- Front controller and UI in [public/index.php](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/public/index.php) and [views/dashboard.php](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/views/dashboard.php)

R2 S3 Signature V4 client in 
[src/R2/R2Client.php](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/src/R2/R2Client.php)
SQLite mirror, usage ledger, settings, local tags, permission labels, 
and signed URL history under 
[src/Repository](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/src/Repository)
Simple password auth and CSRF protection
Uploads, folders, sync, copy/move/delete, downloads, presigned URLs, 
CORS JSON management, and usage/billing-style summaries
Setup docs in 
[README.md](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/README.md) 
and config template in 
[.env.example](/Users/tyemeclifford/Documents/GH/CloudflareR2-Manager/.env.example)
Important R2 caveat: Cloudflare’s current R2 S3 compatibility docs say 
ACLs and object-tagging APIs are not implemented, so the app stores tags 
and permission labels locally in SQLite while keeping file bytes on R2. 
I used Cloudflare’s official docs for S3 compatibility, presigned URLs, 
and CORS.
This commit is contained in:
Ty Clifford
2026-06-20 13:57:21 -04:00
parent 1c7f697913
commit 3518555d1e
29 changed files with 3598 additions and 1 deletions
+523
View File
@@ -0,0 +1,523 @@
<?php
declare(strict_types=1);
namespace R2Manager\R2;
use R2Manager\Support\Config;
final class R2Client
{
private string $accountId;
private string $accessKeyId;
private string $secretAccessKey;
private string $bucket;
private string $region;
private string $endpoint;
private bool $pathStyle;
public function __construct(private readonly Config $config)
{
$this->accountId = trim((string) $config->get('R2_ACCOUNT_ID', ''));
$this->accessKeyId = trim((string) $config->get('R2_ACCESS_KEY_ID', ''));
$this->secretAccessKey = trim((string) $config->get('R2_SECRET_ACCESS_KEY', ''));
$this->bucket = trim((string) $config->get('R2_BUCKET', ''));
$this->region = trim((string) $config->get('R2_REGION', 'auto'));
$this->endpoint = rtrim((string) $config->get('R2_ENDPOINT', ''), '/');
$this->pathStyle = $config->bool('R2_PATH_STYLE', true);
if ($this->endpoint === '' && $this->accountId !== '') {
$this->endpoint = 'https://' . $this->accountId . '.r2.cloudflarestorage.com';
}
}
public function isConfigured(): bool
{
return $this->accountId !== ''
&& $this->accessKeyId !== ''
&& $this->secretAccessKey !== ''
&& $this->bucket !== ''
&& $this->endpoint !== '';
}
public function bucket(): string
{
return $this->bucket;
}
/**
* @return array{objects: list<array<string, string|int|null>>, prefixes: list<string>, truncated: bool, next_token: ?string}
*/
public function listObjectsV2(string $prefix = '', ?string $continuationToken = null, int $maxKeys = 1000): array
{
$query = [
'list-type' => '2',
'max-keys' => (string) max(1, min(1000, $maxKeys)),
];
if ($prefix !== '') {
$query['prefix'] = $prefix;
}
if ($continuationToken !== null && $continuationToken !== '') {
$query['continuation-token'] = $continuationToken;
}
$response = $this->request('GET', '', $query);
$xml = $this->xml($response->body);
$root = $this->xmlChildren($xml);
$objects = [];
foreach ($root->Contents ?? [] as $content) {
$contentNode = $this->xmlChildren($content);
$objects[] = [
'key' => (string) $contentNode->Key,
'last_modified' => (string) $contentNode->LastModified,
'etag' => trim((string) $contentNode->ETag, '"'),
'size' => (int) $contentNode->Size,
'storage_class' => isset($contentNode->StorageClass) ? (string) $contentNode->StorageClass : null,
];
}
$prefixes = [];
foreach ($root->CommonPrefixes ?? [] as $commonPrefix) {
$prefixNode = $this->xmlChildren($commonPrefix);
$prefixes[] = (string) $prefixNode->Prefix;
}
return [
'objects' => $objects,
'prefixes' => $prefixes,
'truncated' => strtolower((string) ($root->IsTruncated ?? 'false')) === 'true',
'next_token' => isset($root->NextContinuationToken) ? (string) $root->NextContinuationToken : null,
];
}
/**
* @return array<string, string|int|null>
*/
