Add ErrExpiredToken error for better AWS S3 compatibility with STS session tokens

1 month ago · 060d3310ca
2 changed files with 7 additions and 1 deletions
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@ -329,7 +329,7 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se
 	// Check if the session has expired
 	if time.Now().After(sessionInfo.ExpiresAt) {
 		glog.V(2).Infof("STS session has expired at %v", sessionInfo.ExpiresAt)
-		return nil, nil, s3err.ErrAccessDenied
+		return nil, nil, s3err.ErrExpiredToken
 	}

 	// Create a credential from the session info
--- a/weed/s3api/s3err/s3api_errors.go
+++ b/weed/s3api/s3err/s3api_errors.go
@ -95,6 +95,7 @@ const (
 	ErrInvalidQueryParams
 	ErrInvalidQuerySignatureAlgo
 	ErrExpiredPresignRequest
+	ErrExpiredToken
 	ErrMalformedExpires
 	ErrNegativeExpires
 	ErrMaximumExpires
@ -405,6 +406,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "Request has expired",
 		HTTPStatusCode: http.StatusForbidden,
 	},
+	ErrExpiredToken: {
+		Code:           "ExpiredToken",
+		Description:    "The provided token has expired.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrMalformedExpires: {
 		Code:           "AuthorizationQueryParametersError",
 		Description:    "X-Amz-Expires should be a number",