Expose logic for buckets to parse signed urls

Author: CarsonF

src/components/file/bucket/composite-bucket.ts

@@ -5,6 +5,7 @@ import { NotFoundException } from '~/common';
 import {
   FileBucket,
   GetObjectOutput,
+  InvalidSignedUrlException,
   PutObjectInput,
   SignedOp,
 } from './file-bucket';
@@ -41,6 +42,18 @@ export class CompositeBucket extends FileBucket {
     return await source.getSignedUrl(operation, input);
   }
 
+  async parseSignedUrl(url: URL) {
+    const results = await Promise.allSettled(
+      this.sources.map(async (source) => await source.parseSignedUrl(url)),
+    );
+    for (const result of results) {
+      if (result.status === 'fulfilled') {
+        return result.value;
+      }
+    }
+    throw new InvalidSignedUrlException();
+  }
+
   async getObject(key: string): Promise<GetObjectOutput> {
     const [source] = await this.selectSource(key);
     return await source.getObject(key);

src/components/file/bucket/file-bucket.ts

@@ -5,11 +5,18 @@ import {
 } from '@aws-sdk/client-s3';
 import { RequestPresigningArguments } from '@aws-sdk/types';
 import { Type } from '@nestjs/common';
+import { MaybeAsync } from '@seedcompany/common';
 import { Command } from '@smithy/smithy-client';
 import { NodeJsRuntimeStreamingBlobPayloadInputTypes } from '@smithy/types/dist-types/streaming-payload/streaming-blob-payload-input-types';
 import { Readable } from 'stream';
-import { Except, Merge, SetNonNullable, SetRequired } from 'type-fest';
-import { DurationIn } from '~/common';
+import {
+  Except,
+  LiteralUnion,
+  Merge,
+  SetNonNullable,
+  SetRequired,
+} from 'type-fest';
+import { DurationIn, InputException, InputExceptionArgs } from '~/common';
 
 // Limit body to only `Readable` which is always the case for Nodejs execution.
 export type GetObjectOutput = Merge<AwsGetObjectOutput, { Body: Readable }>;
@@ -41,6 +48,10 @@ export abstract class FileBucket {
     operation: Type<Command<TCommandInput, any, any>>,
     input: SignedOp<TCommandInput>,
   ): Promise<string>;
+  abstract parseSignedUrl(url: URL): MaybeAsync<{
+    Key: string;
+    operation: LiteralUnion<'PutObject' | 'GetObject', string>;
+  }>;
 
   abstract getObject(key: string): Promise<GetObjectOutput>;
   abstract headObject(key: string): Promise<HeadObjectOutput>;
@@ -52,3 +63,9 @@ export abstract class FileBucket {
     await this.deleteObject(oldKey);
   }
 }
+
+export class InvalidSignedUrlException extends InputException {
+  constructor(...args: InputExceptionArgs) {
+    super(...InputException.parseArgs('Invalid signed URL', args));
+  }
+}

src/components/file/bucket/local-bucket.ts

@@ -10,10 +10,10 @@ import { DateTime, Duration } from 'luxon';
 import { URL } from 'node:url';
 import { Readable } from 'stream';
 import { assert } from 'ts-essentials';
-import { InputException } from '~/common';
 import {
   FileBucket,
   GetObjectOutput,
+  InvalidSignedUrlException,
   PutObjectInput,
   SignedOp,
 } from './file-bucket';
@@ -108,27 +108,37 @@ export abstract class LocalBucket<
     operation: Type<Command<TCommandInput, any, any>>,
     url: string,
   ): SignedOp<TCommandInput> & { Key: string } {
-    let raw;
+    let u: URL;
     try {
-      raw = new URL(url).searchParams.get('signed');
+      u = new URL(url);
     } catch (e) {
-      raw = url;
+      u = new URL('http://localhost');
+      u.searchParams.set('signed', url);
     }
-    assert(typeof raw === 'string');
-    let parsed;
     try {
-      parsed = JSON.parse(raw) as SignedOp<TCommandInput> & {
+      const parsed = this.parseSignedUrl(u) as SignedOp<TCommandInput> & {
         operation: string;
-        Key: string;
       };
       assert(parsed.operation === operation.constructor.name);
+      return parsed;
+    } catch (e) {
+      throw new InvalidSignedUrlException(e);
+    }
+  }
+
+  parseSignedUrl(url: URL) {
+    const raw = url.searchParams.get('signed');
+    let parsed;
+    try {
+      parsed = JSON.parse(raw || '') as SignedOp<{ operation: string }>;
+      assert(typeof parsed.operation === 'string');
       assert(typeof parsed.Key === 'string');
       assert(typeof parsed.signing.expiresIn === 'number');
     } catch (e) {
-      throw new InputException(e);
+      throw new InvalidSignedUrlException(e);
     }
     if (DateTime.local() > DateTime.fromMillis(parsed.signing.expiresIn)) {
-      throw new InputException('url expired');
+      throw new InvalidSignedUrlException('URL expired');
     }
     return parsed;
   }

src/components/file/bucket/readonly-bucket.ts

@@ -18,6 +18,10 @@ export class ReadonlyBucket extends FileBucket {
     return await this.source.getSignedUrl(operation, input);
   }
 
+  async parseSignedUrl(url: URL) {
+    return await this.source.parseSignedUrl(url);
+  }
+
   async getObject(key: string) {
     return await this.source.getObject(key);
   }

src/components/file/bucket/s3-bucket.ts

@@ -3,11 +3,17 @@ import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { Type } from '@nestjs/common';
 import { bufferFromStream } from '@seedcompany/common';
 import { Command } from '@smithy/smithy-client';
+import got from 'got';
 import { Duration } from 'luxon';
 import { join } from 'path/posix';
 import { Readable } from 'stream';
 import { NotFoundException } from '~/common';
-import { FileBucket, PutObjectInput, SignedOp } from './file-bucket';
+import {
+  FileBucket,
+  InvalidSignedUrlException,
+  PutObjectInput,
+  SignedOp,
+} from './file-bucket';
 
 /**
  * A bucket that actually connects to S3.
@@ -37,6 +43,25 @@ export class S3Bucket extends FileBucket {
     });
   }
 
+  async parseSignedUrl(url: URL) {
+    if (
+      !url.hostname.startsWith(this.bucket + '.') ||
+      !url.hostname.endsWith('.amazonaws.com')
+    ) {
+      throw new InvalidSignedUrlException();
+    }
+
+    try {
+      await got.head(url);
+    } catch (e) {
+      throw new InvalidSignedUrlException(e);
+    }
+
+    const Key = url.pathname.slice(1);
+    const operation = url.searchParams.get('x-id')!;
+    return { Key, operation };
+  }
+
   async getObject(key: string) {
     const file = await this.s3
       .getObject({