I (maybe?) found a bug within the R2 access token logic. Last evening I've created a R2 access token

I (maybe?) found a bug within the R2 access token logic. Last evening I've created a R2 access token with 24 hours validity. This morning I was greeted with many 403 Forbidden errors. Looking at the Audit log I've seen that the token was invalidated / has expired at midnight. Maybe this is the expected behavior, but I would expect "Token creation" + 24 hours as the lifetime.

Bildschirmfoto_2023-01-09_um_10.33.43.png

Jjlam Thank you. For now, I'm streaming the videos through Dropbox so at least the sit...

Erisa•1/9/23, 9:44 AM

Hi, I replied to your ticket asking for the affected domains and reproduction URLs - once you get back to us with that on the ticket I can take care of escalating to the right teams

Erisa•1/9/23, 9:45 AM

And you sent it already, awesome. Thanks

kev-acOP•1/9/23, 11:09 AM

@Erisa | Support Engineer I don't have a similar issue today but want to prevent the same thing from happening to us in the future. Do you have any tools to make sure our Buckets will not get flagged for this? We are currently not using R2 for video assets in production but seeing these issues makes me nervous about a switch over.

Erisa•1/9/23, 11:11 AM

I'm not sure what to recommend there tbh, the issue is known and involves the automatic abuse detection systems flagging R2 video traffic which needs to be manually overturned. But I don't know of any ways to proactively prevent it from flagging, except for not serving large amounts of video

Erisa•1/9/23, 11:12 AM

Except for the minor probably unhelpful note that this won't happen if you're on an Enterprise plan

EErisa I'm not sure what to recommend there tbh, the issue is known and involves the au...

kev-acOP•1/9/23, 11:13 AM

Not that it would be a perfect solution, but would this be a "one time" action? So if it gets flagged and overturned manually, will it prevent it from happening again?

Erisa•1/9/23, 11:13 AM

Yes, it shouldn't happen again after it's happened once on a zone and has been reversed

kev-acOP•1/9/23, 11:16 AM

Ok. I think the endpoint does not make a difference? S3 API vs. *.r2.dev vs. Connected Domain?

Erisa•1/9/23, 11:17 AM

S3 API (including presigned URLs) won't be flagged, the issue is when you enable public access

kev-acOP•1/9/23, 11:19 AM

Maybe we can work a way out to use a worker to alter our HLS manifest files to include url signing params, but this would create huge overhead as both media segments an manifest files are in the same path prefix.

kev-acOP•1/9/23, 11:21 AM

Just to confirm, Connected Domain is generally fine for this use case? I'm still worried about this because it adds things like Cache and these are usually under the Non-HTML limits.

kev-acOP•1/9/23, 11:21 AM

Like when data comes from R2 it can be cached on the edge?

Erisa•1/9/23, 11:22 AM

ToS-wise if you're using R2 you're not in a violation of the terms even if you cache it(usual disclaimer applies, I'm not a lawyer). But connecting a domain has been known to flag the automatic detection in some cases even if you use the native Domain Access feature

Erisa•1/9/23, 11:23 AM

I'm not sure if the *.r2.dev*.r2.dev URLs can flag this, I don't think I've seen it before but

I can't guarantee anything and those don't have caching so they may not be ideal for most cases anyway

EErisa ToS-wise if you're using R2 you're not in a violation of the terms even if you c...

kev-acOP•1/9/23, 11:23 AM

Thanks for clarifying. A clear informational page in the docs would be great in the future. Reading the ToS for this kind of use-case is confusing for non-lawyers

Erisa•1/9/23, 11:24 AM

Were we able to in the end, or is the ticket still ongoing?

kev-acOP•1/9/23, 11:24 AM

If they were able to, I'm creating a ticket right away

Erisa•1/9/23, 11:25 AM

It's something I'm not sure about, if a ticket about that landed with me I would ask internally to see if its possible before doing anything

Kkev-ac Thanks for clarifying. A clear informational page in the docs would be great in ...

Erisa•1/9/23, 11:26 AM

I agree, there doesn't seem to be an issue on https://github.com/cloudflare/cloudflare-docs/issues so maybe the first step would be to file one

kev-acOP•1/9/23, 11:27 AM

I have another documentation issue open for R2 for some weeks. Are these actively worked on?

