Merge pull request #1974 from line/feat/implement-presigned-url-download

feat: implement presigned url download

Author: jihun

GUIDE.md

@@ -23,6 +23,7 @@ To enable image uploads directly to the server, you must configure the image sto
 - `endpoint`: The endpoint URL for the storage service.
 - `region`: The region your storage service is located in.
 - `bucket`: The name of the bucket where images will be stored.
+- `enablePresignedUrlDownload`: Enable the setting to enhance download security by using the pre-signed URL feature supported by AWS S3.
 
 Depending on your use case and the desired level of access, you may need to adjust the permissions of your S3 bucket. If your application requires that the images be publicly accessible, configure your S3 bucket's policy to allow public reads.
 

apps/api/src/domains/admin/channel/channel/channel.controller.ts

@@ -14,6 +14,7 @@
  * under the License.
  */
 import {
+  BadRequestException,
   Body,
   Controller,
   Delete,
@@ -30,6 +31,7 @@ import {
   ApiCreatedResponse,
   ApiOkResponse,
   ApiParam,
+  ApiQuery,
   ApiTags,
 } from '@nestjs/swagger';
 
@@ -145,6 +147,7 @@ export class ChannelController {
       secretAccessKey,
       endpoint,
       region,
+      bucket,
     }: ImageUploadUrlTestRequestDto,
   ) {
     return {
@@ -153,7 +156,46 @@ export class ChannelController {
         secretAccessKey,
         endpoint,
         region,
+        bucket,
       }),
     };
   }
+
+  @ApiParam({ name: 'projectId', type: Number })
+  @ApiParam({ name: 'channelId', type: Number })
+  @ApiQuery({
+    name: 'imageKey',
+    type: String,
+    required: true,
+    description: 'Image Key for the pre-signed url download',
+    example: 'test-image-key.jpg',
+  })
+  @ApiOkResponse({ type: String })
+  @UseGuards(JwtAuthGuard)
+  @Get('/:channelId/image-download-url')
+  async getImageDownloadUrl(
+    @Param('projectId', ParseIntPipe) projectId: number,
+    @Param('channelId', ParseIntPipe) channelId: number,
+    @Query('imageKey') imageKey: string,
+  ) {
+    if (!imageKey) {
+      throw new BadRequestException('imageKey is required in query parameter');
+    }
+    const channel = await this.channelService.findById({ channelId });
+    if (channel.project.id !== projectId) {
+      throw new BadRequestException('Invalid channel id');
+    }
+    if (!channel.imageConfig) {
+      throw new BadRequestException('No image config in this channel');
+    }
+
+    return await this.channelService.createImageDownloadUrl({
+      accessKeyId: channel.imageConfig.accessKeyId,
+      secretAccessKey: channel.imageConfig.secretAccessKey,
+      endpoint: channel.imageConfig.endpoint,
+      region: channel.imageConfig.region,
+      bucket: channel.imageConfig.bucket,
+      imageKey,
+    });
+  }
 }

apps/api/src/domains/admin/channel/channel/channel.service.ts

@@ -14,7 +14,8 @@
  * under the License.
  */
 import {
-  ListBucketsCommand,
+  GetObjectCommand,
+  ListObjectsCommand,
   PutObjectCommand,
   S3Client,
 } from '@aws-sdk/client-s3';
@@ -26,6 +27,7 @@ import { Transactional } from 'typeorm-transactional';
 import { OpensearchRepository } from '@/common/repositories';
 import { ProjectService } from '@/domains/admin/project/project/project.service';
 import type {
+  CreateImageDownloadUrlDto,
   CreateImageUploadUrlDto,
   ImageUploadUrlTestDto,
 } from '../../feedback/dtos';
@@ -130,16 +132,34 @@ export class ChannelService {
     return await getSignedUrl(s3, command, { expiresIn: 60 * 60 });
   }
 
