From b4e2cca20488198370bc25432726e7f510d37da8 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 9 Dec 2025 10:24:35 -0800 Subject: [PATCH] s3api: remove redundant auth verification in getRequestDataReader (#7685) * s3api: remove redundant auth verification in getRequestDataReader The handlers PutObjectHandler and PutObjectPartHandler are already wrapped with s3a.iam.Auth() middleware which performs signature verification via authRequest() before the handler is invoked. The signature verification for authTypeSignedV2, authTypePresignedV2, authTypePresigned, and authTypeSigned in getRequestDataReader was therefore redundant. The newChunkedReader() call for streaming auth types is kept as it's needed to parse the chunked transfer encoding and extract the actual data. Fixes #7683 * simplify switch to if statement for single condition --- weed/s3api/s3api_put_object_helper.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/weed/s3api/s3api_put_object_helper.go b/weed/s3api/s3api_put_object_helper.go index 626e1c22d..d020772e9 100644 --- a/weed/s3api/s3api_put_object_helper.go +++ b/weed/s3api/s3api_put_object_helper.go @@ -17,13 +17,8 @@ func getRequestDataReader(s3a *S3ApiServer, r *http.Request) (io.ReadCloser, s3e dataReader := r.Body rAuthType := getRequestAuthType(r) if s3a.iam.isEnabled() { - switch rAuthType { - case authTypeStreamingSigned, authTypeStreamingUnsigned: + if rAuthType == authTypeStreamingSigned || rAuthType == authTypeStreamingUnsigned { dataReader, s3ErrCode = s3a.iam.newChunkedReader(r) - case authTypeSignedV2, authTypePresignedV2: - _, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r) - case authTypePresigned, authTypeSigned: - _, s3ErrCode = s3a.iam.reqSignatureV4Verify(r) } } else { switch rAuthType {