From 060d3310ca79f1fddb33a636a35bf6b942d11dc2 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Fri, 2 Jan 2026 19:00:09 -0800 Subject: [PATCH] Add ErrExpiredToken error for better AWS S3 compatibility with STS session tokens --- weed/s3api/auth_signature_v4.go | 2 +- weed/s3api/s3err/s3api_errors.go | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go index 60ddf7218..bb5036ad0 100644 --- a/weed/s3api/auth_signature_v4.go +++ b/weed/s3api/auth_signature_v4.go @@ -329,7 +329,7 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se // Check if the session has expired if time.Now().After(sessionInfo.ExpiresAt) { glog.V(2).Infof("STS session has expired at %v", sessionInfo.ExpiresAt) - return nil, nil, s3err.ErrAccessDenied + return nil, nil, s3err.ErrExpiredToken } // Create a credential from the session info diff --git a/weed/s3api/s3err/s3api_errors.go b/weed/s3api/s3err/s3api_errors.go index 189c6ba86..a23ff2aca 100644 --- a/weed/s3api/s3err/s3api_errors.go +++ b/weed/s3api/s3err/s3api_errors.go @@ -95,6 +95,7 @@ const ( ErrInvalidQueryParams ErrInvalidQuerySignatureAlgo ErrExpiredPresignRequest + ErrExpiredToken ErrMalformedExpires ErrNegativeExpires ErrMaximumExpires @@ -405,6 +406,11 @@ var errorCodeResponse = map[ErrorCode]APIError{ Description: "Request has expired", HTTPStatusCode: http.StatusForbidden, }, + ErrExpiredToken: { + Code: "ExpiredToken", + Description: "The provided token has expired.", + HTTPStatusCode: http.StatusBadRequest, + }, ErrMalformedExpires: { Code: "AuthorizationQueryParametersError", Description: "X-Amz-Expires should be a number",