PM-5487 showcase media security #28
Open
vas3a wants to merge 3 commits into
Pull request overview
This PR adds CloudFront Signed URL support for project showcase media, enabling private S3-backed media delivery via CloudFront while keeping URL signing on the backend.
Changes:
- Introduces a `signCloudFrontUrl` utility (with key normalization) and wires it into `ProjectShowcasePostService` media responses.
- Adds CloudFront signing configuration to `APP_CONFIG` and updates/extends unit tests to validate signed URL behavior.
- Adds dependency (`@aws-sdk/cloudfront-signer`) plus documentation for AWS setup and key management.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/shared/utils/cloudfront.utils.ts | Adds URL-signing helper (CloudFront signer + PEM normalization) used when returning media URLs. |
| src/shared/utils/cloudfront.utils.spec.ts | Unit tests for the signing helper behavior when keys are present/missing. |
| src/shared/config/app.config.ts | Adds env-driven CloudFront signing configuration fields (key pair id/key material/expiry). |
| src/api/project-showcase-post/project-showcase-post.service.ts | Signs returned showcase media URLs via signCloudFrontUrl. |
| src/api/project-showcase-post/project-showcase-post.service.spec.ts | Mocks signing util and updates assertions to expect signed media URLs. |
| package.json | Adds @aws-sdk/cloudfront-signer dependency. |
| pnpm-lock.yaml | Locks CloudFront signer deps; also includes additional unrelated lockfile changes. |
| docs/projects-showcase-media.md | Adds end-to-end setup guide for private S3 + CloudFront Signed URLs. |
| .env.example | Adds CloudFront showcase media key variables (example values). |
| appStartUp.sh | Removes defaulting of POSTGRES_SCHEMA in startup script. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
Comment on lines +65 to +67
| } catch { | ||
| return url; | ||
| } |
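Review bot: the bare `catch { return url; }` hides every signing failure (missing or malformed private key, bad expiry, signer throwing) behind a URL the private distribution will answer with 403, and if the distribution were ever left unrestricted it would quietly hand out an unsigned URL to an object this PR intends to protect. Log the error with the key-pair id and URL context and either rethrow or return an explicit failure so the showcase endpoint fails closed; at minimum narrow the catch to the specific error you expect instead of swallowing everything.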
Comment on lines +88 to +97
| CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PRIVATE_KEY="" | ||
| CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PUBLIC_KEY="-----BEGIN PUBLIC KEY----- | ||
| MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1hmfSFeNdnmVVe+4hcz0 | ||
| Wirsiu83FjezbiEnLsmZcTwGknTeK26O9JOlC7R1I2sc9TvMjxutqjSRyoLDv6tg | ||
| 2f29RMeHPsR88tW+aYZYqYgU8PMl5y+EctPfb798eRDyGctpPKBxOczgGSUgAF0y | ||
| Y/qCzFYpxXwnpNn775XGR1QIKTgCIEZISAIntcZcgN0q0oGxTJF963exDKWoGxJt | ||
| ZvSf1TGI4JbCB6MB3jnl6rr99mWx1GN0NKaylOVBq0ToS7IBaSENjZSaKzTO7hmL | ||
| 1smAsYB2G4fOcPaQurkqE2gryzj5ZyMCL30k0l/Ifh/td7Fqu/6K73Gta/B3yd/N | ||
| UwIDAQAB | ||
| -----END PUBLIC KEY-----" |
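Review bot: `CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PUBLIC_KEY` is not an input to URL signing; the signer needs only the key-pair id and the private key, while the public key is uploaded to CloudFront's public key / key group. If the service never reads this variable, drop it from `.env.example` so nobody assumes it is required backend config, and replace the real-looking PEM with a placeholder, since example values tend to get copied into deployments. Also note that a double-quoted multi-line PEM is handled by recent `dotenv` but not by `docker --env-file` or a shell `source`; the PR already ships key normalization, so document the single-line form with literal `\n` (or base64) as the supported way to supply `CLOUDFRONT_PROJECT_SHOWCASE_MEDIA_PRIVATE_KEY`.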
Comment on lines 6544 to 6550
| '@topcoder-platform/topcoder-bus-api-wrapper@https://codeload.github.com/topcoder-platform/tc-bus-api-wrapper/tar.gz/297a9c0adcdb97661257e7825bee9c3f5578b833': | ||
| dependencies: | ||
| joi: 18.0.2 | ||
| lodash: 4.17.23 | ||
| superagent: 10.3.0 | ||
| tc-core-library-js: https://codeload.github.com/topcoder-platform/tc-core-library-js/tar.gz/1075136355e1e1c4779f2138a30f3ffbd718bfa4 | ||
| tc-core-library-js: https://codeload.github.com/topcoder-platform/tc-core-library-js/tar.gz/323567bc50e433ae488b656f9f94e821ebaf3062 | ||
| transitivePeerDependencies: |
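Review bot: this hunk moves the pinned `tc-core-library-js` tarball from commit 1075136 to commit 323567b, which has nothing to do with CloudFront signing and is not mentioned anywhere in the PR description. An unreviewed dependency bump riding along in the lockfile is exactly the kind of change that slips through supply-chain review; regenerate `pnpm-lock.yaml` from a clean checkout (for example `pnpm install --lockfile-only` on top of the target branch) so that the only additions are `@aws-sdk/cloudfront-signer` and its transitive deps, and land the library bump in its own PR if it is actually needed.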
| Install: | ||
|
|
||
| ``` bash | ||
| npm install @aws-sdk/cloudfront-signer |
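Review bot: the install snippet says `npm install`, but this repository is pnpm-managed (the PR itself touches `pnpm-lock.yaml`); running npm here creates a stray `package-lock.json` and may resolve versions differently from the committed lockfile. Change the snippet to `pnpm add @aws-sdk/cloudfront-signer`, and since the dependency is already declared in `package.json`, point out that a plain `pnpm install` is all a developer needs after checkout.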
This pull request introduces support for serving project showcase media through private S3 buckets using CloudFront Signed URLs. It adds the necessary dependencies, configuration, documentation, and code changes to generate and serve signed CloudFront URLs for media assets. Additionally, it updates tests and environment files to reflect the new setup.
CloudFront Signed URL Integration for Project Showcase Media:
1. Feature Implementation
   - `signCloudFrontUrl` utility is called when returning media URLs, ensuring that only signed requests can access protected S3 content. (src/api/project-showcase-post/project-showcase-post.service.ts)
2. Configuration Updates
   - .env.example, src/shared/config/app.config.ts
3. Dependency Management
   - `@aws-sdk/cloudfront-signer` and its dependencies to package.json and pnpm-lock.yaml for generating signed URLs. (package.json, pnpm-lock.yaml)
4. Documentation
   - docs/projects-showcase-media.md (R1-R273)
5. Tests and Minor Cleanups
   - `BigInt` for IDs, clearing mocks). (src/api/project-showcase-post/project-showcase-post.service.spec.ts; appStartUp.sh L6-L13)

These changes collectively enable secure, signed delivery of project showcase media through CloudFront, improving both security and scalability.