Content Type not enforced in s3 pre-signed POST

Question

I'm currently using the AWS javascript SDK to create pre-signed POST's. (note that this question is NOT about pre-signed PUTs/URLs, another s3 feature)

https://github.com/aws/aws-sdk-js/

When trying to create a pre-signed post I do something like the following:

const params = {
  Bucket: 'myuniques3bucket',
  Fields: {
    Key: 'key1.png',
    'Content-Type': 'image/png'
  },
  conditions: [
    {bucket: 'myuniques3bucket'},
    {key: 'key1.png'},
    {'Content-Type': 'image/png'},
    ['content-length-range', 1024, 1048576], // 1KB to 10MB
    {'x-amz-date': amzDate},
    {'x-amz-algorithm': 'AWS4-HMAC-SHA256'},
    {'x-amz-credential': `${process.env.AWS_ACCESS_KEY_ID}/20180820/us-east-2/s3/aws4_request`}
  ],
  Expires: 300  // 300 seconds
}

s3.createPresignedPost(params, (err, data) => {
  console.log(data);
});

And I'm wrapping tests around the upload processes that should not work. I'm finding that the content type is not enforced there as I can upload other file types with other content-type post params.

It's not clear to me whether the JS SDK manages the signing process for the user or if I need to do something special to get these various keys in the signature.

It's clear that I CAN do some of this, it's not clear if I NEED to. Not sure if the library is supposed to be handling that for me.

TLDR; What do I need to do to activate content-type validation with s3 pre-signed POST's using the js sdk?

Any help would be greatly appreciated.

Answer 1

The policy document is only specifying what the form fields must contain in order for S3 to accept the signed request as valid -- in this case, that the form must claim that the content-type is image/png so that S3 will store the object with Content-Type: image/png. This mechanism doesn't actually validate the content-type of the object itself. S3 doesn't have a way of doing that, nor does the JS SDK.

You could do it in JS in the browser or you could do it after the upload, using an S3 event to notify a background process that the uploaded content needs to be validated. Post-processing images is probably a good practice, anyway, because you often want to strip out any inappropriate metadata, such as data included in some images identifying the location where the photo was taken.