public function headObject(string $key): array
{
$response = $this->request('HEAD', $key);
return [
'key' => $key,
'etag' => trim((string) $response->header('etag', ''), '"'),
'size' => (int) ($response->header('content-length', '0') ?? 0),
'content_type' => $response->header('content-type'),
'last_modified' => $this->normalizeHttpDate($response->header('last-modified')),
'storage_class' => $response->header('x-amz-storage-class'),
];
}
public function getObject(string $key): R2Response
{
return $this->request('GET', $key);
}
/**
* @param array<string, string> $metadata
*/
public function putObject(string $key, string $body, string $contentType = 'application/octet-stream', array $metadata = []): R2Response
{
$headers = ['Content-Type' => $contentType];
foreach ($metadata as $name => $value) {
$headers['x-amz-meta-' . strtolower($name)] = $value;
}
return $this->request('PUT', $key, [], $headers, $body);
}
public function deleteObject(string $key): R2Response
{
return $this->request('DELETE', $key);
}
public function copyObject(string $sourceKey, string $destinationKey, ?string $contentType = null): R2Response
{
$headers = [
'x-amz-copy-source' => '/' . $this->bucket . '/' . $this->encodeKey($sourceKey),
];
if ($contentType !== null && $contentType !== '') {
$headers['Content-Type'] = $contentType;
$headers['x-amz-metadata-directive'] = 'REPLACE';
}
return $this->request('PUT', $destinationKey, [], $headers);
}
public function getBucketCors(): ?string
{
try {
return $this->request('GET', '', ['cors' => ''])->body;
} catch (R2Exception $exception) {
if ($exception->statusCode() === 404) {
return null;
}
throw $exception;
}
}
public function putBucketCorsJson(string $json): R2Response
{
$rules = json_decode($json, true);
if (!is_array($rules)) {
throw new R2Exception('CORS JSON must be an array of rules.');
}
$xml = $this->corsJsonToXml($rules);
return $this->request('PUT', '', ['cors' => ''], ['Content-Type' => 'application/xml'], $xml);
}
public function deleteBucketCors(): R2Response
{
return $this->request('DELETE', '', ['cors' => '']);
}
/**
* @param array<string, string> $headers
*/
public function presign(string $method, string $key, int $expires, array $headers = []): string
{
$this->assertConfigured();
$method = strtoupper($method);
$expires = max(1, min(604800, $expires));
$now = new \DateTimeImmutable('now', new \DateTimeZone('UTC'));
$amzDate = $now->format('Ymd\THis\Z');
$dateStamp = $now->format('Ymd');
$urlParts = $this->urlParts($key);
$headers = $this->normalizeHeaders($headers);
$headers['host'] = $urlParts['host'];
ksort($headers);
$credentialScope = $dateStamp . '/' . $this->region . '/s3/aws4_request';
$signedHeaders = implode(';', array_keys($headers));
$query = [
'X-Amz-Algorithm' => 'AWS4-HMAC-SHA256',
'X-Amz-Credential' => $this->accessKeyId . '/' . $credentialScope,
'X-Amz-Date' => $amzDate,
'X-Amz-Expires' => (string) $expires,
'X-Amz-SignedHeaders' => $signedHeaders,
];
$canonicalRequest = implode("\n", [
$method,
$urlParts['path'],
$this->canonicalQueryString($query),
$this->canonicalHeaders($headers),
$signedHeaders,
'UNSIGNED-PAYLOAD',
]);
$stringToSign = implode("\n", [
'AWS4-HMAC-SHA256',
$amzDate,
$credentialScope,
hash('sha256', $canonicalRequest),
]);
$query['X-Amz-Signature'] = hash_hmac('sha256', $stringToSign, $this->signingKey($dateStamp));
return $urlParts['base'] . $urlParts['path'] . '?' . $this->canonicalQueryString($query);
}
/**
* @param array<string, string> $query
* @param array<string, string> $headers
*/
private function request(string $method, string $key = '', array $query = [], array $headers = [], string $body = ''): R2Response
{
$this->assertConfigured();
if (!function_exists('curl_init')) {
throw new R2Exception('The PHP curl extension is required to talk to R2.');
}
$method = strtoupper($method);
$now = new \DateTimeImmutable('now', new \DateTimeZone('UTC'));
$amzDate = $now->format('Ymd\THis\Z');
$dateStamp = $now->format('Ymd');
$payloadHash = hash('sha256', $body);
$urlParts = $this->urlParts($key);
$headers = $this->normalizeHeaders($headers);
$headers['host'] = $urlParts['host'];
$headers['x-amz-content-sha256'] = $payloadHash;
$headers['x-amz-date'] = $amzDate;
ksort($headers);
$signedHeaders = implode(';', array_keys($headers));
$credentialScope = $dateStamp . '/' . $this->region . '/s3/aws4_request';
$canonicalRequest = implode("\n", [
$method,
$urlParts['path'],
$this->canonicalQueryString($query),
$this->canonicalHeaders($headers),
$signedHeaders,
$payloadHash,
]);
$stringToSign = implode("\n", [
'AWS4-HMAC-SHA256',
$amzDate,
$credentialScope,
hash('sha256', $canonicalRequest),
]);
$signature = hash_hmac('sha256', $stringToSign, $this->signingKey($dateStamp));
$headers['authorization'] = 'AWS4-HMAC-SHA256 Credential=' . $this->accessKeyId . '/' . $credentialScope
. ', SignedHeaders=' . $signedHeaders
. ', Signature=' . $signature;
$url = $urlParts['base'] . $urlParts['path'];
$queryString = $this->canonicalQueryString($query);
if ($queryString !== '') {
$url .= '?' . $queryString;
}
$responseHeaders = [];
$curlHeaders = [];
foreach ($headers as $name => $value) {
$curlHeaders[] = $name . ': ' . $value;
}
$handle = curl_init($url);
curl_setopt_array($handle, [
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_HTTPHEADER => $curlHeaders,
CURLOPT_HEADERFUNCTION => static function ($curl, string $line) use (&$responseHeaders): int {
$length = strlen($line);
$line = trim($line);
if ($line === '' || str_contains($line, 'HTTP/')) {
return $length;
}
$position = strpos($line, ':');
if ($position !== false) {
$name = strtolower(trim(substr($line, 0, $position)));
$responseHeaders[$name] = trim(substr($line, $position + 1));
}
return $length;
},
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CONNECTTIMEOUT => 15,
CURLOPT_TIMEOUT => 300,
CURLOPT_FOLLOWLOCATION => false,
]);
if ($method === 'HEAD') {
curl_setopt($handle, CURLOPT_NOBODY, true);
} elseif ($body !== '' || in_array($method, ['PUT', 'POST'], true)) {
curl_setopt($handle, CURLOPT_POSTFIELDS, $body);
}
$rawBody = curl_exec($handle);
if ($rawBody === false) {
$error = curl_error($handle);
curl_close($handle);
throw new R2Exception('R2 request failed: ' . $error);
}
$status = (int) curl_getinfo($handle, CURLINFO_RESPONSE_CODE);
curl_close($handle);
$response = new R2Response($status, $responseHeaders, (string) $rawBody);
if ($status < 200 || $status >= 300) {
throw new R2Exception($this->errorMessage($response), $status, $response->body);
}
return $response;
}
private function assertConfigured(): void
{
if (!$this->isConfigured()) {
throw new R2Exception('R2 is not configured. Add your account ID, access keys, and bucket to .env.');
}
}
/**
* @return array{base: string, host: string, path: string}
*/
private function urlParts(string $key): array
{
$parts = parse_url($this->endpoint);
$scheme = $parts['scheme'] ?? 'https';
$host = $parts['host'] ?? '';
$port = isset($parts['port']) ? ':' . $parts['port'] : '';
if ($host === '') {
throw new R2Exception('R2_ENDPOINT must include a hostname.');
}
if (!$this->pathStyle) {
$host = $this->bucket . '.' . $host;
$path = '/' . $this->encodeKey($key);
if ($path === '/') {
$path = '/';
}
} else {
$path = '/' . rawurlencode($this->bucket);
if ($key !== '') {
$path .= '/' . $this->encodeKey($key);
}
}
return [
'base' => $scheme . '://' . $host . $port,
'host' => $host . $port,
'path' => $path,
];
}
private function encodeKey(string $key): string
{
if ($key === '') {
return '';
}
return implode('/', array_map('rawurlencode', explode('/', $key)));
}
/**
* @param array<string, string> $query
*/
private function canonicalQueryString(array $query): string
{
$pairs = [];
foreach ($query as $name => $value) {
$pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
}
usort($pairs, static fn (array $a, array $b): int => $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]));
return implode('&', array_map(static fn (array $pair): string => $pair[0] . '=' . $pair[1], $pairs));
}
/**
* @param array<string, string> $headers
* @return array<string, string>
*/
private function normalizeHeaders(array $headers): array
{
$normalized = [];
foreach ($headers as $name => $value) {
$normalized[strtolower(trim((string) $name))] = trim(preg_replace('/\s+/', ' ', (string) $value) ?? '');
}
return array_filter($normalized, static fn (string $value): bool => $value !== '');
}
/**
* @param array<string, string> $headers
*/
private function canonicalHeaders(array $headers): string
{
ksort($headers);
$lines = [];
foreach ($headers as $name => $value) {
$lines[] = strtolower($name) . ':' . trim($value);
}
return implode("\n", $lines) . "\n";
}
private function signingKey(string $dateStamp): string
{
$dateKey = hash_hmac('sha256', $dateStamp, 'AWS4' . $this->secretAccessKey, true);
$dateRegionKey = hash_hmac('sha256', $this->region, $dateKey, true);
$dateRegionServiceKey = hash_hmac('sha256', 's3', $dateRegionKey, true);
return hash_hmac('sha256', 'aws4_request', $dateRegionServiceKey, true);
}
private function xml(string $body): \SimpleXMLElement
{
if (!function_exists('simplexml_load_string')) {
throw new R2Exception('The PHP SimpleXML extension is required to parse R2 responses.');
}
$xml = @simplexml_load_string($body);
if (!$xml instanceof \SimpleXMLElement) {
throw new R2Exception('R2 returned invalid XML.');
}
return $xml;
}
/**
* @param array<int, mixed> $rules
*/
private function corsJsonToXml(array $rules): string
{
if (!class_exists(\SimpleXMLElement::class)) {
throw new R2Exception('The PHP SimpleXML extension is required to write CORS XML.');
}
$xml = new \SimpleXMLElement('<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"/>');
foreach ($rules as $rule) {
if (!is_array($rule)) {
continue;
}
$corsRule = $xml->addChild('CORSRule');
foreach ((array) ($rule['AllowedOrigins'] ?? []) as $origin) {
$corsRule->addChild('AllowedOrigin', htmlspecialchars((string) $origin, ENT_XML1));
}
foreach ((array) ($rule['AllowedMethods'] ?? []) as $method) {
$corsRule->addChild('AllowedMethod', htmlspecialchars(strtoupper((string) $method), ENT_XML1));
}
foreach ((array) ($rule['AllowedHeaders'] ?? []) as $header) {
$corsRule->addChild('AllowedHeader', htmlspecialchars((string) $header, ENT_XML1));
}
foreach ((array) ($rule['ExposeHeaders'] ?? []) as $header) {
$corsRule->addChild('ExposeHeader', htmlspecialchars((string) $header, ENT_XML1));
}
if (isset($rule['MaxAgeSeconds']) && is_numeric($rule['MaxAgeSeconds'])) {
$corsRule->addChild('MaxAgeSeconds', (string) (int) $rule['MaxAgeSeconds']);
}
}
return $xml->asXML() ?: '';
}
private function normalizeHttpDate(?string $date): ?string
{
if ($date === null || $date === '') {
return null;
}
$timestamp = strtotime($date);
return $timestamp === false ? null : gmdate('c', $timestamp);
}
private function errorMessage(R2Response $response): string
{
$body = trim($response->body);
if ($body === '') {
return 'R2 returned HTTP ' . $response->status . '.';
}
if (function_exists('simplexml_load_string')) {
$xml = @simplexml_load_string($body);
if ($xml instanceof \SimpleXMLElement) {
$root = $this->xmlChildren($xml);
if (isset($root->Message)) {
return 'R2 returned HTTP ' . $response->status . ': ' . (string) $root->Message;
}
}
}
return 'R2 returned HTTP ' . $response->status . ': ' . substr($body, 0, 500);
}
private function xmlChildren(\SimpleXMLElement $xml): \SimpleXMLElement
{
$namespace = $xml->getDocNamespaces(true)[''] ?? null;
return $namespace ? $xml->children($namespace) : $xml;
}
}
+29
View File
@@ -0,0 +1,29 @@
<?php
declare(strict_types=1);
namespace R2Manager\R2;
use RuntimeException;
final class R2Exception extends RuntimeException
{
public function __construct(
string $message,
private readonly int $statusCode = 0,
private readonly string $responseBody = ''
) {
parent::__construct($message, $statusCode);
}
public function statusCode(): int
{
return $this->statusCode;
}
public function responseBody(): string
{
return $this->responseBody;
}
}
+24
View File
@@ -0,0 +1,24 @@
<?php
declare(strict_types=1);
namespace R2Manager\R2;
final class R2Response
{
/**
* @param array<string, string> $headers
*/
public function __construct(
public readonly int $status,
public readonly array $headers,
public readonly string $body
) {
}
public function header(string $name, ?string $default = null): ?string
{
return $this->headers[strtolower($name)] ?? $default;
}
}