From d6f60b3f64990a73c69884bafabf5d21a929b654 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 2 Jan 2026 19:01:20 -0800
Subject: [PATCH] Support STS session token in query parameters for presigned URLs

---
 weed/s3api/auth_signature_v4.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index bb5036ad0..4e7c05180 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -208,7 +208,11 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 var cred *Credential

 // 2. Check for STS session token
- if sessionToken := r.Header.Get("X-Amz-Security-Token"); sessionToken != "" {
+ sessionToken := r.Header.Get("X-Amz-Security-Token")
+ if sessionToken == "" {
+ sessionToken = r.URL.Query().Get("X-Amz-Security-Token")
+ }
+ if sessionToken != "" {
 // Validate STS session token
 identity, cred, errCode = iam.validateSTSSessionToken(r, sessionToken, authInfo.AccessKey)
 if errCode != s3err.ErrNone {
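Review bot: The query-string fallback `sessionToken = r.URL.Query().Get("X-Amz-Security-Token")` runs for every request that reaches verifyV4Signature, not only presigned ones, and when both the header and the query parameter are present the header silently wins. It would be safer to read the query parameter only when the request is presigned and to reject a request whose header and query values differ, so the token validated here is certainly the one the client signed; whether the parameter is covered by the canonical query string is not visible in this hunk and should be confirmed. A session token carried in the URL also ends up in access and proxy logs, so any request logging on this path should redact that parameter. At minimum, document the precedence with a comment such as `// presigned URLs carry the STS token in the query string; the header takes precedence when both are set`. verifyV4Signature starts and ends outside the hunk.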