[@vercel/blob] Apply ifMatch/allowOverwrite validation to handleUpload and generateClientToken (#1027)

* [@vercel/blob] Apply ifMatch/allowOverwrite validation to handleUpload and generateClientToken

The same contradiction (ifMatch + allowOverwrite: false) can happen via
handleUpload's onBeforeGenerateToken callback or direct
generateClientTokenFromReadWriteToken calls. Add validation there too.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [@vercel/blob] Fix biome formatting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vvo

.changeset/ifmatch-handle-upload.md

@@ -0,0 +1,5 @@
+---
+'@vercel/blob': patch
+---
+
+Apply `ifMatch`/`allowOverwrite` validation to `handleUpload` and `generateClientTokenFromReadWriteToken`. When `ifMatch` is set via `onBeforeGenerateToken` or direct token generation, `allowOverwrite` is now implicitly enabled. Explicitly passing `allowOverwrite: false` with `ifMatch` throws a clear error.

packages/blob/src/client.node.test.ts

@@ -39,6 +39,34 @@ describe('client uploads', () => {
       });
     });
 
+    it('throws when ifMatch is used with allowOverwrite: false', async () => {
+      await expect(
+        generateClientTokenFromReadWriteToken({
+          pathname: 'foo.txt',
+          token:
+            'vercel_blob_rw_12345fakeStoreId_30FakeRandomCharacters12345678',
+          ifMatch: '"abc123"',
+          allowOverwrite: false,
+        }),
+      ).rejects.toThrow(
+        'ifMatch and allowOverwrite: false are contradictory. ifMatch is used for conditional overwrites, which requires allowOverwrite to be true.',
+      );
+    });
+
+    it('implicitly sets allowOverwrite when ifMatch is provided', async () => {
+      const uploadToken = await generateClientTokenFromReadWriteToken({
+        pathname: 'foo.txt',
+        token: 'vercel_blob_rw_12345fakeStoreId_30FakeRandomCharacters12345678',
+        ifMatch: '"abc123"',
+      });
+
+      expect(getPayloadFromClientToken(uploadToken)).toMatchObject({
+        pathname: 'foo.txt',
+        ifMatch: '"abc123"',
+        allowOverwrite: true,
+      });
+    });
+
     it('accepts a tokenPayload property', async () => {
       const uploadToken = await generateClientTokenFromReadWriteToken({
         pathname: 'foo.txt',

packages/blob/src/client.ts

@@ -755,6 +755,24 @@ export async function generateClientTokenFromReadWriteToken({
     );
   }
 
+  // ifMatch implies allowOverwrite — updating a blob by ETag inherently requires
+  // overwriting. Throw if the user explicitly contradicts this.
+  if (argsWithoutToken.ifMatch && argsWithoutToken.allowOverwrite === false) {
+    throw new BlobError(
+      'ifMatch and allowOverwrite: false are contradictory. ifMatch is used for conditional overwrites, which requires allowOverwrite to be true.',
+    );
+  }
+
+  // Implicitly enable allowOverwrite when ifMatch is set and allowOverwrite
+  // was not explicitly provided, to prevent the server from sending
+  // conflicting If-Match + If-None-Match headers to S3.
+  if (
+    argsWithoutToken.ifMatch &&
+    argsWithoutToken.allowOverwrite === undefined
+  ) {
+    argsWithoutToken.allowOverwrite = true;
+  }
+
   const timestamp = new Date();
   timestamp.setSeconds(timestamp.getSeconds() + 30);
   const readWriteToken = getTokenFromOptionsOrEnv({ token });