Add: tus-endpoint now only needs upload-token and moved to Metadata #14
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using web-frontends around this API, two problems had to be
solved when uploading to tus:
tus needed the api-token, but the web-frontend normally doesn't
show this (as it is between the web-frontend server and the API;
the client has nothing to do with this). So switching to upload-token
only solves this problem. This is also security-wise safe, as the
upload-token is a secret generated on-demand. And it only lives for
roughly 15 minutes.
CORS is implemented, correctly, rather strict in tusd. This means
that we cannot use additional headers outside the ones in the CORS
header. This means that the upload-token has to move from headers
to Metadata. This also means that we have to trust the information
on disk about the upload. This too is security-wise safe, as this
file-uuid is a secret generated on-demand.
This commit combines these two findings and solves them both.