[misc]: Can still request file urls for deleted files
LavaToaster opened this issue · 3 comments
I understand that this issue may be closed if it should be filed in another category
- I understand
My issue
Hello,
It seems when files are deleted, you can still request for their URLs and the server will respond.
Reproduction:
curl -X POST 'https://uploadthing.com/api/getFileUrl' \
-H 'content-type: application/json' \
-H 'x-uploadthing-api-key: <KEY>' \
-H 'x-uploadthing-version: 6.13.2' \
-H 'x-uploadthing-be-adapter: server-sdk' \
-d '{"customIds":["5ebebd60-9f8b-42c1-8f3b-8a246300ad45"]}'
The above should work for AppId lf37ku1yq5
Good catch. The returned URLs won't work, but you're right they probably shouldn't be returned at all
@markflorkowski Thanks for the quick fix.
Potentially related, are customIds reusable after being deleted? The script I'm debugging was using this as a way of checking for file existence, so now that this works I'm seeing 500 errors uploading to uploadthing. Once I changed the custom ids it was no longer erroring out.
Ah, I think this is related. We do not enforce uniqueness on customIds, and you are probably running into a conflict when reusing a key. Deleted file records are eventually cleaned up, but it is only done after files have been deleted for >1 week.
I'll have to think about how we can better support reuse of custom ids. cc @juliusmarminge