From df4cda8a1b966520a0d3f7a1bae6e254445d9485 Mon Sep 17 00:00:00 2001 From: Mythie Date: Tue, 31 Oct 2023 12:19:16 +1100 Subject: [PATCH] feat: support cloudfront presign --- package-lock.json | 60 +++++++++++-------- packages/lib/package.json | 1 + .../lib/universal/upload/server-actions.ts | 23 +++++-- packages/tsconfig/process-env.d.ts | 3 + turbo.json | 3 + 5 files changed, 62 insertions(+), 28 deletions(-) diff --git a/package-lock.json b/package-lock.json index a6b598907..21e0ef3e6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -423,6 +423,17 @@ "node": ">=14.0.0" } }, + "node_modules/@aws-sdk/cloudfront-signer": { + "version": "3.433.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/cloudfront-signer/-/cloudfront-signer-3.433.0.tgz", + "integrity": "sha512-I86TTLVSAFb0nMVPWxNipVwkmf0dw0FEchoA1sJx5j9YPyBhc0gzg3Af1Qkzzty+Pkwwc+CtPbqHkYxbXI1tFg==", + "dependencies": { + "@smithy/url-parser": "^2.0.12" + }, + "engines": { + "node": ">=14.0.0" + } + }, "node_modules/@aws-sdk/credential-provider-env": { "version": "3.428.0", "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.428.0.tgz", @@ -1659,7 +1670,7 @@ "version": "0.8.1", "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz", "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==", - "dev": true, + "devOptional": true, "dependencies": { "@jridgewell/trace-mapping": "0.3.9" }, 
@@ -5730,11 +5741,11 @@ } }, "node_modules/@smithy/querystring-parser": { - "version": "2.0.11", - "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-2.0.11.tgz", - "integrity": "sha512-YXe7jhi7s3dQ0Fu9dLoY/gLu6NCyy8tBWJL/v2c9i7/RLpHgKT+uT96/OqZkHizCJ4kr0ZD46tzMjql/o60KLg==", + "version": "2.0.12", + "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-2.0.12.tgz", + "integrity": "sha512-fytyTcXaMzPBuNtPlhj5v6dbl4bJAnwKZFyyItAGt4Tgm9HFPZNo7a9r1SKPr/qdxUEBzvL9Rh+B9SkTX3kFxg==", "dependencies": { - "@smithy/types": "^2.3.5", + "@smithy/types": "^2.4.0", "tslib": "^2.5.0" }, "engines": { @@ -5797,9 +5808,9 @@ } }, "node_modules/@smithy/types": { - "version": "2.3.5", - "resolved": "https://registry.npmjs.org/@smithy/types/-/types-2.3.5.tgz", - "integrity": "sha512-ehyDt8M9hehyxrLQGoA1BGPou8Js1Ocoh5M0ngDhJMqbFmNK5N6Xhr9/ZExWkyIW8XcGkiMPq3ZUEE0ScrhbuQ==", + "version": "2.4.0", + "resolved": "https://registry.npmjs.org/@smithy/types/-/types-2.4.0.tgz", + "integrity": "sha512-iH1Xz68FWlmBJ9vvYeHifVMWJf82ONx+OybPW8ZGf5wnEv2S0UXcU4zwlwJkRXuLKpcSLHrraHbn2ucdVXLb4g==", "dependencies": { "tslib": "^2.5.0" }, @@ -5808,12 +5819,12 @@ } }, "node_modules/@smithy/url-parser": { - "version": "2.0.11", - "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-2.0.11.tgz", - "integrity": "sha512-h89yXMCCF+S5k9XIoKltMIWTYj+FcEkU/IIFZ6RtE222fskOTL4Iak6ZRG+ehSvZDt8yKEcxqheTDq7JvvtK3g==", + "version": "2.0.12", + "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-2.0.12.tgz", + "integrity": "sha512-qgkW2mZqRvlNUcBkxYB/gYacRaAdck77Dk3/g2iw0S9F0EYthIS3loGfly8AwoWpIvHKhkTsCXXQfzksgZ4zIA==", "dependencies": { - "@smithy/querystring-parser": "^2.0.11", - "@smithy/types": "^2.3.5", + "@smithy/querystring-parser": "^2.0.12", + "@smithy/types": "^2.4.0", "tslib": "^2.5.0" } }, 
@@ -6162,25 +6173,25 @@ "version": "1.0.9", "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.9.tgz", "integrity": "sha512-jNsYVVxU8v5g43Erja32laIDHXeoNvFEpX33OK4d6hljo3jDhCBDhx5dhCCTMWUojscpAagGiRkBKxpdl9fxqA==", - "dev": true + "devOptional": true }, "node_modules/@tsconfig/node12": { "version": "1.0.11", "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.11.tgz", "integrity": "sha512-cqefuRsh12pWyGsIoBKJA9luFu3mRxCA+ORZvA4ktLSzIuCUtWVxGIuXigEwO5/ywWFMZ2QEGKWvkZG1zDMTag==", - "dev": true + "devOptional": true }, "node_modules/@tsconfig/node14": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.3.tgz", "integrity": "sha512-ysT8mhdixWK6Hw3i1V2AeRqZ5WfXg1G43mqoYlM2nc6388Fq5jcXyr5mRsqViLx/GJYdoL0bfXD8nmF+Zn/Iow==", - "dev": true + "devOptional": true }, "node_modules/@tsconfig/node16": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.4.tgz", "integrity": "sha512-vxhUy4J8lyeyinH7Azl1pdd43GJhZH/tP2weN8TntQblOY+A0XbT8DJk1/oCPuOOyg/Ja757rG0CgHcWC8OfMA==", - "dev": true + "devOptional": true }, "node_modules/@types/acorn": { "version": "4.0.6", @@ -6383,7 +6394,7 @@ "version": "18.2.7", "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-18.2.7.tgz", "integrity": "sha512-GRaAEriuT4zp9N4p1i8BDBYmEyfo+xQ3yHjJU4eiK5NDa1RmUZG+unZABUTK4/Ox/M+GaHwb6Ow8rUITrtjszA==", - "dev": true, + "devOptional": true, "dependencies": { "@types/react": "*" } @@ -6582,7 +6593,7 @@ "version": "8.2.0", "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.2.0.tgz", "integrity": "sha512-k+iyHEuPgSw6SbuDpGQM+06HQUa04DZ3o+F6CSzXMvvI5KMvnaEqXe+YVe555R9nn6GPt404fos4wcgpw12SDA==", - "dev": true, + "devOptional": true, "engines": { "node": ">=0.4.0" } 
@@ -8265,7 +8276,7 @@ "version": "1.1.1", "resolved": "https://registry.npmjs.org/create-require/-/create-require-1.1.1.tgz", "integrity": "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==", - "dev": true + "devOptional": true }, "node_modules/cross-spawn": { "version": "7.0.3", @@ -12606,7 +12617,7 @@ "version": "1.3.6", "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", - "dev": true + "devOptional": true }, "node_modules/make-event-props": { "version": "1.6.1", @@ -17935,7 +17946,7 @@ "version": "10.9.1", "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.1.tgz", "integrity": "sha512-NtVysVPkxxrwFGUUxGYhfux8k78pQB3JqYBXlLRZgdGUqTO5wU/UyHop5p70iEbGhB7q5KmiZiU0Y3KlJrScEw==", - "dev": true, + "devOptional": true, "dependencies": { "@cspotcode/source-map-support": "^0.8.0", "@tsconfig/node10": "^1.0.7", @@ -18819,7 +18830,7 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz", "integrity": "sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==", - "dev": true + "devOptional": true }, "node_modules/validate-npm-package-license": { "version": "3.0.4", @@ -19329,7 +19340,7 @@ "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", - "dev": true, + "devOptional": true, "engines": { "node": ">=6" } @@ -19784,6 +19795,7 @@ "license": "MIT", "dependencies": { "@aws-sdk/client-s3": "^3.410.0", + "@aws-sdk/cloudfront-signer": "^3.410.0", "@aws-sdk/s3-request-presigner": "^3.410.0", "@aws-sdk/signature-v4-crt": "^3.410.0", "@documenso/email": "*", 
diff --git a/packages/lib/package.json b/packages/lib/package.json index 9693df79e..0b34caa48 100644 --- a/packages/lib/package.json +++ b/packages/lib/package.json @@ -15,6 +15,7 @@ }, "dependencies": { "@aws-sdk/client-s3": "^3.410.0", + "@aws-sdk/cloudfront-signer": "^3.410.0", "@aws-sdk/s3-request-presigner": "^3.410.0", "@aws-sdk/signature-v4-crt": "^3.410.0", "@documenso/email": "*", diff --git a/packages/lib/universal/upload/server-actions.ts b/packages/lib/universal/upload/server-actions.ts index 4343c21af..d64b8bb88 100644 --- a/packages/lib/universal/upload/server-actions.ts +++ b/packages/lib/universal/upload/server-actions.ts @@ -45,14 +45,14 @@ export const getPresignPostUrl = async (fileName: string, contentType: string) = export const getAbsolutePresignPostUrl = async (key: string) => { const client = getS3Client(); - const { getSignedUrl } = await import('@aws-sdk/s3-request-presigner'); + const { getSignedUrl: getS3SignedUrl } = await import('@aws-sdk/s3-request-presigner'); const putObjectCommand = new PutObjectCommand({ Bucket: process.env.NEXT_PRIVATE_UPLOAD_BUCKET, Key: key, }); - const url = await getSignedUrl(client, putObjectCommand, { + const url = await getS3SignedUrl(client, putObjectCommand, { expiresIn: ONE_HOUR / ONE_SECOND, }); 
@@ -60,16 +60,31 @@ export const getAbsolutePresignPostUrl = async (key: string) => { }; export const getPresignGetUrl = async (key: string) => { + if (process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN) { + const distributionUrl = `${process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID}/${key}`; + + const { getSignedUrl: getCloudfrontSignedUrl } = await import('@aws-sdk/cloudfront-signer'); + + const url = getCloudfrontSignedUrl({ + url: distributionUrl, + keyPairId: `${process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID}`, + privateKey: `${process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_CONTENTS}`, + dateLessThan: new Date(Date.now() + ONE_HOUR).toISOString(), + }); + + return { key, url }; + } + const client = getS3Client(); - const { getSignedUrl } = await import('@aws-sdk/s3-request-presigner'); + const { getSignedUrl: getS3SignedUrl } = await import('@aws-sdk/s3-request-presigner'); const getObjectCommand = new GetObjectCommand({ Bucket: process.env.NEXT_PRIVATE_UPLOAD_BUCKET, Key: key, }); - const url = await getSignedUrl(client, getObjectCommand, { + const url = await getS3SignedUrl(client, getObjectCommand, { expiresIn: ONE_HOUR / ONE_SECOND, }); diff --git a/packages/tsconfig/process-env.d.ts b/packages/tsconfig/process-env.d.ts index aec4f1d89..491b84012 100644 --- a/packages/tsconfig/process-env.d.ts +++ b/packages/tsconfig/process-env.d.ts @@ -21,6 +21,9 @@ declare namespace NodeJS { NEXT_PRIVATE_UPLOAD_BUCKET?: string; NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID?: string; NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY?: string; + NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN?: string; + NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID?: string; + NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_CONTENTS?: string; NEXT_PRIVATE_SIGNING_TRANSPORT?: 'local' | 'http' | 'gcloud-hsm'; NEXT_PRIVATE_SIGNING_PASSPHRASE?: string; diff --git a/turbo.json b/turbo.json index 883bf9846..04aa4d5c3 100644 --- a/turbo.json +++ b/turbo.json 
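Review bot: In the new CloudFront branch of `getPresignGetUrl`, `distributionUrl` is built from `NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID` instead of `NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN`, so the URL that gets signed starts with the key-pair id rather than the distribution host. The branch is also gated on the domain variable alone, while the key id and private key go through template literals, so an unset variable reaches the signer as the literal string "undefined" instead of failing with a clear configuration error. I would read all three variables once, throw if the key id or key contents are missing (naming only the variables, never their values), and build the URL from the domain. `key` is interpolated into the URL unencoded, which looks worth confirming against how keys are generated. The S3 fallback and the function's closing lines continue outside this hunk.

```typescript
export const getPresignGetUrl = async (key: string) => {
  const distributionDomain = process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN;

  if (distributionDomain) {
    const keyPairId = process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID;
    const privateKey = process.env.NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_CONTENTS;

    if (!keyPairId || !privateKey) {
      throw new Error(
        'NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID and NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_CONTENTS must be set when NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN is configured',
      );
    }

    // NOTE(review): assumes the domain value includes its scheme (https://...) - confirm
    const distributionUrl = `${distributionDomain}/${key}`;

    // … unchanged: dynamic import of @aws-sdk/cloudfront-signer …

    const url = getCloudfrontSignedUrl({
      url: distributionUrl,
      keyPairId,
      privateKey,
      dateLessThan: new Date(Date.now() + ONE_HOUR).toISOString(),
    });

    // … unchanged: return { key, url } …
  }

  // … unchanged: S3 presigned GET fallback …
```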
@@ -56,6 +56,9 @@ "NEXT_PRIVATE_UPLOAD_BUCKET", "NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID", "NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY", + "NEXT_PRIVATE_UPLOAD_DISTRIBUTION_DOMAIN", + "NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_ID", + "NEXT_PRIVATE_UPLOAD_DISTRIBUTION_KEY_CONTENTS", "NEXT_PRIVATE_SIGNING_TRANSPORT", "NEXT_PRIVATE_SIGNING_PASSPHRASE", "NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH",