getPresignedUrl not working in local anymore.

[riderx]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When I used the S3 SDK to create a presigned URL for upload, upload failed while using it because of a problem with headers. I don't know how to debug it. It was working properly before and since the latest release of Storage, it doesn't. So it breaks all my local tests.

To Reproduce

try to run that code it will do the same issue in local Supabase setup with the latest storage release.

import { S3Client } from '@bradenmacdonald/s3-lite-client'

async function main() {
  const client = new S3Client({
    endPoint: process.env.S3_ENDPOINT ?? 'http://127.0.0.1:54321/storage/v1/s3',
    accessKey: process.env.S3_ACCESS_KEY_ID ?? 'supabase',
    secretKey: process.env.S3_SECRET_ACCESS_KEY ?? 'supabase',
    region: process.env.S3_REGION ?? 'local',
    bucket: process.env.S3_BUCKET ?? 'capgo',
    pathStyle: true,
  })

  const objectKey = process.env.S3_OBJECT_KEY ?? 'orgs/demo-app/example.txt'

  const url = await client.getPresignedUrl('PUT', objectKey, {
    expirySeconds: 60,
    parameters: {
      'X-Amz-Content-Sha256': 'UNSIGNED-PAYLOAD',
      'x-id': 'PutObject',
    },
  })

  console.log('Presigned PUT URL:', url)

  const response = await fetch(url, {
    method: 'PUT',
    headers: {
      'Content-Type': 'text/plain',
    },
    body: 'local presign repro',
  })

  console.log('Local storage response:', response.status)
  console.log('Response body:', await response.text())
}

main().catch((error) => {
  console.error(error)
  process.exit(1)
})

Expected behavior

This was working before UNSIGNED-PAYLOAD was a hack to make it works, now it doesn't i would love to have safe way to be able to run my test without hack ^^

System information

CLI v2.45.5
Storage fix-prefix-race-conditions-optimized
pg: 17.6.1.005
rest v13.0.5

Additional context

Storage container logs:

{"level":40,"time":"2025-09-25T03:19:59.252Z","pid":1,"hostname":"3b411f2d1806","region":"not-specified","reqId":"req-7","tenantId":"stub","project":"stub","reqId":"req-7","appVersion":"1.27.4","type":"request","req":{"region":"not-specified","traceId":"req-7","method":"PUT","url":"/s3/capgo/orgs/046a36ac-e03c-4590-9257-bd6c9dba9ee8/apps/com.cli_s3_eb0a2869-90fb-43bd-90a2-290a73651923/1.0.42.zip?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&x-id=PutObject&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=redacted&X-Amz-Date=20250925T031959Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=redacted","headers":{"host":"supabase_storage_capgo-app:5000","x_forwarded_proto":"http","x_forwarded_host":"localhost","x_forwarded_port":"54321","x_forwarded_prefix":"/storage/v1/","x_real_ip":"142.250.185.10","content_length":"11","content_type":"text/plain","accept":"*/*","user_agent":"undici"},"hostname":"supabase_storage_capgo-app:5000","remoteAddress":"172.18.0.5","remotePort":45652},"res":{"statusCode":400,"headers":{"content_type":"application/xml; charset=utf-8","content_length":"280"}},"responseTime":6.179041996598244,"error":{"raw":"{\"metadata\":{},\"code\":\"InvalidSignature\",\"httpStatusCode\":400,\"userStatusCode\":400}","name":"Error","message":"Unsupported authorization type","stack":"Error: Unsupported authorization type\n    at Object.InvalidSignature (/app/dist/internal/errors/codes.js:176:37)\n    at SignatureV4.parseAuthorizationHeader (/app/dist/storage/protocols/s3/signature-v4.js:71:34)\n    at extractSignature (/app/dist/http/plugins/signature-v4.js:123:34)\n    at Object.<anonymous> (/app/dist/http/plugins/signature-v4.js:57:37)\n    at hookIterator (/app/node_modules/fastify/lib/hooks.js:405:10)\n    at next (/app/node_modules/fastify/lib/hooks.js:239:18)\n    at handleResolve (/app/node_modules/fastify/lib/hooks.js:250:7)","statusCode":400},"resources":["/capgo/orgs/046a36ac-e03c-4590-9257-bd6c9dba9ee8/apps/com.cli_s3_eb0a2869-90fb-43bd-90a2-290a73651923/1.0.42.zip"],"msg":"stub | PUT | 400 | 172.18.0.5 | req-7 | /s3/capgo/orgs/046a36ac-e03c-4590-9257-bd6c9dba9ee8/apps/com.cli_s3_eb0a2869-90fb-43bd-90a2-290a73651923/1.0.42.zip?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&x-id=PutObject&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=redacted&X-Amz-Date=20250925T031959Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=redacted | undici"}

