uppy/examples/aws-nodejs/index.js
Prakash 3529f97899
fix signature mismatch in @uppy/aws-s3 (#6165)
shouldUseMultipart: true was not working due to signature mismatch

AI summary :

This pull request improves support for specifying the `contentType`
during S3 uploads, ensuring that the correct content type is set when
generating presigned URLs for both single and multipart uploads. It also
updates the client-side and server-side code to handle this new
parameter.

**Backend and API enhancements:**
- Updated the `/s3/presign` endpoint in `index.js` to accept an optional
`contentType` parameter and to include it in the S3 `PutObjectCommand`
and `CreateMultipartUploadCommand` requests, defaulting to
`'application/octet-stream'` if not provided.
[[1]](diffhunk://#diff-0c4471088c62917198e1438777b4c7e78fd4d87d450d2a7c78b86b7c647ac97bL360-R360)
[[2]](diffhunk://#diff-0c4471088c62917198e1438777b4c7e78fd4d87d450d2a7c78b86b7c647ac97bR384-R391)

**Client-side and types improvements:**
- Added `contentType` to the `presignableRequest` type to ensure type
safety and clarity when passing this parameter.
- Modified the S3 client (`S3.ts`) to include `contentType` when making
presign requests.
- Updated the example HTML (`rewrite-test.html`) to send `contentType`
in presign requests and enabled multipart uploads for testing.
[[1]](diffhunk://#diff-ca9bc28a71d2d8ac4e0aa6844698f2244594a12e695fc3e153db36674ccb2b52L103-R103)
[[2]](diffhunk://#diff-ca9bc28a71d2d8ac4e0aa6844698f2244594a12e695fc3e153db36674ccb2b52R114)
2026-06-17 13:54:47 +05:30

