pingdotgg/uploadthing

[misc]: Can still request file urls for deleted files

LavaToaster opened this issue · 3 comments

I understand that this issue may be closed if it should be filed in another category

  • I understand

My issue

Hello,

It seems that when files are deleted, you can still request their URLs and the server will respond.

Reproduction:

curl -X POST 'https://uploadthing.com/api/getFileUrl' \
-H 'content-type: application/json' \
-H 'x-uploadthing-api-key: <KEY>' \
-H 'x-uploadthing-version: 6.13.2' \
-H 'x-uploadthing-be-adapter: server-sdk' \
-d '{"customIds":["5ebebd60-9f8b-42c1-8f3b-8a246300ad45"]}'

The above should work for AppId lf37ku1yq5

Good catch. The returned URLs won't work, but you're right, they probably shouldn't be returned at all.

@markflorkowski Thanks for the quick fix.

Potentially related, are customIds reusable after being deleted? The script I'm debugging was using this as a way of checking for file existence, so now that this works I'm seeing 500 errors uploading to uploadthing. Once I changed the custom ids it was no longer erroring out.

Ah, I think this is related. We do not enforce uniqueness on customIds, and you are probably running into a conflict when reusing a key. Deleted file records are eventually cleaned up, but it is only done after files have been deleted for >1 week.

I'll have to think about how we can better support reuse of custom ids. cc @juliusmarminge