ActiveStorage url should expire after an hour

2019-11-20 16:03:40 +01:00 · 2019-11-20 16:03:40 +01:00 · cccb04d725
commit cccb04d725
parent b5c663e01c
3 changed files with 17 additions and 2 deletions
--- a/app/models/concerns/blob_signed_id_concern.rb
+++ b/app/models/concerns/blob_signed_id_concern.rb
@ -0,0 +1,12 @@
+module BlobSignedIdConcern
+  extend ActiveSupport::Concern
+
+  included do
+    # We override signed_id to add `expires_in` option to generated hash.
+    # This is a measure to ensure that we never under any circumstance
+    # expose permanent attachment url
+    def signed_id
+      ActiveStorage.verifier.generate(id, purpose: :blob_id, expires_in: ActiveStorage::Service.url_expires_in)
+    end
+  end
+end
--- a/app/models/concerns/blob_virus_scanner_concern.rb
+++ b/app/models/concerns/blob_virus_scanner_concern.rb
@ -2,7 +2,7 @@
 # (rather than on blob creation).
 # This will help to avoid cloberring metadata accidentally (as metadata
 # are more stable on attachment creation than on blob creation).
-module BlobVirusScanner
+module BlobVirusScannerConcern
  extend ActiveSupport::Concern

  included do
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@ -6,7 +6,10 @@ ActiveStorage::Service.url_expires_in = 1.hour
 # Rails 6 adds support for `.on_load(:active_storage_attachment)`, which is
 # cleaner (as it allows to enqueue the virus scan on attachment creation, rather
 # than on blob creation).
-ActiveSupport.on_load(:active_storage_blob) { include BlobVirusScanner }
+ActiveSupport.on_load(:active_storage_blob) do
+  include BlobSignedIdConcern
+  include BlobVirusScannerConcern
+end

 # When an OpenStack service is initialized it makes a request to fetch
 # `publicURL` to use for all operations. We intercept the method that reads