From 46d6c3919ececccf29e725262989bdfd7cc13d64 Mon Sep 17 00:00:00 2001 From: chrislu Date: Sun, 16 Nov 2025 16:02:19 -0800 Subject: [PATCH] jwt in request header --- weed/s3api/s3api_object_handlers.go | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go index f4d7f3438..b5c9b56da 100644 --- a/weed/s3api/s3api_object_handlers.go +++ b/weed/s3api/s3api_object_handlers.go @@ -2535,14 +2535,6 @@ func (s3a *S3ApiServer) createEncryptedChunkReader(chunk *filer_pb.FileChunk) (i return nil, fmt.Errorf("lookup volume URL for chunk %s: %v", chunk.GetFileIdString(), err) } - // Attach volume server JWT for authentication - jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunk.GetFileIdString()) - if strings.Contains(srcUrl, "?") { - srcUrl = srcUrl + "&jwt=" + url.QueryEscape(string(jwt)) - } else { - srcUrl = srcUrl + "?jwt=" + url.QueryEscape(string(jwt)) - } - // Create HTTP request with context for timeout control ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) defer cancel() @@ -2552,6 +2544,12 @@ func (s3a *S3ApiServer) createEncryptedChunkReader(chunk *filer_pb.FileChunk) (i return nil, fmt.Errorf("create HTTP request for chunk: %v", err) } + // Attach volume server JWT for authentication (matches filer behavior) + jwt := security.GenJwtForVolumeServer(s3a.filerGuard.ReadSigningKey, s3a.filerGuard.ReadExpiresAfterSec, chunk.GetFileIdString()) + if jwt != "" { + req.Header.Set("Authorization", "BEARER "+string(jwt)) + } + // Use HTTP client with reasonable timeouts httpClient := &http.Client{ Timeout: 5 * time.Minute,