Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

S3 Presigned URL Multiple Content Disposition Headers

I have an S3 bucket having PDF files as objects and all of them are private. I create an S3 Presigned URL programmatically to get the object. It works fine. Now, I want it to be previewable as a PDF. Every object already has a Content-Type header set to application/pdf. Now, if I set the response-content-disposition header as a query parameter, it gets set but doesn't override the already existing Content-disposition header, instead, it creates a new one. If I set the Content-Disposition header in the metadata of the S3 object instead of adding it in the S3 Presigned URL as a query parameter, it still shows 2 headers. Is this some kind of bug on the AWS S3 side?

Below is the screenshot of the Response Header for reference.

Con

Any help will be much appreciated. Thanks.

like image 638
Abdullah Khawer Avatar asked Jan 10 '20 15:01

Abdullah Khawer


People also ask

Does S3 bucket need to be public for Presigned URL?

All objects and buckets are private by default. However, you can use a presigned URL to optionally share objects or allow your customers/users to upload objects to buckets without AWS security credentials or permissions.

How does S3 Presigned URL work?

Pre-signed URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an AWS Access Key, expiration time, and Sigv4 signature as query parameters to the S3 object. There are two common use cases when you may want to use them: Simple, occasional sharing of private files.

How long is S3 Presigned URL valid for?

In the Amazon S3 console, the maximum expiration time for a presigned URL is 12 hours from the time of creation.

How secure is pre-signed URL in S3?

There is an access check on the S3 side but that only checks whether the signer entity is allowed to get the file. You can remove that permission but that invalidates all signed URLs. Signed URLs provide secure a way to distribute private content without streaming them through the backend.


1 Answers

I have solved this issue using the latest API available for this thing from AWS SDK for NodeJS using the following code:

const aws = require('aws-sdk');

const AWS_SIGNATURE_VERSION = 'v4';

const s3 = new aws.S3({
  accessKeyId: <aws-access-key>,
  secretAccessKey: <aws-secret-access-key>,
  region: <aws-region>,
  signatureVersion: AWS_SIGNATURE_VERSION
});

/**
 * Return a signed document URL given a Document instance
 * @param  {object} document Document
 * @return {string}          Pre-signed URL to document in S3 bucket
 */
const getS3SignedDocumentURL = (docName) => {
  const url = s3.getSignedUrl('getObject', {
    Bucket: <aws-s3-bucket-name>,
    Key: <aws-s3-object-key>,
    Expires: <url-expiry-time-in-seconds>,
    ResponseContentDisposition: `attachment; filename="${docName}"`
  });

  return url;
};

/**
 * Return a signed document URL previewable given a Document instance
 * @param  {object} document Document
 * @return {string}          Pre-signed URL to previewable document in S3 bucket
 */
const getS3SignedDocumentURLPreviewable = (docName) => {
  const url = s3.getSignedUrl('getObject', {
    Bucket: <aws-s3-bucket-name>,
    Key: <aws-s3-object-key>,
    Expires: <url-expiry-time-in-seconds>,
    ResponseContentDisposition: `inline; filename="${docName}"`
  });

  return url;
};

module.exports = {
  getS3SignedDocumentURL,
  getS3SignedDocumentURLPreviewable
};

Note: Don't forget to replace the placeholders (<...>) with actual values to make it work.

like image 59
Abdullah Khawer Avatar answered Sep 20 '22 11:09

Abdullah Khawer