(Date.now() + future)
+    .toISOString()
+    .replace('T', ' ')
+    .replace(/\.\d+Z$/, '+00:00')
+}
+async function getAssemblyOptions () {
+  const hasSecret = TRANSLOADIT_SECRET != null
+  let params = {
+    auth: {
+      key: TRANSLOADIT_KEY,
+      expires: hasSecret ? getExpiration(5 * 60 * 1000) : undefined,
+    },
+    // It's more secure to use a template_id and enable
+    // Signature Authentication
+    template_id: TRANSLOADIT_TEMPLATE,
+  }
+  let signature
+  if (TRANSLOADIT_SECRET) {
+    params = JSON.stringify(params)
+    signature = await sign(TRANSLOADIT_SECRET, params)
+  }
+
+  return { params, signature }
+}


Perhaps this can be abstracted because we have other local dev setups too, like drag-drop, and presumably frameworks setups too later.

aduh95 · 2022-03-01T09:46:35Z

Probably takes more effort for other people to contribute, or is it the same?

I would say the exact same. If the user doesn't provide a TRANSLOADIT_SECRET in their .env, the requests are not signed (which is the current behavior); otherwise it's signed (which depending on their Transloadit account settings may (should?) be required).

| Package | Version | Package | Version | | ---------------------- | ------- | ---------------------- | ------- | | @uppy/aws-s3-multipart | 2.2.2 | @uppy/file-input | 2.0.6 | | @uppy/box | 1.0.6 | @uppy/form | 2.0.5 | | @uppy/companion | 3.5.1 | @uppy/locales | 2.0.9 | | @uppy/compressor | 0.2.5 | @uppy/transloadit | 2.1.5 | | @uppy/core | 2.1.9 | @uppy/utils | 4.0.7 | | @uppy/drag-drop | 2.0.7 | @uppy/vue | 0.4.7 | | @uppy/drop-target | 1.1.3 | @uppy/robodog | 2.5.4 | | @uppy/dropbox | 2.0.6 | uppy | 2.9.4 | | @uppy/facebook | 2.0.6 | | | - @uppy/locales: Plural translation in cs_CZ local (JakubHaladej / #3666) - @uppy/vue: Add license field to package.json in @uppy/vue (Tobias Trumm / #3664) - meta: Add todo comments (Murderlon) - @uppy/facebook: refactor to ESM (Antoine du Hamel / #3653) - meta: locale-pack: refactor to use more parallel processing (Antoine du Hamel / #3630) - @uppy/file-input: refactor to ESM (Antoine du Hamel / #3652) - meta: sign requests sent to Transloadit in e2e suite (Antoine du Hamel / #3656) - meta: add `VITE_TRANSLOADIT_SECRET` for e2e (Antoine du Hamel) - meta: Update BACKLOG.md (Artur Paikin) - @uppy/form: refactor to ESM (Antoine du Hamel / #3654) - @uppy/dropbox: refactor to ESM (Antoine du Hamel / #3651) - meta: sign requests sent to Transloadit in dev env (Antoine du Hamel / #3517) - @uppy/drop-target: refactor to ESM (Antoine du Hamel / #3648) - @uppy/core: fix `TypeError` when file was removed (Antoine du Hamel / #3650) - @uppy/drag-drop: refactor to ESM (Antoine du Hamel / #3647) - meta: update outdated files (Antoine du Hamel / #3646) - @uppy/compressor: Set meta on file compression (Camilo Forero / #3644) - @uppy/transloadit: improve fetch error handling (Antoine du Hamel / #3637) - @uppy/box: refactor to ESM (Antoine du Hamel / #3643) - @uppy/utils: Fix getFileType for dicom images (Merlijn Vos / #3610) - @uppy/aws-s3-multipart: Add `companionCookiesRule` type to @uppy/aws-s3-multipart (Mauricio Ribeiro / #3623)

| Package | Version | Package | Version | | ---------------------- | ------- | ---------------------- | ------- | | @uppy/aws-s3-multipart | 2.2.2 | @uppy/file-input | 2.0.6 | | @uppy/box | 1.0.6 | @uppy/form | 2.0.5 | | @uppy/companion | 3.5.1 | @uppy/locales | 2.0.9 | | @uppy/compressor | 0.2.5 | @uppy/transloadit | 2.1.5 | | @uppy/core | 2.1.9 | @uppy/utils | 4.0.7 | | @uppy/drag-drop | 2.0.7 | @uppy/vue | 0.4.7 | | @uppy/drop-target | 1.1.3 | @uppy/robodog | 2.5.4 | | @uppy/dropbox | 2.0.6 | uppy | 2.9.4 | | @uppy/facebook | 2.0.6 | | | - @uppy/locales: Plural translation in cs_CZ local (JakubHaladej / transloadit#3666) - @uppy/vue: Add license field to package.json in @uppy/vue (Tobias Trumm / transloadit#3664) - meta: Add todo comments (Murderlon) - @uppy/facebook: refactor to ESM (Antoine du Hamel / transloadit#3653) - meta: locale-pack: refactor to use more parallel processing (Antoine du Hamel / transloadit#3630) - @uppy/file-input: refactor to ESM (Antoine du Hamel / transloadit#3652) - meta: sign requests sent to Transloadit in e2e suite (Antoine du Hamel / transloadit#3656) - meta: add `VITE_TRANSLOADIT_SECRET` for e2e (Antoine du Hamel) - meta: Update BACKLOG.md (Artur Paikin) - @uppy/form: refactor to ESM (Antoine du Hamel / transloadit#3654) - @uppy/dropbox: refactor to ESM (Antoine du Hamel / transloadit#3651) - meta: sign requests sent to Transloadit in dev env (Antoine du Hamel / transloadit#3517) - @uppy/drop-target: refactor to ESM (Antoine du Hamel / transloadit#3648) - @uppy/core: fix `TypeError` when file was removed (Antoine du Hamel / transloadit#3650) - @uppy/drag-drop: refactor to ESM (Antoine du Hamel / transloadit#3647) - meta: update outdated files (Antoine du Hamel / transloadit#3646) - @uppy/compressor: Set meta on file compression (Camilo Forero / transloadit#3644) - @uppy/transloadit: improve fetch error handling (Antoine du Hamel / transloadit#3637) - @uppy/box: refactor to ESM (Antoine du Hamel / transloadit#3643) - @uppy/utils: Fix getFileType for dicom images (Merlijn Vos / transloadit#3610) - @uppy/aws-s3-multipart: Add `companionCookiesRule` type to @uppy/aws-s3-multipart (Mauricio Ribeiro / transloadit#3623)

Murderlon reviewed Mar 1, 2022

View reviewed changes

aduh95 added 2 commits April 21, 2022 15:43

dev: sign requests sent to Transloadit

1d69802

Address review comments

3201587

aduh95 marked this pull request as ready for review April 21, 2022 14:02

aduh95 force-pushed the hmac-signature-for-dev branch from d1e23f2 to 3201587 Compare April 21, 2022 14:02

aduh95 requested a review from Murderlon April 21, 2022 14:03

github-actions bot added the pending end-to-end tests label Apr 21, 2022

aduh95 removed the pending end-to-end tests label Apr 21, 2022

Murderlon approved these changes Apr 21, 2022

View reviewed changes

aduh95 merged commit a77b039 into transloadit:main Apr 21, 2022

aduh95 deleted the hmac-signature-for-dev branch April 21, 2022 14:08

github-actions bot mentioned this pull request Apr 27, 2022

Release: uppy@2.9.4 #3667

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dev: sign requests sent to Transloadit #3517

dev: sign requests sent to Transloadit #3517

aduh95 commented Feb 28, 2022

Murderlon left a comment

Murderlon Mar 1, 2022

aduh95 commented Mar 1, 2022

dev: sign requests sent to Transloadit #3517

dev: sign requests sent to Transloadit #3517

Conversation

aduh95 commented Feb 28, 2022

Murderlon left a comment

Choose a reason for hiding this comment

Murderlon Mar 1, 2022

Choose a reason for hiding this comment

aduh95 commented Mar 1, 2022