503 lines
14 KiB
JavaScript

const path = require('node:path')
const crypto = require('node:crypto')
const { existsSync } = require('node:fs')
require('dotenv').config({ path: path.join(__dirname, '..', '..', '.env') })
const express = require('express')
const app = express()
const port = process.env.PORT ?? 8080
const accessControlAllowOrigin = '*' // You should define the actual domain(s) that are allowed to make requests.
const bodyParser = require('body-parser')
const {
S3Client,
AbortMultipartUploadCommand,
CompleteMultipartUploadCommand,
CreateMultipartUploadCommand,
ListPartsCommand,
PutObjectCommand,
UploadPartCommand,
} = require('@aws-sdk/client-s3')
const { getSignedUrl } = require('@aws-sdk/s3-request-presigner')
const { STSClient, GetFederationTokenCommand } = require('@aws-sdk/client-sts')
const policy = {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: ['s3:PutObject'],
Resource: [
`arn:aws:s3:::${process.env.COMPANION_AWS_BUCKET}/*`,
`arn:aws:s3:::${process.env.COMPANION_AWS_BUCKET}`,
],
},
],
}
/**
* @type {S3Client}
*/
let s3Client
/**
* @type {STSClient}
*/
let stsClient
const expiresIn = 900 // Define how long until a S3 signature expires.
function getS3Client() {
s3Client ??= new S3Client({
region: process.env.COMPANION_AWS_REGION,
credentials: {
accessKeyId: process.env.COMPANION_AWS_KEY,
secretAccessKey: process.env.COMPANION_AWS_SECRET,
},
forcePathStyle: process.env.COMPANION_AWS_FORCE_PATH_STYLE === 'true',
})
return s3Client
}
function getSTSClient() {
stsClient ??= new STSClient({
region: process.env.COMPANION_AWS_REGION,
credentials: {
accessKeyId: process.env.COMPANION_AWS_KEY,
secretAccessKey: process.env.COMPANION_AWS_SECRET,
},
})
return stsClient
}
// Generate a unique S3 key for the file
const generateS3Key = (filename) => `${crypto.randomUUID()}-${filename}`
// Extract the file parameters from the request
const extractFileParameters = (req) => {
const isPostRequest = req.method === 'POST'
const params = isPostRequest ? req.body : req.query
return {
filename: params.filename,
contentType: params.type,
}
}
// Validate the file parameters
const validateFileParameters = (filename, contentType) => {
if (!filename || !contentType) {
throw new Error(
'Missing required parameters: filename and content type are required',
)
}
}
app.use(bodyParser.urlencoded({ extended: true }), bodyParser.json())
app.get('/s3/sts', (req, res, next) => {
// Before giving the STS token to the client, you should first check is they
// are authorized to perform that operation, and if the request is legit.
// For the sake of simplification, we skip that check in this example.
getSTSClient()
.send(
new GetFederationTokenCommand({
Name: '123user',
// The duration, in seconds, of the role session. The value specified
// can range from 900 seconds (15 minutes) up to the maximum session
// duration set for the role.
DurationSeconds: expiresIn,
Policy: JSON.stringify(policy),
}),
)
.then((response) => {
// Test creating multipart upload from the server — it works
// createMultipartUploadYo(response)
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.setHeader('Cache-Control', `public,max-age=${expiresIn}`)
res.json({
credentials: response.Credentials,
bucket: process.env.COMPANION_AWS_BUCKET,
region: process.env.COMPANION_AWS_REGION,
})
}, next)
})
const signOnServer = (req, res, next) => {
// Before giving the signature to the user, you should first check is they
// are authorized to perform that operation, and if the request is legit.
// For the sake of simplification, we skip that check in this example.
const { filename, contentType } = extractFileParameters(req)
validateFileParameters(filename, contentType)
// Generate S3 key and prepare command
const Key = generateS3Key(filename)
getSignedUrl(
getS3Client(),
new PutObjectCommand({
Bucket: process.env.COMPANION_AWS_BUCKET,
Key,
ContentType: contentType,
}),
{ expiresIn },
).then((url) => {
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.json({
url,
method: 'PUT',
})
res.end()
}, next)
}
app.get('/s3/params', signOnServer)
app.post('/s3/sign', signOnServer)
// === <S3 Multipart> ===
// You can remove those endpoints if you only want to support the non-multipart uploads.
app.post('/s3/multipart', (req, res, next) => {
const client = getS3Client()
const { type, metadata, filename } = req.body
if (typeof filename !== 'string') {
return res
.status(400)
.json({ error: 's3: content filename must be a string' })
}
if (typeof type !== 'string') {
return res.status(400).json({ error: 's3: content type must be a string' })
}
const Key = `${crypto.randomUUID()}-${filename}`
const params = {
Bucket: process.env.COMPANION_AWS_BUCKET,
Key,
ContentType: type,
Metadata: metadata,
}
const command = new CreateMultipartUploadCommand(params)
return client.send(command, (err, data) => {
if (err) {
next(err)
return
}
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.json({
key: data.Key,
uploadId: data.UploadId,
})
})
})
function validatePartNumber(partNumber) {
partNumber = Number(partNumber)
return Number.isInteger(partNumber) && partNumber >= 1 && partNumber <= 10_000
}
app.get('/s3/multipart/:uploadId/:partNumber', (req, res, next) => {
const { uploadId, partNumber } = req.params
const { key } = req.query
if (!validatePartNumber(partNumber)) {
return res.status(400).json({
error: 's3: the part number must be an integer between 1 and 10000.',
})
}
if (typeof key !== 'string') {
return res.status(400).json({
error:
's3: the object key must be passed as a query parameter. For example: "?key=abc.jpg"',
})
}
return getSignedUrl(
getS3Client(),
new UploadPartCommand({
Bucket: process.env.COMPANION_AWS_BUCKET,
Key: key,
UploadId: uploadId,
PartNumber: partNumber,
Body: '',
}),
{ expiresIn },
).then((url) => {
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.json({ url, expires: expiresIn })
}, next)
})
app.get('/s3/multipart/:uploadId', (req, res, next) => {
const client = getS3Client()
const { uploadId } = req.params
const { key } = req.query
if (typeof key !== 'string') {
res.status(400).json({
error:
's3: the object key must be passed as a query parameter. For example: "?key=abc.jpg"',
