File Upload - Presigned URL
A Presigned URL lets the client upload directly to object storage (S3, OSS) without the file bytes passing through the app server. The app server authenticates the client, generates a signed URL with its own storage credentials, and hands it back; the client then uses that URL to PUT/GET directly against the storage service, reducing app server bandwidth and compute. This article explains the flow and main points with an example table.
Overview
- Flow: Client asks app server "I want to upload"; app server checks permissions, generates a Presigned URL for object storage (signature, expiry, method, path) using its storage credentials; returns URL to client; client uploads file to object storage via URL; optionally, storage notifies app server on completion.
- Benefits: App server does not handle file stream; saves bandwidth and CPU; storage handles storage and CDN; permission and expiry via signature.
- Security: URL expires (e.g. 15 min); signature binds method, path, expiry; can restrict Content-Type, size via policy.
Example
Example 1: Flow
1. Client → app server: request upload (filename, type, size)
2. App server: check permission → call OSS API to generate Presigned URL
3. App server → client: return Presigned URL
4. Client → OSS: PUT file to Presigned URL
5. (Optional) OSS callback to app server: upload complete, persist record
Example 2: Main points
| Point | Description |
|---|---|
| Expiry | Usually 5–15 min; avoid long-lived leaked URLs |
| Auth | App server checks identity and quota before issuing URL |
| Callback | On complete, OSS calls app server; persist record, trigger follow-up |
| Limits | Policy can restrict Content-Type, size, path prefix |
Example 3: Download
- Presigned URL also works for private download: app server checks permission, generates download URL; client redirects or accesses directly; no need to proxy file through app server.
Core Mechanism / Behavior
- Signature: HMAC over method, path, expiry, and other params, keyed with the storage secret; the URL is only valid for that exact method, path and time window, so changing any of them invalidates it.
- Policy: JSON policy can enforce Content-Type, size, path; signed with secret key.
- Callback: OSS invokes app server webhook on success; verify origin and signature to prevent forgery.
Key Rules
- Expiry should not be too long; client can request a new URL if upload fails.
- Path isolated by user/business (e.g. /user/{id}/uploads/{uuid}); avoid conflict and privilege escalation.
- Callback must verify origin and signature; persist record for audit and tracking.
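The signature binding and path isolation from the two sections above, as an added example that is not part of the original article or of any S3/OSS SDK: a simplified HMAC presign/verify pair (the real services use their own signing schemes such as SigV4) whose `SECRET`, base URL and parameter names are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real deployment uses the storage
# account's secret key (via the SDK) and never sends it to the client.
SECRET = b"example-secret-key-not-real"

def sign(method, path, expires, secret=SECRET):
    # Canonical string binds exactly the fields the article lists:
    # method, path and expiry. Any change to them changes the MAC.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def user_upload_path(user_id, object_id):
    # Server chooses the object key under a per-user prefix; the client's
    # filename never becomes part of the path (see "Path isolated by user").
    return f"/user/{int(user_id)}/uploads/{object_id}"

def presign(method, path, ttl_seconds=900, now=None, base="https://bucket.example"):
    # App-server side: short expiry (15 min default) and a signature the
    # client cannot recompute without SECRET.
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"Expires": expires, "Signature": sign(method, path, expires)})
    return f"{base}{path}?{query}"

def verify(method, url, now=None):
    """Storage-side check of an incoming request: returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["Expires"][0])
        sig = q["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing parameters"
    if now > expires:
        return False, "expired"
    expected = sign(method, parts.path, expires)
    # Constant-time comparison so the check does not leak the valid MAC.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"
```

Replaying the URL after expiry, swapping PUT for GET, or pointing it at another user's prefix all fail verification, which is the property the expiry and path rules above rely on.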
What's Next
See API Gateway for auth. See object storage docs (S3, OSS) for Presigned URL APIs.