Add public file access feature with prefix-based visibility

- Add S3_PUBLIC_PREFIX env var (default: public/) for unauthenticated GET/HEAD
- Add S3_PUBLIC_CACHE_MAX_AGE env var for Cache-Control headers
- Add ?download=1 query param to force file download
- Auto-create public directory on server startup
- Add comprehensive integration tests for public/private visibility
- Fix all golangci-lint errcheck warnings
- Move integration tests to go.yml workflow, simplify docker.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: pierre-b

.github/workflows/docker.yml

@@ -1,95 +1,19 @@
-name: Docker Build, Test and Push
+name: Docker Build and Push
 
 on:
   push:
-    branches: [main]
     tags:
       - "v*.*"
       - "latest"
-  pull_request:
-    branches: [main]
 
 env:
   REGISTRY: docker.io
   IMAGE_NAME: notifuse/selfhost_s3
 
 jobs:
-  integration-tests:
-    name: Integration Tests
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23"
-          cache: true
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build Docker image for testing
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          push: false
-          load: true
-          tags: selfhost_s3:test
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Start selfhost_s3 container
-        run: |
-          docker run -d \
-            --name selfhost_s3-test \
-            -p 9000:9000 \
-            -e S3_BUCKET=test-bucket \
-            -e S3_ACCESS_KEY=testkey \
-            -e S3_SECRET_KEY=testsecret \
-            -e S3_PORT=9000 \
-            -e S3_REGION=us-east-1 \
-            selfhost_s3:test
-
-      - name: Wait for selfhost_s3 to be ready
-        run: |
-          echo "Waiting for selfhost_s3 to be ready..."
-          for i in {1..30}; do
-            if curl -f http://localhost:9000/health > /dev/null 2>&1; then
-              echo "selfhost_s3 is ready!"
-              break
-            fi
-            echo "Waiting for selfhost_s3... ($i/30)"
-            sleep 2
-          done
-          # Final check
-          curl -f http://localhost:9000/health || exit 1
-
-      - name: Run integration tests
-        env:
-          INTEGRATION_TEST_ENDPOINT: http://localhost:9000
-          INTEGRATION_TEST_BUCKET: test-bucket
-          INTEGRATION_TEST_ACCESS_KEY: testkey
-          INTEGRATION_TEST_SECRET_KEY: testsecret
-          INTEGRATION_TEST_REGION: us-east-1
-        run: |
-          go test -race -timeout=5m ./integration/... -v
-
-      - name: Show container logs on failure
-        if: failure()
-        run: docker logs selfhost_s3-test
-
-      - name: Cleanup
-        if: always()
-        run: docker rm -f selfhost_s3-test || true
-
   build-and-push:
     name: Build and Push
     runs-on: ubuntu-latest
-    needs: integration-tests
     # Only push to Docker Hub on tag pushes (v*.* or latest)
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     permissions:

.github/workflows/go.yml

@@ -36,3 +36,69 @@ jobs:
           files: coverage.txt
           fail_ci_if_error: false
           verbose: true
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23"
+          cache: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image for testing
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          load: true
+          tags: selfhost_s3:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Start selfhost_s3 container
+        run: |
+          docker run -d \
+            --name selfhost_s3-test \
+            -p 9000:9000 \
+            -e S3_BUCKET=test-bucket \
+            -e S3_ACCESS_KEY=testkey \
+            -e S3_SECRET_KEY=testsecret \
+            -e S3_PORT=9000 \
+            -e S3_REGION=us-east-1 \
+            selfhost_s3:test
+
+      - name: Wait for selfhost_s3 to be ready
+        run: |
+          echo "Waiting for selfhost_s3 to be ready..."
+          for i in {1..30}; do
+            if curl -f http://localhost:9000/health > /dev/null 2>&1; then
+              echo "selfhost_s3 is ready!"
+              break
+            fi
+            echo "Waiting for selfhost_s3... ($i/30)"
+            sleep 2
+          done
+          # Final check
+          curl -f http://localhost:9000/health || exit 1
+
+      - name: Run integration tests
+        run: |
+          go test -race -timeout=5m ./integration/... -v
+
+      - name: Show container logs on failure
+        if: failure()
+        run: docker logs selfhost_s3-test
+
+      - name: Cleanup
+        if: always()
+        run: docker rm -f selfhost_s3-test || true

README.md

@@ -12,6 +12,9 @@ A minimal S3-compatible object storage server written in Go that persists files
 
