fix(storage): sign only ACL in presigned URLs, rename fields to requiredHeaders

[abhay-ramesh]

Summary

Follows up on #164 with a more precise implementation of the presigned URL header signing.

The problem with #164's approach: It signed Content-Type and all x-amz-meta-* headers alongside x-amz-acl. When headers are in SignedHeaders, the browser XHR must send them — which means the S3 bucket CORS config must allow them. Most existing deployments only allow Content-Type, so adding x-amz-meta-* to signed headers would break uploads silently on upgrade.

The key insight: With signQuery: true (AWS SigV4 query-string signing), only headers listed in X-Amz-SignedHeaders are verified. Additional headers sent by the client (Content-Type, x-amz-meta-*) pass through and are stored by S3 without signature verification. So only x-amz-acl needs to be signed — it's the only header AWS won't apply unless it's in SignedHeaders.

Changes

• Sign only x-amz-acl — Content-Type and metadata go into requiredHeaders but are not signed. Client sends all of them; AWS verifies only ACL.
• Rename fields → requiredHeaders — fields is S3 POST (multipart form) terminology. For presigned PUT uploads the correct name is requiredHeaders.
• Add S3AclValue union type — replaces acl?: string on BaseProviderConfig and UploadConfig.defaults. Typos like "public_read" are now caught at compile time.
• Fix and expand tests — verify metadata is in requiredHeaders but absent from the signed request, add MinIO coverage, correct assertions to match actual provider defaults.

CORS impact for users

Scenario	Before this PR	After this PR
No ACL configured	No change needed	No change needed
acl: 'public-read' on AWS S3	Add x-amz-acl to AllowedHeaders	Add x-amz-acl to AllowedHeaders
Cloudflare R2	No change needed	No change needed
MinIO	No change needed	No change needed

Users with middleware metadata no longer need to add x-amz-meta-* to their bucket CORS config.

Test plan

• All 8 presigned URL signing tests pass
• Manual upload test with acl: 'public-read' on AWS S3 (verify file is publicly accessible)
• Manual upload test with Cloudflare R2 (verify no CORS errors, no x-amz-acl header sent)
• Verify acl?: S3AclValue autocomplete works in IDE

Summary by CodeRabbit

• Bug Fixes

  • Presigned upload responses now return requiredHeaders for PUT uploads; client upload flow uses those headers.
  • Headers are split into signed vs unsigned: only ACL is signed; metadata headers are excluded from the signed payload. ACL values are validated and ignored for Cloudflare R2 and MinIO.

• Tests

  • Updated tests to validate the requiredHeaders shape and provider-specific ACL behavior.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pushduck	Ready	Preview, Comment	Apr 7, 2026 8:03pm

[coderabbitai]

Warning

Rate limit exceeded

@abhay-ramesh has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 16 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 23 minutes and 16 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 072340c8-10dd-4936-9812-8147a0532be8

📥 Commits

Reviewing files that changed from the base of the PR and between 50f1302 and c4d932b.

📒 Files selected for processing (1)

• packages/pushduck/src/core/router/router-v2.ts

📝 Walkthrough

Walkthrough

Presigned upload contract changed from POST fields to PUT requiredHeaders; header signing now only signs x-amz-acl while Content-Type and x-amz-meta-* remain unsigned/returned. ACL typing (S3AclValue) added and R2/MinIO explicitly omit ACL in required/signed headers.

Changes

Cohort / File(s)	Summary
Type Definitions packages/pushduck/src/core/providers/providers.ts, packages/pushduck/src/core/config/upload-config.ts	Added exported S3AclValue union and changed BaseProviderConfig.acl and UploadConfig.defaults.acl types from string to S3AclValue. Docs note ACL is ignored for Cloudflare R2 and MinIO.
Storage Client Logic packages/pushduck/src/core/storage/client.ts	Replaced fields with requiredHeaders in PresignedUrlResult. Added preparePresignHeaders() to split headers into signed (only x-amz-acl) and unsigned (e.g., Content-Type, x-amz-meta-*); only signed is passed to awsClient.sign(). Updated debug logs and ACL handling.
Router & API Contract packages/pushduck/src/core/router/router-v2.ts	PresignedUrlResponse now exposes requiredHeaders?: Record<string,string> instead of fields; router maps presign results into requiredHeaders.
Client Integration / Hook packages/pushduck/src/hooks/use-upload-route.ts	uploadToS3() now accepts requiredHeaders?: Record<string,string> and sets headers via xhr.setRequestHeader; upload flow updated to use result.requiredHeaders.
Tests packages/pushduck/src/__tests__/presigned-url-signing.test.ts	Tests updated to assert requiredHeaders behavior and that sign() is called only with x-amz-acl. New/updated provider tests assert Cloudflare R2 and MinIO omit ACL from required and signed headers.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Router
    participant StorageClient as Storage Client
    participant AwsClient as AWS Client

    Client->>Router: generatePresignedUrls(config)
    Router->>StorageClient: generatePresignedUploadUrl(options)
    StorageClient->>StorageClient: preparePresignHeaders()\nsigned: { x-amz-acl }\nunsigned: { Content-Type, x-amz-meta-* }
    StorageClient->>AwsClient: sign(signed)
    AwsClient-->>StorageClient: signed signature / signed headers
    StorageClient-->>Router: PresignedUrlResult { url, requiredHeaders }
    Router-->>Client: PresignedUrlResponse { url, requiredHeaders }
    Client->>Client: uploadToS3(url, requiredHeaders)\nset headers via xhr.setRequestHeader()\nPUT file with requiredHeaders

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

• PR #164: Modifies presign flow and header signing behavior; touches same storage/client, router, and hook codepaths.
• PR #157: Changes generatePresignedUploadUrl() in storage/client.ts; overlaps URL/presign generation logic.
• PR #147: Alters presigned-upload metadata/key construction and intersects with header/metadata handling here.

Poem

🐰 I split the headers, hopped two by two,
Signed the ACL, left the rest for you.
PUT takes the stage where POST once played,
Types snug the ACL, R2 skips the braid,
Tests did a jig — hop, merge, hooray! 🎉

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description provides a clear summary with problem statement, key insight, comprehensive changes list, CORS impact table, and test plan. However, it does not follow the provided template structure with required sections.	While substantive and informative, the description deviates significantly from the template's structure. Consider adding explicit sections for Type of Change, Testing checkboxes, and other template sections to ensure consistency with repository standards.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the two main changes: signing only ACL headers and renaming fields to requiredHeaders, matching the core modifications across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/acl-presigned-headers

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/pushduck/src/core/router/router-v2.ts (1)

937-943: ⚠️ Potential issue | 🟠 Major

Keep a deprecated fields alias for one rollout window.

This renames the presign wire contract outright. During a server-first rollout, older browser bundles that still read fields will stop sending ACL/metadata headers. Returning both keys here avoids breaking cached clients while requiredHeaders rolls out.

🔁 Compatibility shim

         results.push({
           success: true,
           file,
           presignedUrl: presignedResult.url,
           key: presignedResult.key,
+          fields: presignedResult.requiredHeaders, // deprecated; remove in the next major
           requiredHeaders: presignedResult.requiredHeaders,
           metadata: fileMetadata,
         });

 export interface PresignedUrlResponse {
   success: boolean;
   file: S3FileMetadata;
   presignedUrl?: string;
   key?: string;
+  /** `@deprecated` Use `requiredHeaders`. */
+  fields?: Record<string, string>;
   /** Headers the client must send with the PUT request. See {`@link` PresignedUrlResult.requiredHeaders}. */
   requiredHeaders?: Record<string, string>;
   metadata?: any;
   error?: string;
 }

Also applies to: 1045-1051

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/pushduck/src/core/router/router-v2.ts` around lines 937 - 943,
Update the presign response object to include the deprecated "fields" alias
alongside the new "requiredHeaders" so old browser bundles keep working: when
building the object in the results.push call (the block that uses
presignedResult.url, presignedResult.key, presignedResult.requiredHeaders,
metadata/fileMetadata), add a fields property that points to the same data
(e.g., fields: presignedResult.requiredHeaders). Make the same change at the
other identical response construction (the second results.push around the
1045–1051 region) so both returning shapes include requiredHeaders and the
deprecated fields alias.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/pushduck/src/core/providers/providers.ts`:
- Around line 80-87: The S3AclValue union in providers.ts is missing the valid
canned ACL "aws-exec-read"; update the S3AclValue type (the union declaration
named S3AclValue) to include the string literal "aws-exec-read" alongside the
other ACL values so the type covers this Amazon S3 canned ACL.

In `@packages/pushduck/src/core/storage/client.ts`:
- Around line 751-760: The code still requires browser CORS for x-amz-meta-*
because use-upload-route.ts populates requiredHeaders with metadata and the
client sends them; update the flow so presigned PUT headers (the function around
preparePresignedPutHeaders / the presigned PUT generation in client.ts) do NOT
include x-amz-meta-* in requiredHeaders sent to the browser. Instead return
metadata as a separate JSON field (or persist it server-side) and apply it
server-side after upload (e.g., copy/replace object metadata or use S3 tagging)
so the browser no longer needs to send x-amz-meta-* request headers; also remove
x-amz-meta-* from requiredHeaders population in use-upload-route.ts (the code
around requiredHeaders assignment at lines ~233-236).

In `@packages/pushduck/src/hooks/use-upload-route.ts`:
- Around line 233-240: The fallback for older servers only sets Content-Type and
ignores presign `fields`, causing missing headers like `x-amz-acl` or
`x-amz-meta-*`; update the upload logic in use-upload-route (the block that
currently checks `requiredHeaders` and calls `xhr.setRequestHeader`) to also
read and apply `result.fields` when `requiredHeaders` is absent (or merge both
when present), i.e., iterate over `result.fields` and call
`xhr.setRequestHeader` for each key/value (in addition to `Content-Type`), and
ensure the code path that forwards `result.requiredHeaders` (around where
`requiredHeaders` is assigned/used) preserves both shapes so older presign
responses' metadata is included.

---

Outside diff comments:
In `@packages/pushduck/src/core/router/router-v2.ts`:
- Around line 937-943: Update the presign response object to include the
deprecated "fields" alias alongside the new "requiredHeaders" so old browser
bundles keep working: when building the object in the results.push call (the
block that uses presignedResult.url, presignedResult.key,
presignedResult.requiredHeaders, metadata/fileMetadata), add a fields property
that points to the same data (e.g., fields: presignedResult.requiredHeaders).
Make the same change at the other identical response construction (the second
results.push around the 1045–1051 region) so both returning shapes include
requiredHeaders and the deprecated fields alias.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e211a878-1033-4294-bc65-ada0c5f00a4c

📥 Commits

Reviewing files that changed from the base of the PR and between 607af32 and 032ba6b.

📒 Files selected for processing (6)

• packages/pushduck/src/__tests__/presigned-url-signing.test.ts
• packages/pushduck/src/core/config/upload-config.ts
• packages/pushduck/src/core/providers/providers.ts
• packages/pushduck/src/core/router/router-v2.ts
• packages/pushduck/src/core/storage/client.ts
• packages/pushduck/src/hooks/use-upload-route.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Does Amazon S3 support the canned ACL value aws-exec-read, and what are the full set of canned ACL values?

💡 Result:

Yes, Amazon S3 supports the canned ACL value aws-exec-read for both buckets and objects. It grants FULL_CONTROL to the owner and READ access to Amazon EC2 for retrieving Amazon Machine Image (AMI) bundles. The full set of supported canned ACL values, applicable to buckets and/or objects as noted, are: - private: Owner gets FULL_CONTROL. No one else has access (default for both buckets and objects). - public-read: Owner gets FULL_CONTROL. AllUsers group gets READ (both). - public-read-write: Owner gets FULL_CONTROL. AllUsers group gets READ and WRITE (both; not recommended for buckets). - aws-exec-read: Owner gets FULL_CONTROL. Amazon EC2 gets READ (both). - authenticated-read: Owner gets FULL_CONTROL. AuthenticatedUsers group gets READ (both). - bucket-owner-read: Object owner gets FULL_CONTROL. Bucket owner gets READ (objects only; ignored for buckets). - bucket-owner-full-control: Object owner and bucket owner both get FULL_CONTROL (objects only; ignored for buckets). - log-delivery-write: LogDelivery group gets WRITE and READ_ACP (buckets only).

Citations:

• 1: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
• 2: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/model/CannedAccessControlList.html
• 3: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html
• 4: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object-acl.html

---

Add the missing aws-exec-read canned ACL.

The S3AclValue union omits aws-exec-read, a valid Amazon S3 canned ACL that grants FULL_CONTROL to the owner and READ access to Amazon EC2 for AMI bundle retrieval.

➕ Complete the ACL union

 export type S3AclValue =
   | "private"
   | "public-read"
   | "public-read-write"
+  | "aws-exec-read"
   | "authenticated-read"
   | "bucket-owner-read"
   | "bucket-owner-full-control"
   | "log-delivery-write";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/pushduck/src/core/providers/providers.ts` around lines 80 - 87, The
S3AclValue union in providers.ts is missing the valid canned ACL
"aws-exec-read"; update the S3AclValue type (the union declaration named
S3AclValue) to include the string literal "aws-exec-read" alongside the other
ACL values so the type covers this Amazon S3 canned ACL.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

The old-server fallback never reads fields.

Line 683 only forwards result.requiredHeaders, so when a newer client hits an older server the fallback at Lines 233-240 sends just Content-Type. Any old presign response that put x-amz-acl or x-amz-meta-* in fields will fail signature validation or lose metadata.

🪛 Read both response shapes during the transition

             const blob = earlyBlob ?? await toBlob(file);
+            const uploadHeaders = result.requiredHeaders ?? result.fields;

             await uploadToS3(
               blob,
               fileMeta.type,
               result.presignedUrl,
-              result.requiredHeaders,
+              uploadHeaders,
               (progress, uploadSpeed, eta) =>
                 updateFileProgress(fileState.id, progress, uploadSpeed, eta)
             );

Also applies to: 679-683

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/pushduck/src/hooks/use-upload-route.ts` around lines 233 - 240, The
fallback for older servers only sets Content-Type and ignores presign `fields`,
causing missing headers like `x-amz-acl` or `x-amz-meta-*`; update the upload
logic in use-upload-route (the block that currently checks `requiredHeaders` and
calls `xhr.setRequestHeader`) to also read and apply `result.fields` when
`requiredHeaders` is absent (or merge both when present), i.e., iterate over
`result.fields` and call `xhr.setRequestHeader` for each key/value (in addition
to `Content-Type`), and ensure the code path that forwards
`result.requiredHeaders` (around where `requiredHeaders` is assigned/used)
preserves both shapes so older presign responses' metadata is included.

[coderabbitai]

♻️ Duplicate comments (1)

packages/pushduck/src/core/storage/client.ts (1)

598-614: ⚠️ Potential issue | 🟠 Major

metadata became a silent no-op for presigned PUTs.

preparePresignHeaders() now drops every x-amz-meta-* header, but generatePresignedUploadUrl() still accepts options.metadata and returns no other path to persist it. router-v2.ts still passes s3Metadata into this API, so uploads can succeed while the object loses metadata. Please either add the server-side completion/persistence step now, or fail fast when options.metadata is present; the requiredHeaders docs in this file should be updated in the same change.

Safer short-term fix

 function preparePresignHeaders(
   uploadConfig: UploadConfig,
   options: {
     contentType?: string;
     metadata?: Record<string, string>;
   }
 ): { signed: Record<string, string>; unsigned: Record<string, string> } {
   const { provider, acl: providerAcl } = uploadConfig.provider;
   const signed: Record<string, string> = {};
   const unsigned: Record<string, string> = {};
+
+  if (options.metadata && Object.keys(options.metadata).length > 0) {
+    throw new Error(
+      "Presigned PUT uploads do not currently support object metadata without a server-side completion step."
+    );
+  }

Also applies to: 781-790, 828-849

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/pushduck/src/core/storage/client.ts` around lines 598 - 614, The
presigned PUT flow drops x-amz-meta-* headers in preparePresignHeaders causing
options.metadata passed to generatePresignedUploadUrl (and from router-v2.ts's
s3Metadata) to be silently ignored; update the flow to either persist metadata
server-side during the upload completion step or reject/fail fast when
options.metadata is provided. Specifically: in preparePresignHeaders ensure
x-amz-meta-* headers are preserved or propagated into the returned
requiredHeaders, or modify generatePresignedUploadUrl to validate
options.metadata and throw an error if metadata is present (and document this
behavior); also update the requiredHeaders JSDoc to correctly describe handling
of x-amz-meta-* and reflect the chosen behavior. Ensure references to
preparePresignHeaders, generatePresignedUploadUrl, options.metadata, and
router-v2.ts's s3Metadata are addressed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@packages/pushduck/src/core/storage/client.ts`:
- Around line 598-614: The presigned PUT flow drops x-amz-meta-* headers in
preparePresignHeaders causing options.metadata passed to
generatePresignedUploadUrl (and from router-v2.ts's s3Metadata) to be silently
ignored; update the flow to either persist metadata server-side during the
upload completion step or reject/fail fast when options.metadata is provided.
Specifically: in preparePresignHeaders ensure x-amz-meta-* headers are preserved
or propagated into the returned requiredHeaders, or modify
generatePresignedUploadUrl to validate options.metadata and throw an error if
metadata is present (and document this behavior); also update the
requiredHeaders JSDoc to correctly describe handling of x-amz-meta-* and reflect
the chosen behavior. Ensure references to preparePresignHeaders,
generatePresignedUploadUrl, options.metadata, and router-v2.ts's s3Metadata are
addressed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4aebea5c-7350-4336-9e1f-beaf4b23637d

📥 Commits

Reviewing files that changed from the base of the PR and between 032ba6b and df3cb32.

📒 Files selected for processing (2)

• packages/pushduck/src/__tests__/presigned-url-signing.test.ts
• packages/pushduck/src/core/storage/client.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/pushduck/src/tests/presigned-url-signing.test.ts