Credentials Configuration
Client-side
Google Drive
- Create a Google Cloud Project
- Enable Google Drive API:
  - Navigation Menu > APIs & Services > Library > Search "Google Drive API"
- Create OAuth 2.0 Client ID:
  - APIs & Services > Credentials > Create Credentials > OAuth client ID
  - Application Type: Web application
  - Add authorized JavaScript origins matching your domain
- Get API Key:
  - Credentials > Create Credentials > API Key
OneDrive
- Register Application in Azure Portal:
  - App Registrations > New Registration
  - Supported account types: Accounts in any organizational directory
- Add Redirect URI:
  - Authentication > Add Platform > Web
  - https://your-domain.com/onedrive-callback
- Add API Permissions:
  - Files.ReadWrite, User.Read (delegated)
Server-side Configurations
AWS S3
Attaching the permissions policy below is only required when enableAutoCorsConfig is set to true, so that we can automatically configure CORS for your origin on the bucket for you.
If enableAutoCorsConfig is set to false, you will need to configure CORS for your origin on your bucket yourself. Check these docs for more info.
- Create IAM User:
  - AWS Console > IAM > Users > Add user
  - Programmatic access type
- Attach Permissions Policy:
  - AmazonS3FullAccess
Azure Blob Storage
- Create Storage Account:
  - Azure Portal > Storage Accounts > Create
  - Account kind: StorageV2
  - Replication: LRS
- Get Connection String:
  - Security + networking > Access keys
- Assign RBAC Role:
  - Access Control (IAM) > Add role assignment
  - Storage Blob Data Contributor
- Configure CORS via Azure CLI:
  az storage cors add --services b \
    --origins https://your-domain.com \
    --methods PUT \
    --allowed-headers "<allowed-headers>" \
    --max-age 3600
Azure Storage CORS Documentation
Backblaze B2
Allowing access to all buckets below is only required when enableAutoCorsConfig is set to true, so that we can automatically configure CORS for your origin on the bucket for you.
If enableAutoCorsConfig is set to false, you will need to configure CORS for your origin on your bucket yourself. Check these docs for more info.
- Create Application Key:
  - B2 Cloud Storage > Application Keys
  - Allow access to: All buckets
  - Copy keyID and applicationKey
- Region Format:
  - Example: eu-central-003
- Endpoint Format: https://s3.<region>.backblazeb2.com
  - Example: https://s3.eu-central-003.backblazeb2.com
Special Configuration:
s3GeneratePresignedUrl({
  // ...
  s3ClientConfig: {
    // ...
    endpoint: process.env.BACKBLAZE_S3_ENDPOINT, // required for S3 providers other than AWS
    forcePathStyle: false, // required for S3 providers other than AWS
  },
});
Digital Ocean Spaces
When enableAutoCorsConfig is set to true, we can automatically configure CORS for your origin on the bucket for you.
If enableAutoCorsConfig is set to false, you will need to configure CORS for your origin on your bucket yourself. Check these docs for more info.
- Create Space:
  - DO Control Panel > Spaces > Create
  - Choose region (e.g., nyc3)
- Generate Access Keys:
  - Settings > Spaces Access Keys
- Region Format:
  - Example: nyc3
- Endpoint Format: https://<region>.digitaloceanspaces.com
  - Example: https://nyc3.digitaloceanspaces.com
Special Configuration:
s3GeneratePresignedUrl({
  // ...
  s3ClientConfig: {
    // ...
    endpoint: process.env.BACKBLAZE_S3_ENDPOINT, // required for S3 providers other than AWS
    forcePathStyle: false, // required for S3 providers other than AWS
  },
});
Security Best Practices
- When using enableAutoCorsConfig:
  - Restrict credentials to only required CORS permissions
  - Preferably, use separate credentials for CORS configuration and upload operations
  - Monitor CORS configuration changes
- For manual CORS configuration:
  - Follow provider-specific CORS guidelines
  - Regularly audit bucket CORS rules
- General practices:
  - Always restrict CORS origins
  - Use IAM roles instead of root credentials where possible
  - Rotate API keys frequently (quarterly)
Never commit credentials to version control. Use environment variables and secret management systems.
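An added example (not part of the original documentation or the library's own code) of the "regularly audit bucket CORS rules" and "always restrict CORS origins" practices above: it checks S3-style CORS rules, in the CORSRules shape that S3's GetBucketCors returns, against an allowlist. The function name, the default allowlists and the sample rules are assumptions constructed for illustration.

```javascript
// Added example: audit S3-style CORS rules against what the upload flow needs.
// The default allowlists are assumptions; replace them with your own values.
const EXPECTED_ORIGINS = ["https://your-domain.com"];
const ALLOWED_METHODS = ["PUT"];

function auditCorsRules(corsRules, origins = EXPECTED_ORIGINS, methods = ALLOWED_METHODS) {
  const okOrigins = new Set(origins);
  const okMethods = new Set(methods);
  const findings = [];
  corsRules.forEach((rule, i) => {
    const id = rule.ID || `rule[${i}]`;
    for (const origin of rule.AllowedOrigins || []) {
      if (origin.includes("*")) {
        // "*" or "https://*.example.com" lets origins you do not control call the bucket
        findings.push({ id, issue: "wildcard-origin", value: origin });
      } else if (!origin.startsWith("https://")) {
        findings.push({ id, issue: "non-https-origin", value: origin });
      } else if (!okOrigins.has(origin)) {
        findings.push({ id, issue: "unexpected-origin", value: origin });
      }
    }
    for (const method of rule.AllowedMethods || []) {
      if (!okMethods.has(method)) {
        findings.push({ id, issue: "unneeded-method", value: method });
      }
    }
  });
  return findings;
}

// Constructed sample input, not taken from a real bucket.
const sampleRules = [
  { ID: "upload", AllowedOrigins: ["https://your-domain.com"],
    AllowedMethods: ["PUT"], AllowedHeaders: ["*"], MaxAgeSeconds: 3600 },
  { ID: "legacy", AllowedOrigins: ["*", "http://staging.your-domain.com"],
    AllowedMethods: ["PUT", "DELETE"], AllowedHeaders: ["*"] },
];

for (const finding of auditCorsRules(sampleRules)) {
  console.log(`${finding.id}: ${finding.issue} (${finding.value})`);
}
```

Feed it the rules exported from each bucket on a schedule and alert on any non-empty result; a new finding between runs also signals a CORS configuration change.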