signBlob signatures guaranteed to be valid for only 12 hours #1365
Labels
type: docs
Improvement to the documentation for an API.
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current comments fail to say how long a signed blob will be valid.
google-auth-library-nodejs/src/auth/googleauth.ts
Line 880 in 883cf25
From the iam.serviceAccounts.signBlob documentation:
This means the default behavior only generates signatures valid for up to 12 hours (may be longer, but not guaranteed to be). This turns out to be a practical problem for most users of googleapis/nodejs-storage relying on the default authClient.sign behavior for signing URLs. Even when the TTL is specified in the signature (up to 7 days for v4 signatures) the default underlying signature is only good for up to 12 hours.
This should at least be documented in both the auth library and storage library, and the storage library may consider restricting TTLs on signed URLs to 12 hours (rejecting requests for longer TTLs when used with the service-account signBlob API)
The text was updated successfully, but these errors were encountered: