feat: add signature to ZIP tarball URL stored in KV store

Author: danpoletaev

package.json

@@ -66,7 +66,7 @@
         "@apify/actor-templates": "^0.1.5",
         "@apify/consts": "^2.36.0",
         "@apify/input_schema": "^3.17.0",
-        "@apify/utilities": "^2.15.1",
+        "@apify/utilities": "^2.18.0",
         "@crawlee/memory-storage": "^3.12.0",
         "@inquirer/core": "^10.1.15",
         "@inquirer/input": "^4.2.1",
@@ -79,7 +79,7 @@
         "@skyra/jaro-winkler": "^1.1.1",
         "adm-zip": "~0.5.15",
         "ajv": "~8.17.1",
-        "apify-client": "^2.12.6",
+        "apify-client": "^2.13.0",
         "archiver": "~7.0.1",
         "axios": "^1.11.0",
         "chalk": "~5.5.0",

src/commands/actors/push.ts

@@ -8,6 +8,7 @@ import open from 'open';
 
 import { fetchManifest } from '@apify/actor-templates';
 import { ACTOR_JOB_STATUSES, ACTOR_SOURCE_TYPES, MAX_MULTIFILE_BYTES } from '@apify/consts';
+import { createHmacSignature } from '@apify/utilities';
 
 import { ApifyCommand } from '../../lib/command-framework/apify-command.js';
 import { Args } from '../../lib/command-framework/args.js';
@@ -258,7 +259,24 @@ Skipping push. Use --force to override.`,
 				contentType: 'application/zip',
 			});
 			unlinkSync(TEMP_ZIP_FILE_NAME);
-			tarballUrl = `${apifyClient.baseUrl}/key-value-stores/${store.id}/records/${key}?disableRedirect=true`;
+			const tempTarballUrl = new URL(
+				`${apifyClient.baseUrl}/key-value-stores/${store.id}/records/${key}?disableRedirect=true`,
+			);
+
+			/**
+			 * Signs the tarball URL to grant temporary access for restricted resources.
+			 * When a store is set to 'RESTRICTED', direct URLs are disabled. Instead of
+			 * appending a security token, we add a signature to the URL parameters.
+			 * https://github.com/apify/apify-core/issues/22197
+			 *
+			 * TODO: Use keyValueStore(:storeId).getRecordPublicUrl from apify-client instead once it is released.
+			 */
+			if (store?.urlSigningSecretKey) {
+				const signature = createHmacSignature(store.urlSigningSecretKey, key);
+				tempTarballUrl.searchParams.set('signature', signature);
+			}
+
+			tarballUrl = tempTarballUrl.toString();
 			sourceType = ACTOR_SOURCE_TYPES.TARBALL;
 		}
 

test/api/commands/push.test.ts

@@ -4,6 +4,7 @@ import { mkdir, writeFile } from 'node:fs/promises';
 import type { ActorCollectionCreateOptions } from 'apify-client';
 
 import { ACTOR_SOURCE_TYPES, SOURCE_FILE_FORMATS } from '@apify/consts';
+import { createHmacSignature } from '@apify/utilities';
 
 import { testRunCommand } from '../../../src/lib/command-framework/apify-command.js';
 import { LOCAL_CONFIG_PATH } from '../../../src/lib/consts.js';
@@ -236,6 +237,10 @@ describe('[api] apify push', () => {
 			testActor = (await testActorClient.get())!;
 			const testActorVersion = await testActorClient.version(actorJson.version).get();
 			const store = await testUserClient.keyValueStores().getOrCreate(`actor-${testActor.id}-source`);
+
+			expect(store.urlSigningSecretKey).toBeDefined();
+			const signature = createHmacSignature(store.urlSigningSecretKey!, `version-${actorJson.version}.zip`);
+
 			await testUserClient.keyValueStore(store.id).delete(); // We just needed the store ID, we can clean up now
 
