supabase · fenos · Apr 24, 2024 · Apr 23, 2024
diff --git a/src/auth/jwt.ts b/src/auth/jwt.ts
@@ -11,7 +11,7 @@
 const JWT_ECC_ALGOS: jwt.Algorithm[] = ['ES256', 'ES384', 'ES512']
 const JWT_ED_ALGOS: jwt.Algorithm[] = ['EdDSA'] as unknown as jwt.Algorithm[] // types for EdDSA not yet updated

 interface jwtInterface {
  sub?: string
  role?: string
 }
@@ -24,6 +24,7 @@
 
 export type SignedUploadToken = {
   owner: string | undefined
+  upsert: boolean
   url: string
   exp: number
 }
@@ -47,7 +48,7 @@

    // find the first key without a kid or with the matching kid and the "oct" type
    const jwk = jwks.keys.find(
      (key) => (!key.kid || key.kid === header.kid) && key.kty === 'oct' && (key as any).k
    )

    if (!jwk) {
@@ -55,7 +56,7 @@
      return secret
    }

    return Buffer.from((jwk as any).k, 'base64')
  }

  // jwt is using an asymmetric algorithm
@@ -88,11 +89,11 @@
  jwks: { keys: { kid?: string; kty: string }[] } | null
 ): jwt.GetPublicKeyOrSecret {
  return (header: jwt.JwtHeader, callback: jwt.SigningKeyCallback) => {
    let result: any = null

    try {
      result = findJWKFromHeader(header, secret, jwks)
    } catch (e: any) {
      callback(e)
      return
    }
@@ -108,9 +109,9 @@
    const hasRSA = jwks.keys.find((key) => key.kty === 'RSA')
    const hasECC = jwks.keys.find((key) => key.kty === 'EC')
    const hasED = jwks.keys.find(
      (key) => key.kty === 'OKP' && ((key as any).crv === 'Ed25519' || (key as any).crv === 'Ed448')
    )
    const hasHS = jwks.keys.find((key) => key.kty === 'oct' && (key as any).k)

    algorithms = [
      jwtAlgorithm as jwt.Algorithm,

diff --git a/src/http/routes/object/getSignedUploadURL.ts b/src/http/routes/object/getSignedUploadURL.ts
@@ -15,6 +15,15 @@ const getSignedUploadURLParamsSchema = {
   required: ['bucketName', '*'],
 } as const
 
+const getSignedUploadURLHeadersSchema = {
+  type: 'object',
+  properties: {
+    'x-upsert': { type: 'string' },
+    authorization: { type: 'string' },
+  },
+  required: ['authorization'],
+} as const
+
 const successResponseSchema = {
   type: 'object',
   properties: {
@@ -29,6 +38,7 @@ const successResponseSchema = {
 }
 interface getSignedURLRequestInterface extends AuthenticatedRequest {
   Params: FromSchema<typeof getSignedUploadURLParamsSchema>
+  Headers: FromSchema<typeof getSignedUploadURLHeadersSchema>
 }
 
 export default async function routes(fastify: FastifyInstance) {
@@ -54,7 +64,9 @@ export default async function routes(fastify: FastifyInstance) {
 
       const signedUploadURL = await request.storage
         .from(bucketName)
-        .signUploadObjectUrl(objectName, urlPath as string, uploadSignedUrlExpirationTime, owner)
+        .signUploadObjectUrl(objectName, urlPath as string, uploadSignedUrlExpirationTime, owner, {
+          upsert: request.headers['x-upsert'] === 'true',
+        })
 
       return response.status(200).send({ url: signedUploadURL })
     }

diff --git a/src/http/routes/object/uploadSignedObject.ts b/src/http/routes/object/uploadSignedObject.ts
@@ -99,6 +99,7 @@ export default async function routes(fastify: FastifyInstance) {
         .uploadNewObject(request, {
           owner,
           objectName,
+          isUpsert: payload.upsert,
         })
 
       return response.status(objectMetadata?.httpStatusCode ?? 200).send({

diff --git a/src/storage/object.ts b/src/storage/object.ts
@@ -572,8 +572,15 @@ export class ObjectStorage {
    * @param url
    * @param expiresIn seconds
    * @param owner
+   * @param options
    */
-  async signUploadObjectUrl(objectName: string, url: string, expiresIn: number, owner?: string) {
+  async signUploadObjectUrl(
+    objectName: string,
+    url: string,
+    expiresIn: number,
+    owner?: string,
+    options?: { upsert?: boolean }
+  ) {
     // check as super user if the object already exists
     const found = await this.asSuperUser().findObject(objectName, 'id', {
       dontErrorOnEmpty: true,
@@ -584,19 +591,21 @@ export class ObjectStorage {
     }
 
