'Signed URL result with random AuthenticationRequired

I have a CDN in gcloud configured with a storage bucket backend, the bucket is private and I give the ObjectViewer permission to the CDN service account (serviceAccount:[email protected])

I have an API to request files from a CDN :

  • This API check if the user is allowed to download the requested file
  • Compute a signed URL for this file using the CDN URL
  • Redirect the user with the computed signed url

Most of the time, the client succeed to download file and receive 200, but I have randomly errors when my client (mobile app) was redirected to the signed URL : 

<?xml version='1.0' encoding='UTF-8'?><Error><Code>AuthenticationRequired</Code><Message>Authentication required.</Message></Error>

Generate a new signed URL didn't fix this issue : the error was sent during X minutes/seconds.

My API reply with 301 and didn't trigger authorization errors. This error was sent by the CND HTTP load balancer with a status code 401.

Here is my function to generate signed URL : 

func signURL(url string) (string, errors.Mwm) {
    expirationTime := time.Now().UTC().Add(internal.DefaultSignedURLValidTime).Unix()
    cdnKeyValue, err := internal.GetCDNSignKeyValue()
    if err != nil {
        return "", err
    }

    sep := "?"
    if strings.Contains(url, "?") {
        sep = "&"
    }
    url += sep
    url += fmt.Sprintf("Expires=%d", expirationTime)
    url += fmt.Sprintf("&KeyName=%s", internal.CdnSignKeyName)

    mac := hmac.New(sha1.New, cdnKeyValue)
    mac.Write([]byte(url))
    sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
    url += fmt.Sprintf("&Signature=%s", sig)
    return url, nil
}
gogoogle-cloud-platformcdnpre-signed-urlgoogle-cloud-cdn


Solution 1:[1]

Solved :

My API take an Authorization header to auth the user and check if he's allowed to download the file. But an HTTP redirection keep the headers.

If the CDN doesn't have the requested file in cache, the user was redirected to GCS and a 401 is sent for an authorization conflict method due to the Signature query param and the Authorization header :

This error indicates a problem with the authorization provided in the request to Cloud Storage. The following are some situations where that will occur :

  • Multiple non-matching authorizations were provided; choose one mode only

This doc helps me

I just change my Authorization with an other, and it solved the authorizations conflict.

Solution 2:[2]

In my case, I had Basic Auth in the frontend webserver. When my actual site accessed files in the bucket which also routed via the Load Balancer as another backend, that header caused issues.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dany Sousa
Solution 2

Related Questions

How do I find the size of the array in go

How to cache the compiled regex in Go

Adding metric labels in prometheus on the fly

Golang http request results in EOF errors when making multiple requests successively

Chromedp with Golang has deadline exceeded if element doesnt exist. Is there a way to extend the context timeout after a deadline?

Is a Go goroutine a coroutine?

How to delete an element from a Slice in Golang

Need help on creating a UDF, returning "Unable to create a new Lua state"

chromedp - Go - Show invalid printer settings error (-32000) - When setting WithMarginTop

How to sort map by value and if value equals then by key in Go?

How to correctly set Mock Row and Query for go-sqlmock

Mock functions in Go

How do I reverse an array in Go?

Increase Heap size in GO

Go linter in VS code not working for packages across multiple files?