Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
getSignedURL() in Google Cloud Function produces link that works for several days, then returns "SignatureDoesNotMatch" error
See original GitHub issueEnvironment details
- OS: Heroku dyno (Ubuntu 16.04)
- Node.js version: 8.6
- npm version: 6.0.0
@google-cloud/storageversion: 1.6.0
Steps to reproduce
Repo of relevant code: https://github.com/colinjstief/getSignedUrl-example
Lots of this code is copied/pasted straight from official example (link here). Code in my repo runs as a Google Cloud Function and produces a link that works for a few days (maybe 7?), and then seems to expire with “SignatureDoesNotMatch” 403 response. Full message reads:
“The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.”
URL seems valid, including this query parameter: ‘…&Expires=16730323200&Signature=…’
Both the initial request and the later request (after apparent expiration) are performed the same ways: either through an axios.get() or simply placing in browser bar. Both work at first, then both fail later.
Same issue seems to be reported here GoogleCloudPlatform/google-cloud-node#1976, here googleapis/nodejs-storage#144, and here https://github.com/firebase/functions-samples/issues/360
Issue Analytics
- State:
- Created 5 years ago
- Reactions:11
- Comments:88 (17 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@frankyn @stephenplusplus This whole thing is messy because what Firebase devs want in these cases are permanent web urls to supply to clients for downloading from GCS. Signed URLs are a very powerful tool but what I think would be beneficial is to expose the simpler “firebase flavour” permanent web URLs (based on metadata tokens) to the Firebase Admin SDK. Because currently the storage SDK for Firebase Admin == GCS SDK, the only option is to use signed URLS which, as we’ve found out, are sensitive to auth accounts [+ have been problematic in the past with auth changes in GCP architecture) and aren’t really permanent in the core by design (yes you can set them to year 2500 but that’s exactly my point). As Firebase uses its built in auth mechanism and storage rules for security and privacy on the client side, providing the firebase download URLs on the server side would be really helpful in achieving what we really want. Hope you’ll consider it.
After some googling, I found that files without read restrictions can be downloaded with the URL pattern:
https://firebasestorage.googleapis.com/v0/b/<bucketName>/o/<urlEncodedFilePath>?alt=mediaAre there any known limitations ? I just wanted to use this for publicly-accessible images*. And I plan to use this with manual versioning (no overwrite or reuse same name).
*publicly-accessible images such as product image on e-commerce website, seller’s display picture, etc.