@sheogorath @gargron One solution to this is "presigned URLs".
The general idea is that the app is authorized to ask S3 for signed URLs (which are only valid for a given object for a given amount of time).
This moves the authentication process to the app, so the app has to do the check "Was this image actually uploaded by the user that is currently logged in? Oh yes it was, let's ask S3 for a presigned URL then, which I can pass on to the user".
@sheogorath It'll be great to have this in CodiMD btw 😇
I'm not an AWS user since their payment requirements don't fit mine :x
I may provide some untested code you can go for, if you want. The changes to make, according to the documentation, are trivial.
@sheogorath Since I want to self-host things, I don't use AWS either, but Minio. (S3 has grown to some unofficial standard for object storage, one might argue.)
But yeah, if you happen to come around to doing that, it'll be greatly appreciated :)
@Nuntius Coming back to this after more than a month. (And yes, I had to scroll a lot!)
I thought in more detail about adding presigned URLs in CodiMD. Turns out it's a bad idea. Uploads are proxied through CodiMD anyway, and links persist in notes until the note itself is deleted or changes, which means presigned URLs have no benefit besides expiring and this way breaking notes. So not really interesting from a CodiMD perspective. Any other thoughts on that?
@sheogorath Fair, one would need to keep updating the notes as well, which adds complexity.
For private notes with images you don't want to be seen, maybe just hope that the image object's URL is random enough to not be guessed (until there's a more viable option) 🤷‍♂️