Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
gcs-signed-urls
Advanced tools
gcs-signed-urls
Allow uploads directly from the browser to Google Cloud Storage while controlling access with Nodejs and signed urls.
Google Cloud Storage Signed URLs for Node.js
I created this NPM module so that I can create web apps that allow users to upload directly to Google Cloud Storage. Using Signed URLs I am able to control access with Node.js and a private key. Because there is not a Node.js SDK for Google Cloud Storage, the cryptographic signatures were coded using Node.js's crypto module to Google's specification. This integration alleviates much of the maintenance required in storing and handing file uploads in web apps while at the same time not complicating the uploading process by acting as a middleman between the user and Google Cloud Storage.
NOTE: you need to create a google service account.
Simple example: http://gcs-signed-urls.herokuapp.com/.
For more advanced examples with xhr uploads, see https://github.com/sfarthin/crop-rotate-and-sample-in-browser.
Setup
npm install gcs-signed-urls
Creating a Service Account
- Visit the Google Developer Console
- Click credentials
- Create new client ID
- Create a service account
Incorperate service account.
-
After you create a service account you should recieve a .p12 file. Convert the .p12 (key and certificate in one) to an ascii formatted .pem which can be read as text. Use this command:
openssl pkcs12 -in *.p12 -out google-services-private-key.pem -nodes -clcerts
-
The password is always "notasecret"
-
Your all set! Now you will be able to run the example app.
Reference
First create your CloudStorage instance with your gcs information.
var CloudStorage = require("gcs-signed-urls")("/path/to/google-services-private-key.pem", "*****@developer.gserviceaccount.com", "my_bucket_name")
You can also store gcs information in environment variables so you do not need to specify it in your application.
var CloudStorage = require("gcs-signed-urls")()
Set variables like this:
$ export GOOGLE_SERICES_EMAIL=*****@developer.gserviceaccount.com
$ export GCS_STORAGE_BUCKET=my-bucket
$ export GCS_PRIVATE_KEY=`cat path/to/google-services-private-key.pem`
uploadRequest(filename, key, isAttachment, customFields)
This method creates an object representing the fields of an HTML form.
filename - Filename given to the file uploaded. Mime type is determined given the extension.
key - The Google Cloud key.
isAttachment - This sets content disposition to be an attachment, causing the browser to download the file (with the given filename) rather than show the file inside the browser.
customFields - Set custom "x-goog-meta-" headers.
<form action="http://my_bucket.storage.googleapis.com" method="post" enctype="multipart/form-data">
<input type="text" name="key" value="<%=key%>">
<input type="hidden" name="bucket" value="my_bucket">
<input type="hidden" name="GoogleAccessId" value="*****@developer.gserviceaccount.com">
<input type="hidden" name="policy" value="<%=fields.policy%>">
<input type="hidden" name="signature" value="<%=fields.signature%>">
<input name="file" type="file">
<input type="submit" value="Upload">
</form>
upload(filename, key, isAttachment, customFields, callback)
Direct upload from Node.js using the same options as uploadRequest.
defaultAcl: function(acl, callback)
Takes an acl option and sets that as the default acl of an object. The options are: project-private private public-read public-read-write authenticated-read bucket-owner-read bucket-owner-full-control
See https://developers.google.com/storage/docs/accesscontrol#extension
cors: function(xml, callback)
Sets the xml cors policy
exisits: function(key, callback)
metaData: function(key, callback)
makePrivate: function(key, callback)
makePublic: function(key, callback)
getPublicUrl: function(key)
getPrivateUrl: function(key)
remove: function(key, callback)
Running tests or example
The tests and example require environoment variables to be set.
$ export GOOGLE_SERICES_EMAIL=*****@developer.gserviceaccount.com
$ export GCS_STORAGE_BUCKET=my-bucket
$ export GCS_PRIVATE_KEY=`cat google-services-private-key.pem`
To run test
npm test
To run example on port 3001
npm start
Deploying on Heroku
heroku create
heroku config:set GOOGLE_SERICES_EMAIL=***@developer.gserviceaccount.com
heroku config:set GCS_STORAGE_BUCKET=my bucket
heroku config:set GCS_PRIVATE_KEY=`cat google-services-private-key.pem`
git push heroku master
FAQs
Allow uploads directly from the browser to Google Cloud Storage while controlling access with Nodejs and signed urls.
We found that gcs-signed-urls demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 08 Feb 2018
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025