})
return
}
const parts = []
function listPartsPage(startsAt = undefined) {
client.send(
new ListPartsCommand({
Bucket: process.env.COMPANION_AWS_BUCKET,
Key: key,
UploadId: uploadId,
PartNumberMarker: startsAt,
}),
(err, data) => {
if (err) {
next(err)
return
}
parts.push(...data.Parts)
// continue to get list of all uploaded parts until the IsTruncated flag is false
if (data.IsTruncated) {
listPartsPage(data.NextPartNumberMarker)
} else {
res.json(parts)
}
},
)
}
listPartsPage()
})
function isValidPart(part) {
return (
part &&
typeof part === 'object' &&
Number(part.PartNumber) &&
typeof part.ETag === 'string'
)
}
app.post('/s3/multipart/:uploadId/complete', (req, res, next) => {
const client = getS3Client()
const { uploadId } = req.params
const { key } = req.query
const { parts } = req.body
if (typeof key !== 'string') {
return res.status(400).json({
error:
's3: the object key must be passed as a query parameter. For example: "?key=abc.jpg"',
})
}
if (!Array.isArray(parts) || !parts.every(isValidPart)) {
return res.status(400).json({
error: 's3: `parts` must be an array of {ETag, PartNumber} objects.',
})
}
return client.send(
new CompleteMultipartUploadCommand({
Bucket: process.env.COMPANION_AWS_BUCKET,
Key: key,
UploadId: uploadId,
MultipartUpload: {
Parts: parts,
},
}),
(err, data) => {
if (err) {
next(err)
return
}
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.json({
location: data.Location,
})
},
)
})
app.delete('/s3/multipart/:uploadId', (req, res, next) => {
const client = getS3Client()
const { uploadId } = req.params
const { key } = req.query
if (typeof key !== 'string') {
return res.status(400).json({
error:
's3: the object key must be passed as a query parameter. For example: "?key=abc.jpg"',
})
}
return client.send(
new AbortMultipartUploadCommand({
Bucket: process.env.COMPANION_AWS_BUCKET,
Key: key,
UploadId: uploadId,
}),
(err) => {
if (err) {
next(err)
return
}
res.json({})
},
)
})
// === </S3 MULTIPART> ===
// === <S3 Pre-signed URL Endpoint for Plugin Rewrite v3> ===
// This endpoint returns pre-signed URLs for S3 operations
// Used by the rewritten @uppy/aws-s3 plugin with signRequest option
app.post('/s3/presign', async (req, res, next) => {
try {
const { method, key, uploadId, partNumber, contentType } = req.body
const client = getS3Client()
if (!method || !key) {
return res.status(400).json({ error: 'method and key are required' })
}
const bucket = process.env.COMPANION_AWS_BUCKET
let command
// Determine which command to use based on method and params
if (method === 'PUT' && uploadId && partNumber) {
// UploadPart
command = new UploadPartCommand({
Bucket: bucket,
Key: key,
UploadId: uploadId,
PartNumber: parseInt(partNumber, 10),
})
} else if (method === 'PUT') {
// PutObject (simple upload)
command = new PutObjectCommand({
Bucket: bucket,
Key: key,
ContentType: contentType || 'application/octet-stream',
})
} else if (method === 'POST' && !uploadId) {
// CreateMultipartUpload
command = new CreateMultipartUploadCommand({
Bucket: bucket,
Key: key,
ContentType: contentType || 'application/octet-stream',
})
} else if (method === 'POST' && uploadId) {
// CompleteMultipartUpload
command = new CompleteMultipartUploadCommand({
Bucket: bucket,
Key: key,
UploadId: uploadId,
// Note: parts are sent in the request body, not in the presigned URL
})
} else if (method === 'DELETE' && uploadId) {
// AbortMultipartUpload
command = new AbortMultipartUploadCommand({
Bucket: bucket,
Key: key,
UploadId: uploadId,
})
} else if (method === 'GET' && uploadId) {
// ListParts
command = new ListPartsCommand({
Bucket: bucket,
Key: key,
UploadId: uploadId,
})
} else {
return res.status(400).json({ error: 'Unsupported operation' })
}
const url = await getSignedUrl(client, command, { expiresIn: 900 })
res.setHeader('Access-Control-Allow-Origin', accessControlAllowOrigin)
res.json({ url })
} catch (err) {
next(err)
}
})
// === </S3 Pre-signed URL Endpoint for Plugin Rewrite v3> ===
// === <some plumbing to make the example work> ===
app.get('/', (req, res) => {
res.setHeader('Content-Type', 'text/html')
const htmlPath = path.join(__dirname, 'public', 'index.html')
res.sendFile(htmlPath)
})
app.get('/index.html', (req, res) => {
res.setHeader('Location', '/').sendStatus(308).end()
})
app.get('/withCustomEndpoints.html', (req, res) => {
res.setHeader('Content-Type', 'text/html')
const htmlPath = path.join(__dirname, 'public', 'withCustomEndpoints.html')
res.sendFile(htmlPath)
})
app.get('/rewrite-test.html', (req, res) => {
res.setHeader('Content-Type', 'text/html')
// Inject bucket config as JS variables
const config = `<script>
window.UPPY_S3_BUCKET = "${process.env.COMPANION_AWS_BUCKET}";
window.UPPY_S3_REGION = "${process.env.COMPANION_AWS_REGION}";
</script>`
const htmlPath = path.join(__dirname, 'public', 'rewrite-test.html')
require('node:fs').readFile(htmlPath, 'utf8', (err, html) => {
if (err) return res.status(500).send('Error loading page')
// Inject config before </head>
const modifiedHtml = html.replace('</head>', `${config}</head>`)
res.send(modifiedHtml)
})
})
app.get('/uppy.min.mjs', (req, res) => {
res.setHeader('Content-Type', 'text/javascript')
const bundlePath = path.join(
__dirname,
'../..',
'packages/uppy/dist',
'uppy.min.mjs',
)
if (existsSync(bundlePath)) {
res.sendFile(bundlePath)
} else {
console.warn(
'No local JS bundle found, using the CDN as a fallback. Run `corepack yarn build` to make this warning disappear.',
)
res.end(
'export * from "https://releases.transloadit.com/uppy/v4.0.0-beta.11/uppy.min.mjs";\n',
)
}
})
app.get('/uppy.min.css', (req, res) => {
res.setHeader('Content-Type', 'text/css')
const bundlePath = path.join(
__dirname,
'../..',
'packages/uppy/dist',
'uppy.min.css',
)
if (existsSync(bundlePath)) {
res.sendFile(bundlePath)
} else {
console.warn(
'No local CSS bundle found, using the CDN as a fallback. Run `corepack yarn build` to make this warning disappear.',
)
res.end(
'@import "https://releases.transloadit.com/uppy/v4.0.0-beta.11/uppy.min.css";\n',
)
}
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}.`)
console.log(`Visit http://localhost:${port}/ on your browser to try it.`)
})