[riderx]

here are the test where this start failing https://github.com/Cap-go/capgo/actions/runs/17979805447/job/51142531945

[riderx]

linked to #637

[riderx]

I tried also with official Lib and this doesn't work either, this lib was working since march properly

[riderx]

The only way to have upload link creation working locally in edge function and then send it to the front is a magic solution with AI, but that's ugly and seems to break at any time.

async function getUploadUrl(c: Context, fileId: string, expirySeconds = 1200) {
  const bucket = getEnv(c, 'S3_BUCKET')
  const serviceKey = getEnv(c, 'SUPABASE_SERVICE_ROLE_KEY') || getEnv(c, 'SERVICE_ROLE_KEY') || getEnv(c, 'SERVICE_KEY')
  const rawEndpoint = getEnv(c, 'S3_ENDPOINT')
  const useSSL = getEnv(c, 'S3_SSL') === 'true'

  if (!bucket || !serviceKey || !rawEndpoint) {
    cloudlog({ requestId: c.get('requestId'), message: 'getUploadUrl_missing_config', bucket, rawEndpoint, hasServiceKey: Boolean(serviceKey) })
    return null
  }

  const endpoint = rawEndpoint.startsWith('http://') || rawEndpoint.startsWith('https://')
    ? rawEndpoint
    : `${useSSL ? 'https://' : 'http://'}${rawEndpoint}`

  let apiBase: URL
  try {
    apiBase = new URL(endpoint)
  }
  catch (error) {
    cloudlog({ requestId: c.get('requestId'), message: 'getUploadUrl_invalid_endpoint', rawEndpoint, error })
    return null
  }

  if (apiBase.pathname.endsWith('/s3')) {
    apiBase.pathname = apiBase.pathname.slice(0, -3)
  }

  const requestBase = new URL(apiBase.toString())
  if (requestBase.hostname === '127.0.0.1' || requestBase.hostname === 'localhost') {
    requestBase.hostname = 'supabase_kong_capgo-app'
    requestBase.port = '8000'
  }

  const encodedKey = fileId.split('/').map((segment) => encodeURIComponent(segment)).join('/')
  const requestUrl = new URL(requestBase.toString())
  const basePath = requestUrl.pathname.replace(/\/+$/, '')
  requestUrl.pathname = `${basePath}/object/upload/sign/${bucket}/${encodedKey}`.replace(/\/\/{2,}/g, '/')
  requestUrl.searchParams.set('expiresIn', `${expirySeconds}`)

  const response = await fetch(requestUrl, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      apikey: serviceKey,
      Authorization: `Bearer ${serviceKey}`,
      'x-upsert': 'true',
    },
    body: '{}',
  })

  if (!response.ok) {
    const errorBody = await response.text()
    cloudlog({ requestId: c.get('requestId'), message: 'getUploadUrl_failed', status: response.status, errorBody })
    return null
  }

  const result = await response.json() as { url?: string }
  if (!result?.url) {
    cloudlog({ requestId: c.get('requestId'), message: 'getUploadUrl_no_url', result })
    return null
  }

  if (/^https?:\/\//i.test(result.url)) {
    return result.url
  }

  const normalizedBasePath = (basePath || '/storage/v1').replace(/\/+$/g, '')
  const relativePath = result.url.startsWith('/') ? result.url : `/${result.url}`
  const normalizedPath = relativePath.startsWith(normalizedBasePath)
    ? relativePath
    : `${normalizedBasePath}${relativePath}`
  return `${apiBase.protocol}//${apiBase.host}${normalizedPath}`
}

[fenos]

Please update to the latest version of the Supabase cli it, it should work as expected

[riderx]

@fenos what do you by latest ? 2.45.5 is latest others are pre release what version has the fix

[riderx]

Ok, I confirm CLI 2.47.1 does fix it. Please release. It to all :)

[riderx]

released it's now resolved