 			if (testActor) await testActorClient.delete();
@@ -245,7 +250,7 @@ describe('[api] apify push', () => {
 				buildTag: 'latest',
 				tarballUrl:
 					`${testActorClient.baseUrl}/key-value-stores/${store.id}` +
-					`/records/version-${actorJson.version}.zip?disableRedirect=true`,
+					`/records/version-${actorJson.version}.zip?disableRedirect=true&signature=${signature}`,
 				envVars: testActorWithEnvVars.versions[0].envVars,
 				sourceType: ACTOR_SOURCE_TYPES.TARBALL,
 			});

yarn.lock

@@ -117,7 +117,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@apify/utilities@npm:^2.13.0, @apify/utilities@npm:^2.15.1, @apify/utilities@npm:^2.17.0, @apify/utilities@npm:^2.7.10":
+"@apify/utilities@npm:^2.13.0, @apify/utilities@npm:^2.17.0, @apify/utilities@npm:^2.7.10":
   version: 2.17.0
   resolution: "@apify/utilities@npm:2.17.0"
   dependencies:
@@ -127,6 +127,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@apify/utilities@npm:^2.18.0":
+  version: 2.18.0
+  resolution: "@apify/utilities@npm:2.18.0"
+  dependencies:
+    "@apify/consts": "npm:^2.43.0"
+    "@apify/log": "npm:^2.5.20"
+  checksum: 10c0/1b65891901c6bf6725d00b4c7e00104e2b7e3ecf02ebc86bf816459308028cbd3e8415ffea7ccf562a719f53c15a8118d1d534511e9b940f767d46a1abf2c792
+  languageName: node
+  linkType: hard
+
 "@arcanis/slice-ansi@npm:^1.1.1":
   version: 1.1.1
   resolution: "@arcanis/slice-ansi@npm:1.1.1"
@@ -2244,7 +2254,7 @@ __metadata:
     "@apify/eslint-config": "npm:^1.0.0"
     "@apify/input_schema": "npm:^3.17.0"
     "@apify/tsconfig": "npm:^0.1.1"
-    "@apify/utilities": "npm:^2.15.1"
+    "@apify/utilities": "npm:^2.18.0"
     "@biomejs/biome": "npm:^2.0.0"
     "@crawlee/memory-storage": "npm:^3.12.0"
     "@crawlee/types": "npm:^3.11.1"
@@ -2278,7 +2288,7 @@ __metadata:
     adm-zip: "npm:~0.5.15"
     ajv: "npm:~8.17.1"
     apify: "npm:^3.2.4"
-    apify-client: "npm:^2.12.6"
+    apify-client: "npm:^2.13.0"
     archiver: "npm:~7.0.1"
     axios: "npm:^1.11.0"
     chai: "npm:^4.4.1"
@@ -2330,7 +2340,7 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"apify-client@npm:^2.12.1, apify-client@npm:^2.12.6":
+"apify-client@npm:^2.12.1":
   version: 2.12.6
   resolution: "apify-client@npm:2.12.6"
   dependencies:
@@ -2348,6 +2358,25 @@ __metadata:
   languageName: node
   linkType: hard
 
+"apify-client@npm:^2.13.0":
+  version: 2.13.0
+  resolution: "apify-client@npm:2.13.0"
+  dependencies:
+    "@apify/consts": "npm:^2.25.0"
+    "@apify/log": "npm:^2.2.6"
+    "@apify/utilities": "npm:^2.18.0"
+    "@crawlee/types": "npm:^3.3.0"
+    agentkeepalive: "npm:^4.2.1"
+    async-retry: "npm:^1.3.3"
+    axios: "npm:^1.6.7"
+    content-type: "npm:^1.0.5"
+    ow: "npm:^0.28.2"
+    tslib: "npm:^2.5.0"
+    type-fest: "npm:^4.0.0"
+  checksum: 10c0/0596ba6aa4a534fc514e4d32b5ed232f1be7fd49cd3759380332edd136f5697add34a9e2ff3f8e98088f9945faf64ea5a7ebe53eb3d7b3886333ab3eddddfa32
+  languageName: node
+  linkType: hard
+
 "apify@npm:^3.2.4":
   version: 3.4.4
   resolution: "apify@npm:3.4.4"