DEV Community

강해수
강해수

Posted on • Originally published at dailymanuallab.com

Your R2 presigned URL has a shorter TTL than you think — here's why

#cloudflare #serverless #webdev #tutorial

A 3600-second presigned URL expiring after 38 minutes isn't a permissions bug. It's a clock skew bug — and it took me an NTP issue on my dev laptop to finally see it clearly.

R2's presigned URL validation is S3-compatible, which means expiry is calculated from the X-Amz-Date value baked into the URL at signing time — not from wall-clock time at first use. If the Worker PoP that signs the URL has a clock 30 seconds ahead of the PoP that validates the request, you silently lose 30 seconds off the back end. That's survivable. The nastier version is a drifting client clock: I had a mobile client running 4 minutes fast, and a URL signed with a nominal 1-hour TTL was throwing SignatureDoesNotMatch errors with 5 minutes left on the clock. From the user's side it just looked like a 403 permissions failure — no indication it was a timing problem at all.

The fix I landed on is a signing buffer: tell the client the URL expires in nominalTtl, but actually sign it for nominalTtl + 300s. Five extra minutes absorbed every real-world drift case I've seen in production traffic:

const CLOCK_SKEW_BUFFER_SECONDS = 300;

export async function signGetUrlWithBuffer(
  env: Env,
  key: string,
  nominalTtlSeconds: number
): Promise<{ url: string; expiresAt: number }> {
  const signingTtl = nominalTtlSeconds + CLOCK_SKEW_BUFFER_SECONDS;
  const url = await signGetUrl(env, key, signingTtl);
  const expiresAt = Date.now() + nominalTtlSeconds * 1000;
  return { url, expiresAt };
}
Enter fullscreen mode Exit fullscreen mode

The client's expiresAt is honest. The signed TTL just has a quiet cushion on top. One other thing worth knowing: mobile browsers behind aggressive proxy layers — I specifically noticed this in Korean carrier traffic — will reject presigned URLs with TTLs under 60 seconds. R2 itself allows down to 1 second, but the proxy doesn't care. Floor your TTLs at 60s if you have any mobile users outside North America or Europe.

I wrote up the full breakdown — including the Date.now() freezing behavior inside V8 isolates during cold starts (which caused a 1-2% silent 403 rate during a high-traffic campaign flush) and how to wire --persist-to locally so you can actually verify cross-restart URL validity — over on dailymanuallab.com.

Full post →

Top comments (0)