403 when trying to use signed URLs

Developers Stream
#1

Hey, I have an issue with getting 403 when trying to use signed URLs.

This is my scenario:

  1. I’ve uploaded a file using an API link (pull video from our server).
  2. I’ve set “Require Signed URLs” on via the API on the initial call.

My issue:

  1. I’m trying to generate a link using the pem & id, and I’m getting a URL back.
  2. I’m only limiting the time (nbf, exp), I made sure nbf is 5 min back and exp is 1h ahead.
  3. When trying to access the video, I’m getting 403.
  4. If I uncheck “Require Signed URLs”, I can access with the same URL made on step 1.
  5. Checking the checkbox again makes the URL invalid again.
  6. Note: there is no domain restriction.

I’m not sure what I’m doing wrong, but signed URLs doesn’t want to work.

Please help.
Thanks

#2

I’m seeing even more issues…

I thought I could get away without setting “Require Signed URLs”, so I’ve tried signing a URL for 60 seconds, but after 10-15 minutes I see that the link is still active.

I can’t find what am I doing wrong, but it looks like something on the service side is just not playing along…

#3

Hey @ika_cf! There’s quite a bit of signed URL questions on this site. If you could post an example signed URL that doesn’t work, we can help investigate if there are any formatting issues and point you the correct direction.

1 Like
#4

Hi @renan ,

Thanks for looking into this!

I’ve searched for a similar issue but didn’t find :frowning_face:

I’ve signed a new URL, here is the response from CF:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjlhNDk2OGQ2YzM5N2MxNGIwZjA2OGViNDY5YjI5NzQ0In0.eyJzdWIiOiI1NDI5ZTgwYWI1MWE4ZGIyMmRjYjZhZTY5NWJiNTQ4YSIsImtpZCI6IjlhNDk2OGQ2YzM5N2MxNGIwZjA2OGViNDY5YjI5NzQ0IiwiZXhwIjoiMTYxNDU1NTAxNCIsIm5iZiI6IjE2MTQ0ODUwMTQifQ.i7QO79HxTdVVjpDFfkl4gQlvS6s0SwE1cijD5Na7qFpRmoWLdWoOd1kvk-O62AA-F1YJsOyRW4ohWN-cLQiiUXePMq79t0Xun3SEnF-vvibgH_QzNE_EWlYW44JF7zGHgkhOHAmXsDN98kXDW95sS00seMcSSYUxkkADRU2XbRtZUlLrifApgrcnrMboeKxVVbC0HWdxM84g47gkx6A6ma7XxeSpHWOKGEp1b8P63SjBalwB8kdBNh69mrBTIBv5AOaV7Th4RS91h6OqYp3hOxCUX-uUA8KDCHNPtRKxeOfskDM1XefgVAsIqSnZm6qfQP1D0uTROUEeSnss7zN__w

This should be available at
https://videodelivery.net/eyJhbGciOiJSUzI1NiIsImtpZCI6IjlhNDk2OGQ2YzM5N2MxNGIwZjA2OGViNDY5YjI5NzQ0In0.eyJzdWIiOiI1NDI5ZTgwYWI1MWE4ZGIyMmRjYjZhZTY5NWJiNTQ4YSIsImtpZCI6IjlhNDk2OGQ2YzM5N2MxNGIwZjA2OGViNDY5YjI5NzQ0IiwiZXhwIjoiMTYxNDY3MjAwMCIsIm5iZiI6IjE2MTQ0NzAwMDAifQ.tkLDPv7OY6oBN36O0hSgJ31ZKw0OUbWqTTf_QBb8zorjvOu2ME7pV8Tp5GZx2n0N5YyNis2kA8zK73jpV8fRHNNI5lNqRXG9m8k4Yv5X-sISZsNNlMkTyViyZX-6g6JuRkA5VM5UKRs80Uf15yoSLRaUjZd0u0AY-aNajlwK4aKE77Tt4C6nVqMDAgK-zMdQMeQGP4TpBzVJzFj0KV4myuHR038h_23mcmGPMtkk7r83h3Kl-7XkSx8gQMqeX6FgnGuBm_Vj8mLEVEmSOtSKchA7_yCBsFdCPWgTrBASwVABHNiR09dhkJN2_xbJHr_h3jfRSMK3_LDInT6l4kXF0g/manifest/video.mpd

You can see it’s a signed url, but it still gets 403 forbidden, I don’t know why.

IF I remove the checkmark from the “Require Signed URLs” in the streaming admin, the video becomes available in this URL.

I don’t understand why, if I come with a signed URL - it still doesn’t work.

Thank you!

#5

By the way, just in case it’ll help, here is the signature request:

curl -X POST “https://util.cloudflarestream.com/sign/5429e80ab51a8db22dcb6ae695bb548a” -d ‘{“id”: “<key_here>”, “pem”: “<pem_here>”, “nbf”:1614470000,“exp”:1614672000}’

#6

Quick reply! I’d check that you’re using the key you got from Cloudflare and if the owner of the key you’re signing with also owns the video. Easy to mix up the keys! :slight_smile:

#7

Hey @renan ,

Thanks for the input!

I’m not the account owner (he added me as a member, yet I’m an admin), and I was the one that uploaded the videos with my key, so I should be able to sign as well, I trust.

Nevertheless, I will check your theory and update on the result.

Thanks!

#8

Signing keys are owned by accounts (just like videos). So using a signing key made on your own personal account with videos that are owned by some other account will result in a 403.

You can create a new signing key that will work by making a POST request to https://api.cloudflare.com/client/v4/accounts/$account_id_that_owns_the_videos_you_are_signing>/stream/keys

1 Like
#9

Hey @renan,

Thank you! It seems to have fixed the issue.

Please take into consideration, I don’t think that this information was posted anywhere, and it’s very misleading (it actually makes no sense).

Take a look at the scenario:

Key A - My CF key
Key B - Customer’s CF key

  1. My customer added me to his CF account as an admin.
  2. I have used MY key (Key A) to upload the videos through the API - No problem!
  3. I generate links using MY key (Key A) to a video without “require signed url” - No problem!

Problem:
4. I generate links using MY key (Key A) to a video WITH “require signed url” - doesn’t work, and no specific error on the response from CF

No problem:
5. I generate links using my CUSTOMER’s key (Key B) to a video WITH “require signed url” - Works!

Now, I hope you see where the issue is - I can do everything with my key except generating urls for videos with “require signed url”.

Note - the videos were uploaded with KEY A, but can only be viewed securely by KEY B.

From my perspective it’s a bug, as I would expect not to be able to generate links at all, and even not upload the videos… but when one function out of everything doesn’t work, without any specific error, and I can’t even find any explanation for this in the documentation - it’s a bug.

I hope CF will take this into consideration, as this cost us a lot of debugging time, and definitely me in frustration and stress-choclate-eating :slight_smile:

In other words - thank you so much for your insights, and I really hope this would be more clear on the documentation (or fixed if you consider it as a bug like I do), so other customers wouldn’t need to find this as well.

Cheers!

#10

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.