Blob access control

[sakarisson]

Hey Vercel team, happy new year!

I'm starting on a new project, and I have a need to upload pictures to storage. When going over the blob documentation, I realized that all blobs are publicly accessible.

The options param has a required access field, which can only be set to public. Is there a plan to extend this to have a private alternative?

[vvo]

Hey @sakarisson, yes! We do have plans to have private blobs.

Here's the RFC we're sharing with interested customers, please give us feedback on it based on your usecase as "private" means different patterns for customers, thanks!

Private_Blobs_RFC_for_customer_feedback.pdf

[NotNoshy]

I like the Edge Middleware Authorization. It seems convenient for most use cases. Plus it works on Edge functions which is nice. For accessing Blobs on the server it seems a little less convenient but still reasonable (the proposed solution seems pretty easy to wrap in a function).

I don't love Temporary URLs because it feels like it could have edge cases or be misconfigured. It probably isn't a big deal - but the timeout is something everyone will have to think about before using it. I can think of cases where it would be the most useful (temporary downloads).

For my use case I do need to access blobs from the client and rarely from the server (which probably isn't that common, but I do it).