Email or username:

Password:

Forgot your password?
All posts Rob Hafner :verified_flashing:'s posts Post Back to profile
Top-level
Elias Mårtenson

@tedivm I'm always baffled when people use random filenames when they make file accessible to trusted users.

S3 already has an API to support signed downloads, and all the application needs to do is to sign a URL which the client can use to access the resource.

I've implemented it from scratch (there was no client library for Common Lisp at the time) and it was trivial. If you have a library, it's literally one function call. There is no excuse for this.

17 Mar 2023 at 6:10 | Wall-to-wall | Open on functional.cafe
3 comments
i am root

@loke @tedivm

If it's trivial and improves security, please put in a pull request. I think the project would welcome it.

They just made other related improvements in 4.1.1, including config/security checks on the object storage and some new documentation around this.

Keep in mind, Mastodon supports a variety of S3-compatible storage (AWS, Cloudflare R2, DigitalOcean Spaces, MinIO, Scaleway, Wasabi). I wouldn't be surprised if some of those are lacking the API for signed downloads.

17 Mar 2023 at 6:45 | Open on puddle.town
Elias Mårtenson

@null @tedivm I've used it with S3 and Wasabi. I don't know if it's unavailable anywhere.

AWS documentation refers to this as presigned URL's: docs.aws.amazon.com/AmazonS3/l

17 Mar 2023 at 7:01 | Open on functional.cafe
Elias Mårtenson

@null @tedivm As for a pull request. It's certainly something I would consider, but given that I don't have any experience working with this codebase, it would probably take me some time.

I'd be happy to work with someone who knows this code though, to help out with making this happen.

17 Mar 2023 at 7:03 | Open on functional.cafe
Go Up