Our download is hosted on Google Cloud Storage. For a while now, we've been creating a signed url on demand (as the user clicks the download button), and then redirecting the user to that URL.
This code has been in production for months, but recently we noticed that there's a race condition: sometimes the URL isn't ready yet. Until it is, attempting to access the signed URL results in a 403: Forbidden.
We attempted to mitigate for this by polling for whether the URL was ready by sending a HEAD request, looking for a 200 response. This seemed to by a good solution, until we realized that occasionally a third state existed: The URL was created, but not quite ready. Our HEAD received a 200 Success response with the following XML document:
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature
you provided. Check your Google secret key and signing method.
</Message>
<StringToSign>
GET 1469137341 /our-bucket-name/path/to/file.exe?
response-content-disposition%3dattachment%3b+filename%3dfile.exe
</StringToSign>
</Error>
The URL would then become available after a few seconds. The docs on creating signed URLS don't discuss the possibility that it's not immediately ready.
My question: How are you supposed to determine when a newly-created signed URL is ready for use?
EDIT
We've actually been using the URL generation code (and it's been working fine) for months now. It's only in the last two weeks that we've noticed our fallback mechanism being used (aka the URL isn't ready). It's almost like Google changed code in the last month which introduced latency into when the URL is ready. Up until now, the race condition wasn't even evident.
