S3 with TRPC
Can somebody give me a repo or tutorial on how to use S3 with tRPC? (Never used AWS before.)
10 Replies
If you're going to upload files from the client, you can't use tRPC, unless you send them as base64.
Another solution is just to create an API route and make a POST req to it with FormData or something
- make a request to generate a PUT signed URL from S3
- use this URL to put your file on S3 from the client
- send a final request to update the database (in most cases you want to keep track of this file)
Developer Blog | Nicholas Ramkissoon
Integrate S3 Presigned URL Operations Into Your create-t3-app Project
Integrate S3 presigned URLs into your create-t3-app project to allow user file uploads directly to your S3 bucket.
Wouldn't this let any potential malicious client grab the presigned URL and make a PUT req to it?
Also keeping these types of things on the client makes it harder to moderate what type of images are uploaded, unless whatever service you're using actually has some built-in moderation you can use.
Thanks a lot
I guess in the CORS policy on the AWS S3 bucket I should just put my domain and then I shouldn't have any worries?
A step in the right direction at least
Anyway thanks a lot, I'll change those things
You set the expiration to be small enough so that there's just enough time to initiate the upload on the client
Plus other security headers/policies
I have done this in my project librepoll https://github.com/danielmarkow/librepoll/blob/main/src/server/api/routers/formDataRouter.ts by creating a user on AWS with restricted rights. I use this user with the AWS SDK to create the presigned URLs. The bucket itself remains private.
GitHub
librepoll/formDataRouter.ts at main · danielmarkow/librepoll
easy polls for everybody. Contribute to danielmarkow/librepoll development by creating an account on GitHub.
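Added example, not taken from librepoll or the linked blog post: an IAM policy of the kind the reply above describes for the user that signs the URLs. A presigned URL can do no more than the principal that signed it, so with this policy a leaked or replayed URL can only write an object under one prefix of a bucket that otherwise stays private. `EXAMPLE-BUCKET` and the `uploads/` prefix are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutOnlyToPlaceholderUploadPrefix",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/uploads/*"
    }
  ]
}
```

The policy grants no read, list or delete actions, so the signing user's credentials cannot be used to mint URLs for those operations.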
CORS is only client-side protection, any server can just spoof the host header, meaning any malicious actor could still abuse it.