@github-actions github-actions released this 16 Sep 08:17
· 16 commits to main since this release
a8df1cf

Major Changes

  • 0b8ead9: BREAKING CHANGE:

    To continue receiving the onUploadCompleted callback after a file is uploaded with Client Uploads when not hosted on Vercel, you need to provide the callbackUrl at the onBeforeGenerateToken step when using handleUpload.

    When hosted on Vercel:
    No code changes required. The callbackUrl is inferred from Vercel system environment variables:

    • In preview environment: VERCEL_BRANCH_URL when available, otherwise VERCEL_URL
    • In production environment: VERCEL_PROJECT_PRODUCTION_URL

    If you're not hosted on Vercel or you're not using Vercel system environment variables, you will need to provide the callbackUrl:

    Before:

    await handleUpload({
      body,
      request,
      onBeforeGenerateToken: async (pathname) => {
        /* options */
      },
      onUploadCompleted: async ({ blob, tokenPayload }) => {
        /* code */
      },
    });

    After:

    await handleUpload({
      body,
      request,
      onBeforeGenerateToken: async (pathname) => {
        return { callbackUrl: 'https://example.com' }; // the path to call will be automatically computed
      },
      onUploadCompleted: async ({ blob, tokenPayload }) => {
        /* code */
      },
    });

    For local development:
    Set the VERCEL_BLOB_CALLBACK_URL environment variable to your tunnel URL:

    VERCEL_BLOB_CALLBACK_URL=https://abc123.ngrok-free.app

    See the updated documentation at https://vercel.com/docs/vercel-blob/client-upload to learn more.

    Details:

    Before this commit, during Client Uploads, we would infer the callbackUrl on the client side (in the browser) based on location.href (for convenience).
    This is wrong and allows browsers to redirect the onUploadCompleted callback to a different website.

    While not a security risk, because the blob URLs are already public and the browser knows them, it still poses a risk of database drift if you're relying on the onUploadCompleted callback to update any system on your side.
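
The server-side rule described above, as an added example (not code from the Vercel Blob SDK): the callback origin is derived only from server environment variables, and any URL reported by the browser is compared but never used. The helper names `resolveCallbackOrigin` and `callbackOptions`, the precedence given to VERCEL_BLOB_CALLBACK_URL, and the use of VERCEL_ENV to tell preview from production are assumptions of this sketch.

```javascript
// Added example; helper names are hypothetical, not part of the SDK.
// Vercel's system URL variables hold a bare hostname, so a scheme is prepended.
function resolveCallbackOrigin(env) {
  // Assumption: an explicit VERCEL_BLOB_CALLBACK_URL (e.g. a tunnel) wins.
  if (env.VERCEL_BLOB_CALLBACK_URL) {
    return new URL(env.VERCEL_BLOB_CALLBACK_URL).origin;
  }
  let host;
  if (env.VERCEL_ENV === 'preview') {
    host = env.VERCEL_BRANCH_URL || env.VERCEL_URL;
  } else if (env.VERCEL_ENV === 'production') {
    host = env.VERCEL_PROJECT_PRODUCTION_URL;
  }
  return host ? new URL(`https://${host}`).origin : undefined;
}

// Builds the object to return from onBeforeGenerateToken. A URL reported by
// the browser is only compared against the server value, never used.
function callbackOptions(env, clientReportedUrl) {
  const origin = resolveCallbackOrigin(env);
  if (!origin) {
    throw new Error('callbackUrl cannot be inferred; configure it explicitly');
  }
  let mismatch = false;
  if (clientReportedUrl) {
    try {
      mismatch = new URL(clientReportedUrl).origin !== origin;
    } catch {
      mismatch = true; // unparsable value from the browser
    }
  }
  return { options: { callbackUrl: origin }, mismatch };
}

// Constructed sample input: a production deployment and a browser-reported
// location that points at a different site.
const sampleEnv = {
  VERCEL_ENV: 'production',
  VERCEL_PROJECT_PRODUCTION_URL: 'example.com',
};
const result = callbackOptions(sampleEnv, 'https://other-site.example/upload');
console.log(result.options.callbackUrl, result.mismatch);
```

Return `options` from onBeforeGenerateToken; a true `mismatch` is worth logging, since it marks an upload whose completion callback would previously have gone to another origin.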