ActiveStorage url should expire after an hour

app/models/concerns/blob_signed_id_concern.rb

@@ -0,0 +1,12 @@
+module BlobSignedIdConcern
+  extend ActiveSupport::Concern
+
+  included do
+    # We override signed_id to add `expires_in` option to generated hash.
+    # This is a measure to ensure that we never under any circumstance
+    # expose permanent attachment url
+    def signed_id
+      ActiveStorage.verifier.generate(id, purpose: :blob_id, expires_in: ActiveStorage::Service.url_expires_in)
+    end
+  end
+end

app/models/concerns/blob_virus_scanner_concern.rb

@@ -2,7 +2,7 @@
 # (rather than on blob creation).
 # This will help to avoid cloberring metadata accidentally (as metadata
 # are more stable on attachment creation than on blob creation).
-module BlobVirusScanner
+module BlobVirusScannerConcern
   extend ActiveSupport::Concern
 
   included do

config/initializers/active_storage.rb

@@ -6,7 +6,10 @@ ActiveStorage::Service.url_expires_in = 1.hour
 # Rails 6 adds support for `.on_load(:active_storage_attachment)`, which is
 # cleaner (as it allows to enqueue the virus scan on attachment creation, rather
 # than on blob creation).
-ActiveSupport.on_load(:active_storage_blob) { include BlobVirusScanner }
+ActiveSupport.on_load(:active_storage_blob) do
+  include BlobSignedIdConcern
+  include BlobVirusScannerConcern
+end
 
 # When an OpenStack service is initialized it makes a request to fetch
 # `publicURL` to use for all operations. We intercept the method that reads