php - Amazon S3 presigned url - Invalidate manually or one time upload


I am using S3 to accept direct uploads from users to S3. Therefore I am using pre-signed URLs.

After a successful upload, AWS Lambda makes sure the uploaded file is an image, and the client then tells the server that it has finished uploading.

Then the server checks if the file exists in S3 (if Lambda detects an invalid image, it deletes it). If it does, the rest of the application logic follows.

However, there is a loophole in this mechanism. A user can use the same URL to upload a malicious file after telling the server that it has finished uploading (and passing a valid file).

Lambda will still delete the file, but the server will think the file exists whereas it does not.

Is there a way to generate a one-time upload pre-signed URL, or is it possible to forcefully invalidate a URL that was generated but has not yet expired?

Turning this into an answer...

Once the file is uploaded, have Lambda move it (using the Copy Object API), i.e. uploads/123.png to received/123.png or similar.

If a malicious user attempts to re-use the signed URL, it'll go to uploads/123.png. Worst-case, Lambda checks again and rejects the new file. Since the server's looking in received/ instead of uploads/ for files to process, we've rendered things safe.
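The move described in the answer, sketched as an added example (not code from the original post), assuming a Python Lambda with boto3 triggered by object-created events on the `uploads/` prefix. The magic-byte check is a constructed stand-in for real image validation, and the example goes beyond the answer in two labelled ways: it refuses to overwrite an existing `received/` object, and it pins the copy to the ETag of the bytes it validated.

```python
import urllib.parse

UPLOAD_PREFIX = "uploads/"     # where the pre-signed URL writes (untrusted)
RECEIVED_PREFIX = "received/"  # where the server looks (only the Lambda writes here)
# Constructed stand-in for real image validation: magic-byte sniffing only.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def process_upload(s3, bucket, key):
    """Validate uploads/<name>; promote it to received/<name> at most once.

    Returns the received/ key on promotion, None if rejected or a replay.
    """
    if not key.startswith(UPLOAD_PREFIX):
        return None  # ignore events for anything outside uploads/
    dest = RECEIVED_PREFIX + key[len(UPLOAD_PREFIX):]
    obj = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-15")
    head, etag = obj["Body"].read(), obj["ETag"]
    # Replay check (added assumption): a second upload through the same URL
    # must not replace a file the server may already have accepted.
    listing = s3.list_objects_v2(Bucket=bucket, Prefix=dest, MaxKeys=1)
    already = any(o["Key"] == dest for o in listing.get("Contents", []))
    promoted = None
    if head.startswith(IMAGE_MAGIC) and not already:
        # CopySourceIfMatch pins the copy to the bytes just validated; if the
        # object was overwritten meanwhile, S3 rejects the copy and boto3
        # raises, so nothing is promoted.
        s3.copy_object(Bucket=bucket, Key=dest,
                       CopySource={"Bucket": bucket, "Key": key},
                       CopySourceIfMatch=etag)
        promoted = dest
    s3.delete_object(Bucket=bucket, Key=key)  # uploads/ never keeps files
    return promoted


def handler(event, context):
    """Lambda entry point for s3:ObjectCreated:* events on uploads/."""
    import boto3  # imported here so process_upload can be tested offline
    s3 = boto3.client("s3")
    out = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        out.append(process_upload(s3, bucket, key))
    return out
```

The replay check and the copy are separate requests, so two events for the same key processed concurrently can still race; the server should treat `received/` as the only source of truth and record the object it accepted.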

