Setting up CORS for buckets

Hi all

Thank you for your support of this gem. Am asking in the hopes that some of you may know a quick answer, by virtue of experience. If not, I will continue to dig in the documentation. (Am happy to make PRs to the documentation if that would help.)

I am trying to understand how to set up a bucket for CORS. The example used in the documentation is for Amazon S3 bucket, but I would like to use a Google bucket instead, so I’m guessing I have to tweak the following to suit Google?

Setting up CORS for Amazon S3 bucket:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://my-app.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>x-amz-date</AllowedHeader>  <!-- What is this? -->
    <AllowedHeader>x-amz-content-sha256</AllowedHeader>  <!-- What is this? -->
    <AllowedHeader>content-type</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>

Here’s how I understand it (please do correct me here if I’m wrong):

  1. The user drags a file onto the form field. A presigned request is made. If successful then:
  2. Uppy sends the file directly to the bucket via a PUT request (or is it a POST request?) and adds in various header information, which includes: x-amz-date?
  3. The bucket receives the put/post and sends back some type of confirmation.
  4. Uppy receives the confirmation and tells the user that the file has been uploaded.

My questions, in short:

  • Am trying to work out what the significance of the x-amz-date and x-amz-content-sha256 headers is, and how they work in the context of an Uppy / direct bucket upload?
  • Will I have to configure Uppy to send the equivalent Google headers, and what happens if the headers are not there?

Thank you once again for your support.

rgds
Ben

Hi Ben

Good questions.

The CORS XML configuration example above was based on AWS S3 CORS documentation.

If I remember correctly, the x-amz-date and x-amz-content were part of the AWS signature requirements to sign the requests.

Google Cloud Storage may have a similar system but done differently from AWS. I’m not sure as I’ve never used it, but I would refer to their documentation to see how to set up the equivalent of CORS and how to sign requests if they require that.

Hope this helps.
Hiren

Hi Hiren

Thank you for your response.

I'm not quite understanding the workflow:

Take for example this value: x-amz-content-sha256:

  • Will it be calculated by the presign_url method of the shrine uploader? Or will it be calculated by uppy?
  • Finally, will such a value be sent to the relevant bucket?

Any pointers would be much appreciated.

regards

Ben

Hi Ben

x-amz-content-sha256 will be calculated by Uppy (or a client) and not Shrine. It is required for all requests to AWS using AWS signature v4 and is basically a hash of the request payload (see https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html).

A lot of the x-amz* stuff has to do with creating a request for AWS, creating headers/signatures for authorization, and less about Shrine and file uploads.

The flow you mentioned in the OP is correct. Uppy creates a PUT request because that is what AWS requires. (You’re probably thinking POST based on the REST convention, but it’s PUT.) You are missing one step after Uppy receives the confirmation, and that is that a request is sent to your Rails app to store the file info in the database (steps 4-6 in the example doc).

Regards,
Hiren
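
A simplified model of how the bucket picks a CORS rule for the browser's preflight, applied to the configuration posted in the question. This is an added example, not code from the thread, Shrine or Uppy. The `rules` array is transcribed by hand from that XML, and `matches`, `evaluatePreflight`, `signedPut`, `withoutShaHeader` and the `https://other.example` origin are names and values constructed for the illustration.

```javascript
// Added example: a simplified model of CORS rule selection for a preflight.
// `rules` is transcribed by hand from the CORSConfiguration in the question.
const rules = [
  { origins: ['https://my-app.com'], methods: ['GET', 'POST', 'PUT'],
    headers: ['Authorization', 'x-amz-date', 'x-amz-content-sha256', 'content-type'] },
  { origins: ['*'], methods: ['GET'], headers: [] },
];

// Match a value against a pattern in which "*" stands for any run of characters.
function matches(pattern, value, ignoreCase) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

// Return the index of the first rule whose origin, method and headers all
// cover the preflight, or -1 when no rule does (the browser then blocks the upload).
function evaluatePreflight(ruleSet, { origin, method, requestHeaders = [] }) {
  return ruleSet.findIndex((rule) =>
    rule.origins.some((o) => matches(o, origin, false)) &&
    rule.methods.includes(method) &&
    requestHeaders.every((h) => rule.headers.some((a) => matches(a, h, true))));
}

// Constructed preflight for a signed PUT from the app's own origin.
const signedPut = {
  origin: 'https://my-app.com',
  method: 'PUT',
  requestHeaders: ['content-type', 'x-amz-date', 'x-amz-content-sha256'],
};

// The same rules with x-amz-content-sha256 left out of AllowedHeader.
const withoutShaHeader = rules.map((r) =>
  ({ ...r, headers: r.headers.filter((h) => h !== 'x-amz-content-sha256') }));

console.log(evaluatePreflight(rules, signedPut));            // rule 0 matches
console.log(evaluatePreflight(withoutShaHeader, signedPut)); // no rule matches
console.log(evaluatePreflight(rules, { ...signedPut, origin: 'https://other.example' }));
```

The wildcard rule only covers GET requests that carry no custom request headers, so it does not open uploads to other origins.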

Thank you for the clarification. Much appreciated.