feat: switch to presigned URLs, remove public-read ACL

- Upload without public-read ACL (private by default)
- Generate 24h presigned GET URL after upload
- Remove S3_PUBLIC_URL env var (no longer needed)

Author: bendersej

agents/.do/app.yaml

@@ -29,9 +29,6 @@ services:
       - key: S3_REGION
         scope: RUN_TIME
         value: nyc3
-      - key: S3_PUBLIC_URL
-        scope: RUN_TIME
-        value: https://agent-pdf.nyc3.cdn.digitaloceanspaces.com
       - key: DEFAULT_EDITOR_HOST
         scope: RUN_TIME
         value: ai.simplepdf.com

agents/src/config.rs

@@ -2,7 +2,6 @@ pub struct Config {
     pub s3_endpoint: String,
     pub s3_bucket: String,
     pub s3_region: String,
-    pub s3_public_url: String,
     pub default_editor_host: String,
     pub rate_limit_per_minute: u32,
     pub trust_proxy: bool,
@@ -14,7 +13,6 @@ impl Config {
             s3_endpoint: env("S3_ENDPOINT"),
             s3_bucket: env("S3_BUCKET"),
             s3_region: env("S3_REGION"),
-            s3_public_url: env("S3_PUBLIC_URL"),
             default_editor_host: env("DEFAULT_EDITOR_HOST"),
             rate_limit_per_minute: env("RATE_LIMIT_PER_MIN")
                 .parse()

agents/src/routes.rs

@@ -142,7 +142,7 @@ async fn handle_post(
         let result = state.storage.upload(pdf_bytes).await?;
 
         Ok(Json(AgentResponse::new(
-            &result.public_url,
+            &result.presigned_url,
             &editor_base,
             company_identifier,
         )))

agents/src/storage.rs

@@ -1,18 +1,21 @@
+use aws_sdk_s3::presigning::PresigningConfig;
 use aws_sdk_s3::primitives::ByteStream;
 use aws_sdk_s3::Client;
+use std::time::Duration;
 use uuid::Uuid;
 
 use crate::config::Config;
 use crate::error::AppError;
 
+const PRESIGN_EXPIRY: Duration = Duration::from_secs(24 * 60 * 60);
+
 pub struct Storage {
     client: Client,
     bucket: String,
-    public_url: String,
 }
 
 pub struct UploadResult {
-    pub public_url: String,
+    pub presigned_url: String,
 }
 
 impl Storage {
@@ -36,7 +39,6 @@ impl Storage {
         Self {
             client: Client::from_conf(s3_config),
             bucket: config.s3_bucket.clone(),
-            public_url: config.s3_public_url.clone(),
         }
     }
 
@@ -55,13 +57,24 @@ impl Storage {
             .body(ByteStream::from(bytes))
             .content_type("application/pdf")
             .content_disposition("attachment")
-            .acl(aws_sdk_s3::types::ObjectCannedAcl::PublicRead)
             .send()
             .await
             .map_err(|e| AppError::StorageFailed(e.to_string()))?;
 
-        let public_url = format!("{}/{key}", self.public_url);
+        let presign_config = PresigningConfig::expires_in(PRESIGN_EXPIRY)
+            .map_err(|e| AppError::StorageFailed(e.to_string()))?;
+
+        let presigned_url = self
+            .client
+            .get_object()
+            .bucket(&self.bucket)
+            .key(&key)
+            .presigned(presign_config)
+            .await
+            .map_err(|e| AppError::StorageFailed(e.to_string()))?
+            .uri()
+            .to_string();
 
-        Ok(UploadResult { public_url })
+        Ok(UploadResult { presigned_url })
     }
 }