Erisa•1/9/23, 11:28 AM

Not sure sorry, not my team

EErisa Not sure sorry, not my team

kev-acOP•1/9/23, 11:28 AM

No worries

EErisa It's something I'm not sure about, if a ticket about that landed with me I would...

Walshy•1/9/23, 11:35 AM

We have done it in the past

Walshy•1/9/23, 11:35 AM

But I'm not sure it's something we'll often do

Kkev-ac I have another documentation issue open for R2 for some weeks. Are these activel...

Walshy•1/9/23, 11:36 AM

What's the issue link?

Erisa•1/9/23, 11:36 AM

https://github.com/cloudflare/cloudflare-docs/issues/7186

GitHub

Clearly explain allowed use-cases for R2 (Public Access) · Issue #7...

Which Cloudflare product(s) does this pertain to? R2 Subject Matter Allowed use-cases for R2 Content Location https://developers.cloudflare.com/r2/data-access/public-buckets/ Additional information...

Walshy•1/9/23, 11:36 AM

Kate has been OOO so she hasn't gone through these lately

Erisa•1/9/23, 11:36 AM

Oh thats the one made today

EErisa https://github.com/cloudflare/cloudflare-docs/issues/7186

kev-acOP•1/9/23, 11:36 AM

Thats the new one

kev-acOP•1/9/23, 11:36 AM

https://github.com/cloudflare/cloudflare-docs/issues/7091

GitHub

Highlight data consistency model for R2 S3 API · Issue #7091 · clou...

Which Cloudflare product does this pertain to? R2 Existing documentation URL(s) https://developers.cloudflare.com/r2/data-access/s3-api/ Section that requires update Maybe: https://developers.cloud...

kev-acOP•1/9/23, 11:36 AM

This is the "old" one

Walshy•1/9/23, 11:36 AM

Erisa•1/9/23, 11:36 AM

Thanks, I went to get the link for that one but got confused cos theres two now hahah

WWalshy But I'm not sure it's something we'll often do

Erisa•1/9/23, 11:37 AM

Yeah I imagine its the exception rather than the rule, definitely understand why some users would need this though

Erisa•1/9/23, 11:37 AM

do you have an example ticket of it being done in the past?

Walshy•1/9/23, 11:38 AM

Not handy, IIRC it was an ENT customer requesting for a non-ENT domain so I wouldn't be surprised if it was an exception

Erisa•1/9/23, 11:39 AM

Ah ic, yeah that could be a special case indeed

kev-acOP•1/9/23, 11:39 AM

BTW I've tried to create a ticket for this but I seem to not be allowed to do this in my plan.

Bildschirmfoto_2023-01-09_um_12.38.49.png

Erisa•1/9/23, 11:40 AM

Yeah free customers can only create account/billing/registrar tickets

kev-acOP•1/9/23, 11:41 AM

Should I create a account-related ticket in this case or do you think this might be a dead-end for now?

Erisa•1/9/23, 11:41 AM

Free being the zone/website plan of Free/Pro/Business/Enterprise

Kkev-ac Should I create a account-related ticket in this case or do you think this might...

Erisa•1/9/23, 11:41 AM

It may be a deadend if youre on free tbh, not sure we would do this

Erisa•1/9/23, 11:42 AM

We can definitely remove the restriction if it arises for free users though

kev-acOP•1/9/23, 11:44 AM

Our current use-case does not justify a paid zone plan tbh. Paid workers/r2 etc. yes, but not for the zone.

Erisa•1/9/23, 11:45 AM

Thats fair

Erisa•1/9/23, 11:46 AM

A lot of people upgrade to Pro for improved analytics or to get support, but if you dont need those its fair enough to stick to free

Erisa•1/9/23, 11:46 AM

support outside of me being here in my free time anyway notlikemeow

EErisa A lot of people upgrade to Pro for improved analytics or to get support, but if ...

kev-acOP•1/9/23, 11:48 AM

If the plans would be an account-thing I might be able to justify it, but as we use domains to separate some parts of our application we would need to pay x-times.

Erisa•1/9/23, 11:49 AM

Yeah some features like support are applied account-wide

I (maybe?) found a bug within the R2 access token logic. Last evening I've created a R2 access token

Similar Threads

Similar Threads

Similar Threads