核心价值：通过 HMAC 签名与过期时间控制静态资源访问,降低未授权分享风险。在 Edge 路由中高性能验证并安全代理到后端或 CDN。
实现：
export const runtime = 'edge'
// Raw HMAC key shared with whoever issues the signed URLs; hmac() below imports
// it as a WebCrypto key on every call, so the signer must use the identical bytes.
// NOTE(review): a literal in source ships with the bundle and cannot be rotated
// without a redeploy; a runtime-provided secret (e.g. an environment variable)
// is the usual fix.
const SECRET = 'super-secret'
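/**
 * Computes HMAC-SHA256 over `input` and returns it as standard base64.
 *
 * @param input - The string to authenticate; GET signs `${path}:${exp}`.
 * @param secret - Raw key bytes as a string; defaults to the module's SECRET.
 *   Passing it explicitly lets a verifier check a token against more than one
 *   key (for example during key rotation) without touching the module constant.
 * @returns A 44-character base64 string (the 32-byte MAC). It uses the standard
 *   alphabet (`+`, `/`, `=`), so a signer placing it in a query string must
 *   percent-encode it: a raw `+` is parsed as a space by URLSearchParams.
 */
async function hmac(input: string, secret: string = SECRET): Promise<string> {
  const enc = new TextEncoder()
  // Non-extractable, sign-only key: the handler never needs to export or
  // verify with it, so grant nothing beyond 'sign'.
  const key = await crypto.subtle.importKey(
    'raw',
    enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign'],
  )
  const mac = new Uint8Array(await crypto.subtle.sign('HMAC', key, enc.encode(input)))
  // btoa wants a "binary string" (one char per byte), not a typed array.
  let binary = ''
  for (const byte of mac) binary += String.fromCharCode(byte)
  return btoa(binary)
}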
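/**
 * Upstream origin the signed paths are served from. It is a fixed prefix of the
 * fetched URL, so a signed `path` can only select a resource under this host.
 */
const CDN_ORIGIN = 'https://cdn.example.com'

/**
 * Compares two strings in time that depends on their length only, not on the
 * position of the first differing character, so a wrong signature cannot be
 * narrowed down byte by byte via response timing. The length itself is public
 * (a base64 SHA-256 MAC is always 44 characters), so returning early on a
 * length mismatch leaks nothing.
 */
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false
  let diff = 0
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  return diff === 0
}

/**
 * Verifies a signed asset URL and streams the asset back from the CDN.
 *
 * Query parameters: `path` (asset path under CDN_ORIGIN), `exp` (Unix seconds,
 * last second the link is valid) and `sig` (base64 HMAC-SHA256 over
 * `${path}:${exp}`, as produced by hmac()). A client `Range` header is passed
 * through to the CDN and its 206 / Content-Range answer is surfaced unchanged.
 *
 * There is no revocation list here: a token stays valid until `exp`, so the
 * signer controls the exposure window by keeping lifetimes short.
 *
 * @returns 403 for a missing, malformed, expired or mismatched token (the body
 *   reads 'Expired' only after the parameters parsed, 'Forbidden' otherwise),
 *   404 when the CDN does not answer 2xx, else the CDN body with its status.
 */
export async function GET(req: Request): Promise<Response> {
  const url = new URL(req.url)
  const path = url.searchParams.get('path') || ''
  const exp = Number(url.searchParams.get('exp') || 0)
  // Standard base64 contains '+'; if the signer did not percent-encode it,
  // URLSearchParams has already turned it into a space. Restoring it is a
  // no-op for a properly encoded token and can only recover what was signed.
  const sig = (url.searchParams.get('sig') || '').replace(/ /g, '+')
  // `exp` must be a positive integer: NaN, 0, fractions or exponent notation
  // never come from the signer, and `${exp}` below has to reproduce the exact
  // decimal string that was signed.
  if (!path || !sig || !Number.isSafeInteger(exp) || exp <= 0) {
    return new Response('Forbidden', { status: 403 })
  }
  const now = Math.floor(Date.now() / 1000)
  if (now > exp) return new Response('Expired', { status: 403 })
  const expected = await hmac(`${path}:${exp}`)
  if (!constantTimeEqual(sig, expected)) return new Response('Forbidden', { status: 403 })

  // The signature binds `path`, so only paths the signer approved reach the CDN.
  const target = `${CDN_ORIGIN}/${path}`
  const range = req.headers.get('range')
  const res = await fetch(target, range ? { headers: { Range: range } } : undefined)
  // res.ok covers 200-299, so a 206 partial response passes here as well.
  if (!res.ok) return new Response('Not Found', { status: 404 })

  const headers = new Headers({
    'Content-Type': res.headers.get('content-type') || 'application/octet-stream',
    'Cache-Control': 'private, max-age=60',
  })
  // Only the range-related headers are forwarded; Content-Length is not, because
  // fetch may have transparently decoded the body and the value would be wrong.
  for (const name of ['Content-Range', 'Accept-Ranges']) {
    const value = res.headers.get(name)
    if (value) headers.set(name, value)
  }
  return new Response(res.body, { status: res.status, headers })
}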
治理建议：令牌仅覆盖资源路径与过期时间,避免包含敏感信息;令牌有效期应短且可撤销。对下载量大的资源结合 `Range` 支持与限速策略;并记录审计日志以便追踪。
结论：Signed URL 在静态资源场景下易于落地且高效,结合边缘验证可显著提升访问控制的安全性与可用性。
