fix: accept forwarded header on signature, increase migrations timeou…

…t, disable host validation on queue (#449)
supabase · Apr 13, 2024 · 577784c · 577784c
1 parent 6af2407
commit 577784c
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 1 deletion.
diff --git a/src/config.ts b/src/config.ts
@@ -98,6 +98,7 @@ type StorageConfigType = {
   tusUseFileVersionSeparator: boolean
   defaultMetricsEnabled: boolean
   s3ProtocolPrefix: string
+  s3ProtocolAllowForwardedHeader: boolean
   s3ProtocolEnforceRegion: boolean
   s3ProtocolAccessKeyId?: string
   s3ProtocolAccessKeySecret?: string
@@ -223,6 +224,8 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
 
     // S3 Protocol
     s3ProtocolPrefix: getOptionalConfigFromEnv('S3_PROTOCOL_PREFIX') || '',
+    s3ProtocolAllowForwardedHeader:
+      getOptionalConfigFromEnv('S3_ALLOW_FORWARDED_HEADER') === 'true',
     s3ProtocolEnforceRegion: getOptionalConfigFromEnv('S3_PROTOCOL_ENFORCE_REGION') === 'true',
     s3ProtocolAccessKeyId: getOptionalConfigFromEnv('S3_PROTOCOL_ACCESS_KEY_ID'),
     s3ProtocolAccessKeySecret: getOptionalConfigFromEnv('S3_PROTOCOL_ACCESS_KEY_SECRET'),

diff --git a/src/database/migrations/migrate.ts b/src/database/migrations/migrate.ts
@@ -187,7 +187,7 @@ async function connectAndMigrate(options: {
 
   const dbConfig: ClientConfig = {
     connectionString: databaseUrl,
-    connectionTimeoutMillis: 10_000,
+    connectionTimeoutMillis: 60_000,
     options: `-c search_path=${searchPath}`,
     ssl,
   }

diff --git a/src/queue/events/base-event.ts b/src/queue/events/base-event.ts
@@ -166,6 +166,7 @@ export abstract class BaseEvent<T extends Omit<BasePayload, '$version'>> {
       superUser: adminUser,
       host: payload.tenant.host,
       tenantId: payload.tenant.ref,
+      disableHostCheck: true,
     })
 
     const db = new StorageKnexDB(client, {

diff --git a/src/storage/protocols/s3/signature-v4.ts b/src/storage/protocols/s3/signature-v4.ts
@@ -3,6 +3,7 @@ import { ERRORS } from '../../errors'
 
 interface SignatureV4Options {
   enforceRegion: boolean
+  allowForwardedHeader?: boolean
   credentials: Omit<Credentials, 'shortDate'> & { secretKey: string }
 }
 
@@ -56,10 +57,12 @@ export const ALWAYS_UNSIGNABLE_HEADERS = {
 export class SignatureV4 {
   public readonly serverCredentials: SignatureV4Options['credentials']
   enforceRegion: boolean
+  allowForwardedHeader?: boolean
 
   constructor(options: SignatureV4Options) {
     this.serverCredentials = options.credentials
     this.enforceRegion = options.enforceRegion
+    this.allowForwardedHeader = options.allowForwardedHeader
   }
 
   static parseAuthorizationHeader(header: string) {
@@ -257,6 +260,16 @@ export class SignatureV4 {
         .sort()
         .map((header) => {
           if (header === 'host') {
+            if (this.allowForwardedHeader) {
+              const forwarded = this.getHeader(request, 'forwarded')
+              if (forwarded) {
+                const extractedHost = /host="?([^";]+)/.exec(forwarded)?.[1]
+                if (extractedHost) {
+                  return `host:${extractedHost.toLowerCase()}`
+                }
+              }
+            }
+
             const xForwardedHost = this.getHeader(request, 'x-forwarded-host')
             if (xForwardedHost) {
               return `host:${xForwardedHost.toLowerCase()}`