ActiveStorage url should expire after an hour

This commit is contained in:
Paul Chavard 2019-11-20 16:03:40 +01:00
parent b5c663e01c
commit cccb04d725
3 changed files with 17 additions and 2 deletions

View file

@ -0,0 +1,12 @@
module BlobSignedIdConcern
extend ActiveSupport::Concern
included do
# We override signed_id to add `expires_in` option to generated hash.
# This is a measure to ensure that we never under any circumstance
# expose permanent attachment url
def signed_id
ActiveStorage.verifier.generate(id, purpose: :blob_id, expires_in: ActiveStorage::Service.url_expires_in)
end
end
end

View file

@ -2,7 +2,7 @@
# (rather than on blob creation).
# This will help to avoid cloberring metadata accidentally (as metadata
# are more stable on attachment creation than on blob creation).
module BlobVirusScanner
module BlobVirusScannerConcern
extend ActiveSupport::Concern
included do

View file

@ -6,7 +6,10 @@ ActiveStorage::Service.url_expires_in = 1.hour
# Rails 6 adds support for `.on_load(:active_storage_attachment)`, which is
# cleaner (as it allows to enqueue the virus scan on attachment creation, rather
# than on blob creation).
ActiveSupport.on_load(:active_storage_blob) { include BlobVirusScanner }
ActiveSupport.on_load(:active_storage_blob) do
include BlobSignedIdConcern
include BlobVirusScannerConcern
end
# When an OpenStack service is initialized it makes a request to fetch
# `publicURL` to use for all operations. We intercept the method that reads