You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[Images] Add backend clarification for signed image URLs (#28258)
* [Images] Add backend clarification for signed image URLs
* Clarification
* [Images] Use wrangler secret for signing key and fix code example bugs
- Replace hardcoded KEY constant with env.IMAGES_SIGNING_KEY binding
- Add note guiding users to store keys via wrangler secret put
- Fix event.request.url bug (should be request.url in fetch handler)
- Add TypeScript types to function signatures
- Minor clarity improvements to prose and code comments
* Apply suggestion from @ranbel
Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com>
---------
Co-authored-by: opencode-agent[bot] <opencode-agent[bot]@users.noreply.github.com>
Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com>
Copy file name to clipboardExpand all lines: src/content/docs/images/manage-images/serve-images/serve-private-images.mdx
+22-11Lines changed: 22 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,25 +22,35 @@ Private images do not currently support custom paths.
22
22
23
23
:::
24
24
25
-
The example below uses a Worker that takes in a regular URL without a signed token and returns a tokenized URL that expires after one day. You can, however, set this expiration period to whatever you need, by changing the const `EXPIRATION` value.
25
+
## Generate signed URLs from your backend
26
+
27
+
Signed URLs are generated server-side to protect your signing key. The example below uses a Cloudflare Worker, but the same signing logic can be implemented in any backend environment (Node.js, Python, PHP, Go, etc.).
28
+
29
+
The Worker accepts a regular Images URL and returns a signed URL that expires after one day. Adjust the `EXPIRATION` value to set a different expiry period.
30
+
31
+
:::note
32
+
Never hardcode your signing key in source code. Store it as a secret using [`npx wrangler secret put`](/workers/wrangler/commands/#secret) and access it via the `env` parameter. For more information, refer to [Secrets](/workers/configuration/secrets/).
33
+
:::
26
34
27
35
<TypeScriptExample>
28
36
29
37
```ts
30
-
const KEY ="YOUR_KEY_FROM_IMAGES_DASHBOARD";
31
38
const EXPIRATION =60*60*24; // 1 day
32
39
33
-
const bufferToHex = (buffer) =>
40
+
const bufferToHex = (buffer:ArrayBuffer) =>
34
41
[...newUint8Array(buffer)]
35
42
.map((x) =>x.toString(16).padStart(2, "0"))
36
43
.join("");
37
44
38
-
asyncfunction generateSignedUrl(url) {
45
+
asyncfunction generateSignedUrl(
46
+
url:URL,
47
+
signingKey:string,
48
+
):Promise<Response> {
39
49
// `url` is a full imagedelivery.net URL
40
50
// e.g. https://imagedelivery.net/cheeW4oKsx5ljh8e8BoL2A/bc27a117-9509-446b-8c69-c81bfeac0a01/mobile
41
51
42
52
const encoder =newTextEncoder();
43
-
const secretKeyData =encoder.encode(KEY);
53
+
const secretKeyData =encoder.encode(signingKey);
44
54
const key =awaitcrypto.subtle.importKey(
45
55
"raw",
46
56
secretKeyData,
@@ -49,38 +59,39 @@ async function generateSignedUrl(url) {
![opencode-agent[bot]](https://avatars.githubusercontent.com/in/1549082?v=4&size=40){kind=avatar}
0 commit comments