     // check if user has INSERT permissions
-    await this.db.testPermission((db) => {
-      return db.createObject({
-        bucket_id: this.bucketId,
-        name: objectName,
-        owner,
-        metadata: {},
-      })
+    await this.uploader.canUpload({
+      bucketId: this.bucketId,
+      objectName,
+      owner,
+      isUpsert: options?.upsert ?? false,
     })
 
     const urlParts = url.split('/')
     const urlToSign = decodeURI(urlParts.splice(4).join('/'))
     const { secret: jwtSecret } = await getJwtSecret(this.db.tenantId)
-    const token = await signJWT({ owner, url: urlToSign }, jwtSecret, expiresIn)
+    const token = await signJWT(
+      { owner, url: urlToSign, upsert: Boolean(options?.upsert) },
+      jwtSecret,
+      expiresIn
+    )
 
     return `/object/upload/sign/${urlToSign}?token=${token}`
   }

diff --git a/src/test/object.test.ts b/src/test/object.test.ts
@@ -1544,6 +1544,73 @@ describe('testing uploading with generated signed upload URL', () => {
     expect(response.statusCode).toBe(400)
     expect(S3Backend.prototype.uploadObject).not.toHaveBeenCalled()
   })
+
+  it('will allow overwriting a file when the generating a signed upload url with x-upsert:true', async () => {
+    function createUpload() {
+      const form = new FormData()
+      form.append('file', fs.createReadStream(`./src/test/assets/sadcat.jpg`))
+      return form
+    }
+
+    const BUCKET_ID = 'bucket2'
+    const OBJECT_NAME = 'signed/sadcat-upload-signed-2.png'
+    const urlToSign = `${BUCKET_ID}/${OBJECT_NAME}`
+    const owner = '317eadce-631a-4429-a0bb-f19a7a517b4a'
+
+    // Upload a file first
+    const resp = await app().inject({
+      method: 'POST',
+      url: `/object/${urlToSign}`,
+      payload: createUpload(),
+      headers: {
+        authorization: serviceKey,
+      },
+    })
+
+    expect(resp.statusCode).toBe(200)
+
+    const jwtToken = await signJWT({ owner, url: urlToSign, upsert: true }, jwtSecret, 100)
+    const response = await app().inject({
+      method: 'PUT',
+      url: `/object/upload/sign/${urlToSign}?token=${jwtToken}`,
+      payload: createUpload(),
+    })
+    expect(response.statusCode).toBe(200)
+    expect(S3Backend.prototype.uploadObject).toHaveBeenCalled()
+  })
+
+  it('will allow not be able overwriting a file when the generating a signed upload url without x-upsert header', async () => {
+    function createUpload() {
+      const form = new FormData()
+      form.append('file', fs.createReadStream(`./src/test/assets/sadcat.jpg`))
+      return form
+    }
+
+    const BUCKET_ID = 'bucket2'
+    const OBJECT_NAME = 'signed/sadcat-upload-signed-3.png'
+    const urlToSign = `${BUCKET_ID}/${OBJECT_NAME}`
+    const owner = '317eadce-631a-4429-a0bb-f19a7a517b4a'
+
+    // Upload a file first
+    const resp = await app().inject({
+      method: 'POST',
+      url: `/object/${urlToSign}`,
+      payload: createUpload(),
+      headers: {
+        authorization: serviceKey,
+      },
+    })
+
+    expect(resp.statusCode).toBe(200)
+
+    const jwtToken = await signJWT({ owner, url: urlToSign }, jwtSecret, 100)
+    const response = await app().inject({
+      method: 'PUT',
+      url: `/object/upload/sign/${urlToSign}?token=${jwtToken}`,
+      payload: createUpload(),
+    })
+    expect(response.statusCode).toBe(400)
+  })
 })
 
 /**
@@ -1864,7 +1931,7 @@ describe('testing list objects', () => {
     })
     expect(response.statusCode).toBe(200)
     const responseJSON = JSON.parse(response.body)
-    expect(responseJSON).toHaveLength(5)
+    expect(responseJSON).toHaveLength(6)
     const names = responseJSON.map((ele: any) => ele.name)
     expect(names).toContain('curlimage.jpg')
     expect(names).toContain('private')