对象存储预签名URL治理（expires/范围/IP白名单）最佳实践

背景与价值预签名URL若无治理易被滥用。统一过期、范围与来源校验，可显著降低风险并提升可审计能力。统一规范有效期：`expires` 不得超过业务上限（如15分钟）。资源范围：仅允许指定前缀下资源访问，拒绝任意路径。IP白名单：仅允许批准IP来源访问。核心实现签名生成与校验function enc(s: string): Uint8Array { return new TextEncoder().encode(s) } async function importHmac(secret: ArrayBuffer): Promise<CryptoKey> { return crypto.subtle.importKey('raw', secret, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']) } async function hmac(key: CryptoKey, data: string): Promise<string> { const raw = await crypto.subtle.sign('HMAC', key, enc(data)) const u = new Uint8Array(raw) let s = '' for (let i=0;i<u.length;i++) s += String.fromCharCode(u[i]) return btoa(s).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/,'') } type Token = { path: string; expires: number; sig: string } async function signToken(path: string, expires: number, key: CryptoKey): Promise<Token> { const payload = path + '|' + String(expires) const sig = await hmac(key, payload) return { path, expires, sig } } function withinPrefix(path: string, prefix: string): boolean { return path.startsWith(prefix) } function ipAllowed(ip: string, allow: Set<string>): boolean { return allow.has(ip) } async function verifyToken(t: Token, key: CryptoKey, prefix: string, ip: string, allow: Set<string>, maxExpMs: number): Promise<boolean> { if (!withinPrefix(t.path, prefix)) return false if (!ipAllowed(ip, allow)) return false const now = Date.now() if (t.expires - now > maxExpMs || now > t.expires) return false const expect = await hmac(key, t.path + '|' + String(t.expires)) return expect === t.sig } 落地建议为预签名URL设置较短有效期，拒绝超上限；资源路径限定前缀并记录审计。配置来源IP白名单并在边缘进行阻断与校验，减少外泄面。将签名策略与网关协同，统一过期与来源策略并清理失效令牌。验证清单`expires` 是否在上限内且未过期。`path` 是否命中前缀范围，来源IP是否在白名单内。签名是否与负载一致并通过校验。