feat: allow upload signed url to overwrite files

src/auth/jwt.ts

@@ -24,6 +24,7 @@ export type SignedToken = {
 
 export type SignedUploadToken = {
   owner: string | undefined
+  upsert: boolean
   url: string
   exp: number
 }

src/http/routes/object/getSignedUploadURL.ts

@@ -15,6 +15,15 @@ const getSignedUploadURLParamsSchema = {
   required: ['bucketName', '*'],
 } as const
 
+const getSignedUploadURLHeadersSchema = {
+  type: 'object',
+  properties: {
+    'x-upsert': { type: 'string' },
+    authorization: { type: 'string' },
+  },
+  required: ['authorization'],
+} as const
+
 const successResponseSchema = {
   type: 'object',
   properties: {
@@ -29,6 +38,7 @@ const successResponseSchema = {
 }
 interface getSignedURLRequestInterface extends AuthenticatedRequest {
   Params: FromSchema<typeof getSignedUploadURLParamsSchema>
+  Headers: FromSchema<typeof getSignedUploadURLHeadersSchema>
 }
 
 export default async function routes(fastify: FastifyInstance) {
@@ -54,7 +64,9 @@ export default async function routes(fastify: FastifyInstance) {
 
       const signedUploadURL = await request.storage
         .from(bucketName)
-        .signUploadObjectUrl(objectName, urlPath as string, uploadSignedUrlExpirationTime, owner)
+        .signUploadObjectUrl(objectName, urlPath as string, uploadSignedUrlExpirationTime, owner, {
+          upsert: request.headers['x-upsert'] === 'true',
+        })
 
       return response.status(200).send({ url: signedUploadURL })
     }

src/http/routes/object/uploadSignedObject.ts

@@ -99,6 +99,7 @@ export default async function routes(fastify: FastifyInstance) {
         .uploadNewObject(request, {
           owner,
           objectName,
+          isUpsert: payload.upsert,
         })
 
       return response.status(objectMetadata?.httpStatusCode ?? 200).send({

src/storage/object.ts

@@ -572,8 +572,15 @@ export class ObjectStorage {
    * @param url
    * @param expiresIn seconds
    * @param owner
+   * @param options
    */
-  async signUploadObjectUrl(objectName: string, url: string, expiresIn: number, owner?: string) {
+  async signUploadObjectUrl(
+    objectName: string,
+    url: string,
+    expiresIn: number,
+    owner?: string,
+    options?: { upsert?: boolean }
+  ) {
     // check as super user if the object already exists
     const found = await this.asSuperUser().findObject(objectName, 'id', {
       dontErrorOnEmpty: true,
@@ -584,19 +591,21 @@ export class ObjectStorage {
     }
 
     // check if user has INSERT permissions
-    await this.db.testPermission((db) => {
-      return db.createObject({
-        bucket_id: this.bucketId,
-        name: objectName,
-        owner,
-        metadata: {},
-      })
+    await this.uploader.canUpload({
+      bucketId: this.bucketId,
+      objectName,
+      owner,
+      isUpsert: options?.upsert ?? false,
     })
 
     const urlParts = url.split('/')
     const urlToSign = decodeURI(urlParts.splice(4).join('/'))
     const { secret: jwtSecret } = await getJwtSecret(this.db.tenantId)
-    const token = await signJWT({ owner, url: urlToSign }, jwtSecret, expiresIn)
+    const token = await signJWT(
+      { owner, url: urlToSign, upsert: Boolean(options?.upsert) },
+      jwtSecret,
+      expiresIn
+    )
 
     return `/object/upload/sign/${urlToSign}?token=${token}`
   }

src/test/object.test.ts

@@ -1544,6 +1544,73 @@ describe('testing uploading with generated signed upload URL', () => {
     expect(response.statusCode).toBe(400)
     expect(S3Backend.prototype.uploadObject).not.toHaveBeenCalled()
   })
+
+  it('will allow overwriting a file when the generating a signed upload url with x-upsert:true', async () => {
+    function createUpload() {
+      const form = new FormData()
+      form.append('file', fs.createReadStream(`./src/test/assets/sadcat.jpg`))
+      return form
+    }
+
+    const BUCKET_ID = 'bucket2'
+    const OBJECT_NAME = 'signed/sadcat-upload-signed-2.png'
+    const urlToSign = `${BUCKET_ID}/${OBJECT_NAME}`
+    const owner = '317eadce-631a-4429-a0bb-f19a7a517b4a'
+
+    // Upload a file first
+    const resp = await app().inject({
+      method: 'POST',
+      url: `/object/${urlToSign}`,
+      payload: createUpload(),
+      headers: {
+        authorization: serviceKey,
+      },
+    })
+
+    expect(resp.statusCode).toBe(200)
+
+    const jwtToken = await signJWT({ owner, url: urlToSign, upsert: true }, jwtSecret, 100)
+    const response = await app().inject({
+      method: 'PUT',
+      url: `/object/upload/sign/${urlToSign}?token=${jwtToken}`,
+      payload: createUpload(),
+    })
+    expect(response.statusCode).toBe(200)
+    expect(S3Backend.prototype.uploadObject).toHaveBeenCalled()
+  })
+
+  it('will allow not be able overwriting a file when the generating a signed upload url without x-upsert header', async () => {
+    function createUpload() {
+      const form = new FormData()
+      form.append('file', fs.createReadStream(`./src/test/assets/sadcat.jpg`))
+      return form
+    }
+
+    const BUCKET_ID = 'bucket2'
+    const OBJECT_NAME = 'signed/sadcat-upload-signed-3.png'
+    const urlToSign = `${BUCKET_ID}/${OBJECT_NAME}`
+    const owner = '317eadce-631a-4429-a0bb-f19a7a517b4a'
+
+    // Upload a file first
+    const resp = await app().inject({
+      method: 'POST',
+      url: `/object/${urlToSign}`,
+      payload: createUpload(),
+      headers: {
+        authorization: serviceKey,
+      },
+    })
+
+    expect(resp.statusCode).toBe(200)
+
+    const jwtToken = await signJWT({ owner, url: urlToSign }, jwtSecret, 100)
+    const response = await app().inject({
+      method: 'PUT',
+      url: `/object/upload/sign/${urlToSign}?token=${jwtToken}`,
+      payload: createUpload(),
+    })
+    expect(response.statusCode).toBe(400)
+  })
 })
 
 /**