 - S3-compatible API (AWS Signature V4 authentication)
 - Local filesystem storage
+- Public file access (optional prefix-based)
+- Download mode with `?download=1` query parameter
+- Configurable cache headers for public files
 - Single binary, no dependencies
 - Multi-platform Docker images (amd64, arm64)
 
@@ -91,16 +94,18 @@ export S3_SECRET_KEY=mysecretkey
 
 selfhost_s3 is configured via environment variables:
 
-| Variable           | Required | Default     | Description                            |
-| ------------------ | -------- | ----------- | -------------------------------------- |
-| `S3_BUCKET`        | Yes      | -           | S3 bucket name                         |
-| `S3_ACCESS_KEY`    | Yes      | -           | Access key for authentication          |
-| `S3_SECRET_KEY`    | Yes      | -           | Secret key for authentication          |
-| `S3_PORT`          | No       | `9000`      | Port to listen on                      |
-| `S3_STORAGE_PATH`  | No       | `./data`    | Local directory for file storage       |
-| `S3_REGION`        | No       | `us-east-1` | AWS region (for signature validation)  |
-| `S3_CORS_ORIGINS`  | No       | `*`         | Allowed CORS origins (comma-separated) |
-| `S3_MAX_FILE_SIZE` | No       | `100MB`     | Maximum upload file size               |
+| Variable                 | Required | Default      | Description                                      |
+| ------------------------ | -------- | ------------ | ------------------------------------------------ |
+| `S3_BUCKET`              | Yes      | -            | S3 bucket name                                   |
+| `S3_ACCESS_KEY`          | Yes      | -            | Access key for authentication                    |
+| `S3_SECRET_KEY`          | Yes      | -            | Secret key for authentication                    |
+| `S3_PORT`                | No       | `9000`       | Port to listen on                                |
+| `S3_STORAGE_PATH`        | No       | `./data`     | Local directory for file storage                 |
+| `S3_REGION`              | No       | `us-east-1`  | AWS region (for signature validation)            |
+| `S3_CORS_ORIGINS`        | No       | `*`          | Allowed CORS origins (comma-separated)           |
+| `S3_MAX_FILE_SIZE`       | No       | `100MB`      | Maximum upload file size                         |
+| `S3_PUBLIC_PREFIX`       | No       | `public/`    | Prefix for public files (empty string disables)  |
+| `S3_PUBLIC_CACHE_MAX_AGE`| No       | `31536000`   | Cache-Control max-age for public files (seconds) |
 
 ## Docker Hub
 
@@ -140,6 +145,67 @@ data/
 - **Files**: Stored at `{storage_path}/{bucket}/{key}`
 - **Folders**: Represented as empty files with keys ending in `/`
 
+## Public Access
+
+selfhost_s3 supports serving files publicly without authentication. By default, files under the `public/` prefix are accessible via GET and HEAD requests without AWS Signature V4 authentication.
+
+### How It Works
+
+- The `public/` directory is automatically created on server startup
+- GET and HEAD requests to paths starting with the public prefix skip authentication
+- PUT and DELETE operations still require authentication (only uploads/deletes are protected)
+- Public files include `Cache-Control` headers for CDN/browser caching
+
+### Public File URLs
+
+Files in the public prefix can be accessed directly via browser:
+
+```
+http://localhost:9000/my-bucket/public/images/logo.png
+http://localhost:9000/my-bucket/public/documents/report.pdf
+```
+
+### Download Mode
+
+Add `?download=1` to force the browser to download the file instead of displaying it:
+
+```
+http://localhost:9000/my-bucket/public/report.pdf?download=1
+```
+
+This sets the `Content-Disposition: attachment` header with the filename.
+
+### Configuration Examples
+
+**Custom public prefix:**
+```bash
+S3_PUBLIC_PREFIX=assets/  # Files under assets/ are public
+```
+
+**Disable public access entirely:**
+```bash
+S3_PUBLIC_PREFIX=  # Empty string disables public access
+```
+
+**Custom cache duration (1 hour):**
+```bash
+S3_PUBLIC_CACHE_MAX_AGE=3600
+```
+
+**Disable caching:**
+```bash
+S3_PUBLIC_CACHE_MAX_AGE=0
+```
+
+### Security Recommendations
+
+When exposing files publicly:
+
+1. **Use a reverse proxy** (nginx, Caddy, Traefik) in front of selfhost_s3 for SSL/TLS
+2. **Restrict CORS origins** in production: `S3_CORS_ORIGINS=https://yourdomain.com`
+3. **Consider a CDN** for frequently accessed public files
+4. **Validate uploads** in your application before storing files in the public prefix
+
 ## CORS
 
 Since browser clients connect directly to selfhost_s3, CORS headers are automatically included: