
PM-5487 showcase media security #28

Open

vas3a wants to merge 3 commits into dev from PM-5487_showcase-media-security

Conversation

@vas3a vas3a commented Jul 1, 2026


This pull request introduces support for serving project showcase media through private S3 buckets using CloudFront Signed URLs. It adds the necessary dependencies, configuration, documentation, and code changes to generate and serve signed CloudFront URLs for media assets. Additionally, it updates tests and environment files to reflect the new setup.

CloudFront Signed URL Integration for Project Showcase Media:

1. Feature Implementation

  • The backend now uses CloudFront Signed URLs for serving project showcase media. The signCloudFrontUrl utility is called when returning media URLs, ensuring that only signed requests can access protected S3 content. (src/api/project-showcase-post/project-showcase-post.service.ts)

2. Configuration Updates

  • New environment variables are introduced for CloudFront key pair ID, private key, and public key, with corresponding fields added to the application config. (.env.example, src/shared/config/app.config.ts)

3. Dependency Management

  • Adds @aws-sdk/cloudfront-signer and its dependencies to package.json and pnpm-lock.yaml for generating signed URLs. (package.json, pnpm-lock.yaml)

4. Documentation

  • Adds a comprehensive guide for setting up CloudFront Signed URLs and private S3 buckets, including AWS configuration, key management, and security best practices. (docs/projects-showcase-media.md, lines 1-273)

5. Tests and Minor Cleanups

  • Updates tests to mock the CloudFront signing utility and validate that returned media URLs are signed. Also includes minor test improvements (e.g., using BigInt for IDs, clearing mocks). (src/api/project-showcase-post/project-showcase-post.service.spec.ts)
  • Removes unused code for setting the default Postgres schema in the startup script. (appStartUp.sh, lines 6-13)

These changes collectively enable secure, signed delivery of project showcase media through CloudFront, improving both security and scalability.

@vas3a vas3a requested review from Copilot, jmgasper and kkartunov July 1, 2026 14:12
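The signing step this PR wires into the media responses, shown as an added example that is neither the PR's own `signCloudFrontUrl` nor the `@aws-sdk/cloudfront-signer` API: it builds a CloudFront canned policy, signs it with RSA-SHA1 under the key pair ID and private key the configuration supplies, restores a PEM that arrives from an env file with literal `\n` escapes, fails closed when key material is missing, and includes the edge-side check so the output can be verified offline. The `CloudFrontSigningConfig` field names, `testKeyPair` and every sample value are assumptions of this example.

```typescript
import { createSign, createVerify, generateKeyPairSync } from "node:crypto";

// Assumed config shape: the same three inputs the PR reads from the environment
// (key pair id, private key PEM, expiry), under field names chosen for this example.
export interface CloudFrontSigningConfig { keyPairId: string; privateKeyPem: string; ttlSeconds: number }
// Env files often carry the PEM on one line with literal "\n" sequences and quotes;
// restore real newlines so the key parses.
export function normalizePem(raw: string): string {
  return raw.trim().replace(/^"|"$/g, "").replace(/\\n/g, "\n").trim() + "\n";
}
// CloudFront canned policy: exactly one resource and one expiry, no whitespace.
export function cannedPolicy(resourceUrl: string, expiresEpoch: number): string {
  return JSON.stringify({ Statement: [{ Resource: resourceUrl,
    Condition: { DateLessThan: { "AWS:EpochTime": expiresEpoch } } }] });
}
// CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'.
export function toCloudFrontBase64(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/=/g, "_").replace(/\//g, "~");
}
export function fromCloudFrontBase64(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "=").replace(/~/g, "/"), "base64");
}
// Fail closed: missing key material throws rather than returning the unsigned URL.
export function signCloudFrontUrl(resourceUrl: string, cfg: CloudFrontSigningConfig, nowEpoch: number): string {
  if (!cfg.keyPairId || !cfg.privateKeyPem) throw new Error("CloudFront signing is not configured");
  const expires = nowEpoch + cfg.ttlSeconds;
  const signer = createSign("RSA-SHA1"); // canned policies are signed with SHA1withRSA
  signer.update(cannedPolicy(resourceUrl, expires));
  const sig = toCloudFrontBase64(signer.sign(normalizePem(cfg.privateKeyPem)));
  const sep = resourceUrl.includes("?") ? "&" : "?";
  return `${resourceUrl}${sep}Expires=${expires}&Signature=${sig}&Key-Pair-Id=${encodeURIComponent(cfg.keyPairId)}`;
}
// What the edge does: rebuild the policy for the requested resource, check the
// signature with the trusted public key, and reject anything past its expiry.
export function verifySignedUrl(resourceUrl: string, signedUrl: string, publicKeyPem: string, nowEpoch: number): boolean {
  const params = new URLSearchParams(signedUrl.slice(signedUrl.indexOf("?") + 1));
  const expires = Number(params.get("Expires"));
  const sig = params.get("Signature");
  if (!sig || !Number.isInteger(expires) || expires <= nowEpoch) return false;
  const v = createVerify("RSA-SHA1");
  v.update(cannedPolicy(resourceUrl, expires));
  return v.verify(publicKeyPem, fromCloudFrontBase64(sig));
}
// Constructed throwaway key pair so the example runs offline; never reuse it in a deployment.
export function testKeyPair(): { publicKey: string; privateKey: string } {
  return generateKeyPairSync("rsa", { modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" }, privateKeyEncoding: { type: "pkcs8", format: "pem" } });
}
```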
Comment thread src/shared/utils/cloudfront.utils.spec.ts Dismissed

Copilot AI left a comment


Pull request overview

This PR adds CloudFront Signed URL support for project showcase media, enabling private S3-backed media delivery via CloudFront while keeping URL signing on the backend.

Changes:

  • Introduces a signCloudFrontUrl utility (with key normalization) and wires it into ProjectShowcasePostService media responses.
  • Adds CloudFront signing configuration to APP_CONFIG and updates/extends unit tests to validate signed URL behavior.
  • Adds dependency (@aws-sdk/cloudfront-signer) plus documentation for AWS setup and key management.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

Summary per file:

| File | Description |
| --- | --- |
| src/shared/utils/cloudfront.utils.ts | Adds URL-signing helper (CloudFront signer + PEM normalization) used when returning media URLs. |
| src/shared/utils/cloudfront.utils.spec.ts | Unit tests for the signing helper behavior when keys are present/missing. |
| src/shared/config/app.config.ts | Adds env-driven CloudFront signing configuration fields (key pair id/key material/expiry). |
| src/api/project-showcase-post/project-showcase-post.service.ts | Signs returned showcase media URLs via signCloudFrontUrl. |
| src/api/project-showcase-post/project-showcase-post.service.spec.ts | Mocks signing util and updates assertions to expect signed media URLs. |
| package.json | Adds @aws-sdk/cloudfront-signer dependency. |
| pnpm-lock.yaml | Locks CloudFront signer deps; also includes additional unrelated lockfile changes. |
| docs/projects-showcase-media.md | Adds end-to-end setup guide for private S3 + CloudFront Signed URLs. |
| .env.example | Adds CloudFront showcase media key variables (example values). |
| appStartUp.sh | Removes defaulting of POSTGRES_SCHEMA in startup script. |
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file


Comment on lines +65 to +67
} catch {
return url;
}
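Review bot: the bare `catch { return url; }` on lines +65 to +67 swallows every signing failure and hands back the unsigned URL, so a missing or malformed key pair is invisible at runtime and the caller cannot tell a protected URL from a plain one. Log the error (without echoing key material) and decide explicitly whether this path should fail closed by rethrowing; since the whole point of the PR is that the bucket is private, an unsigned URL is not usable anyway, so the silent fallback buys nothing but hides misconfiguration.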
Comment thread .env.example
Comment on lines +88 to +97
CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PRIVATE_KEY=""
CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1hmfSFeNdnmVVe+4hcz0
Wirsiu83FjezbiEnLsmZcTwGknTeK26O9JOlC7R1I2sc9TvMjxutqjSRyoLDv6tg
2f29RMeHPsR88tW+aYZYqYgU8PMl5y+EctPfb798eRDyGctpPKBxOczgGSUgAF0y
Y/qCzFYpxXwnpNn775XGR1QIKTgCIEZISAIntcZcgN0q0oGxTJF963exDKWoGxJt
ZvSf1TGI4JbCB6MB3jnl6rr99mWx1GN0NKaylOVBq0ToS7IBaSENjZSaKzTO7hmL
1smAsYB2G4fOcPaQurkqE2gryzj5ZyMCL30k0l/Ifh/td7Fqu/6K73Gta/B3yd/N
UwIDAQAB
-----END PUBLIC KEY-----"
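Review bot: `CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PUBLIC_KEY` on lines +89 to +97 carries what looks like a real PEM public key while `CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PRIVATE_KEY` on line +88 is an empty string; an example file should hold an obviously fake placeholder for both (something like `"-----BEGIN PUBLIC KEY-----\nREPLACE_ME\n-----END PUBLIC KEY-----"`) so nobody mistakes the checked-in value for the key pair registered in CloudFront and a later diff that swaps in a real key stands out. Also confirm that the env loader the app uses accepts a multi-line double-quoted value; if it does not, the key is cut at the first line break and the signer fails to parse it.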
Comment thread pnpm-lock.yaml
Comment on lines 6544 to 6550
'@topcoder-platform/topcoder-bus-api-wrapper@https://codeload.github.com/topcoder-platform/tc-bus-api-wrapper/tar.gz/297a9c0adcdb97661257e7825bee9c3f5578b833':
dependencies:
joi: 18.0.2
lodash: 4.17.23
superagent: 10.3.0
tc-core-library-js: https://codeload.github.com/topcoder-platform/tc-core-library-js/tar.gz/1075136355e1e1c4779f2138a30f3ffbd718bfa4
tc-core-library-js: https://codeload.github.com/topcoder-platform/tc-core-library-js/tar.gz/323567bc50e433ae488b656f9f94e821ebaf3062
transitivePeerDependencies:
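Review bot: lines 6544 to 6550 list `tc-core-library-js` twice under the same `dependencies:` map with different tarball commits (`1075136355e1...` and `323567bc50e4...`), which is a duplicate YAML key and reads like a merge artifact rather than part of this change. Regenerate the lockfile with the pnpm version used on `dev` so the diff contains only the `@aws-sdk/cloudfront-signer` additions, matching the "additional unrelated lockfile changes" already flagged in the per-file summary.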
Install:

```bash
npm install @aws-sdk/cloudfront-signer
```