How to determine if session token of cached client is expired?

[PhilipDeFraties]

Is there a way to determine if a cached client has an expired session token?

We utilize the 'wt_s3_signer' gem to quickly generate presigned s3 urls, however there is an intermittent issue in which a signer object is created and cached with a security token that is nearly expired, resulting in broken urls. Is there an efficient way to check to see how much longer the token is valid for?

def signer
    Rails.cache.fetch('s3_signer', expires_in: 45.minutes) do
      s3_bucket = Aws::S3::Bucket.new(ENV['S3_BUCKET_NAME'])
      WT::S3Signer.for_s3_bucket(s3_bucket, expires_in: 2700)
    end
end

[mullermp]

I'm not certain about how the wt_s3_signer gem works. If using the Aws::S3::Presigner class, credentials are automatically refreshed if close to expiring, and the URL is constructed with an expires time that satisfies the credential's expiration time. May I ask why you're using a different gem to do this functionality and is the speed penalty that big?

[PhilipDeFraties]

@mullermp thanks for the response!

It was decided to use this gem to speed up image delivery for one of our pages that uses presigned urls to render 100+ images because, I believe, they determined the gem was faster for this purpose. I think there may have been some confusion about how to implement it though because from the (skimpy) docs it says:

s3_bucket = Aws::S3::Bucket.new('shiny-bucket-name')
ttl_seconds = 7 * 24 * 60 * 60

# we suggest caching the S3 client in the application to reuse the cached credentials
s3_client = Aws::S3::Client.new
signer = WT::S3Signer.for_s3_bucket(s3_bucket, client: s3_client, expires_in: ttl_seconds)
url_str = signer.presigned_get_url(object_key: full_s3_key)
      #=> https://shiny-bucket-name.s3.eu-west-1.amazonaws.com/dir/testobject?X-Amz-Algorithm...

If we were to cache the client as indicated in the commented line, would it automatically refresh upon encountering an expired session token? This may be getting more into the the inner workings of the wt_s3_signer gem but I believe it is using a method that might actually do this: https://github.com/WeTransfer/wt_s3_signer/blob/de40bb5d6a297c48c548c6a62c4f5703e87e2746/lib/wt_s3_signer.rb#L53

[mullermp]

Yep, it seems like it should. If using the SDKs presigner, we could guarantee it however. One thing to note is that this 3p presigner does not handle custom s3 functionality like bucket redirection, access point buckets, etc.