d7fc940237
The blob storage credentials stored in github_repository table only have access to the repository's blob storage, so we need more powerful credentials to manage buckets. We supply these administrator credentials, which can create and delete buckets, through a Config value. We then use these credentials to initialize the admin client. Cloudflare R2 markets itself as S3-compatible, but it doesn't support all S3 operations. Its authentication service is distinct from the storage service. Since it doesn't have ACL endpoints, we can't use the S3 client to create users and access keys. Instead, we must use the Cloudflare API for these operations. When we receive the first cache request for a repository, we create a new bucket and an access token for it if it doesn't already have one. We store this access token in an encrypted database column, which we then use for generating presigned URLs for the specific bucket. Alternatively, we could create a bucket at the time of repository creation. However, since not all repositories will use the cache feature, I prefer to only create a bucket when the repository actually needs it.
619 B
619 B