+  async createImageDownloadUrl(dto: CreateImageDownloadUrlDto) {
+    const { accessKeyId, secretAccessKey, endpoint, region, bucket, imageKey } =
+      dto;
+
+    const s3 = new S3Client({
+      credentials: { accessKeyId, secretAccessKey },
+      endpoint,
+      region,
+    });
+
+    const command = new GetObjectCommand({
+      Bucket: bucket,
+      Key: imageKey,
+    });
+
+    return await getSignedUrl(s3, command, { expiresIn: 60 });
+  }
+
   async isValidImageConfig(dto: ImageUploadUrlTestDto) {
-    const { accessKeyId, secretAccessKey, endpoint, region } = dto;
+    const { accessKeyId, secretAccessKey, endpoint, region, bucket } = dto;
 
     const s3 = new S3Client({
       credentials: { accessKeyId, secretAccessKey },
       endpoint,
       region,
     });
 
-    const command = new ListBucketsCommand({});
+    const command = new ListObjectsCommand({ Bucket: bucket });
 
     try {
       await s3.send(command);

apps/api/src/domains/admin/channel/channel/dtos/requests/image-config-request.dto.ts

@@ -14,7 +14,7 @@
  * under the License.
  */
 import { ApiProperty } from '@nestjs/swagger';
-import { IsString } from 'class-validator';
+import { IsBoolean, IsString } from 'class-validator';
 
 export class ImageConfigRequestDto {
   @ApiProperty()
@@ -40,4 +40,8 @@ export class ImageConfigRequestDto {
   @ApiProperty({ nullable: true, type: [String] })
   @IsString({ each: true })
   domainWhiteList: string[];
+
+  @ApiProperty({ required: false })
+  @IsBoolean()
+  enablePresignedUrlDownload: boolean;
 }

apps/api/src/domains/admin/channel/channel/dtos/responses/find-channel-by-id-response.dto.ts

@@ -37,7 +37,7 @@ export class FindChannelByIdResponseDto {
   description: string;
 
   @Expose()
-  @ApiProperty()
+  @ApiProperty({ required: false })
   imageConfig: ImageConfigResponseDto;
 
   @Expose()

apps/api/src/domains/admin/channel/channel/dtos/responses/image-config-response.dto.ts

@@ -40,4 +40,8 @@ export class ImageConfigResponseDto {
   @Expose()
   @ApiProperty()
   domainWhiteList: string[];
+
+  @Expose()
+  @ApiProperty({ required: false, type: 'boolean' })
+  enablePresignedUrlDownload: boolean | undefined;
 }

apps/api/src/domains/admin/feedback/dtos/create-image-download-url.dto.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright 2025 LY Corporation
+ *
+ * LY Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class CreateImageDownloadUrlDto {
+  accessKeyId: string;
+  secretAccessKey: string;
+  endpoint: string;
+  region: string;
+  bucket: string;
+  imageKey: string;
+}

apps/api/src/domains/admin/feedback/dtos/image-upload-url-test.dto.ts

@@ -19,4 +19,5 @@ export class ImageUploadUrlTestDto {
   secretAccessKey: string;
   endpoint: string;
   region: string;
+  bucket: string;
 }

apps/api/src/domains/admin/feedback/dtos/index.ts

@@ -19,6 +19,7 @@ export {
   CreateFeedbackOSDto,
 } from './create-feedback.dto';
 export { CreateImageUploadUrlDto } from './create-image-upload-url.dto';
+export { CreateImageDownloadUrlDto } from './create-image-download-url.dto';
 export { FindFeedbacksByChannelIdDto } from './find-feedbacks-by-channel-id.dto';
 export {
   UpdateFeedbackDto,

apps/api/src/domains/admin/feedback/feedback.mysql.service.ts

@@ -551,37 +551,46 @@ export class FeedbackMySQLService {
   async updateFeedback(dto: UpdateFeedbackMySQLDto) {
     const { feedbackId, data } = dto;
 
+    let query = `JSON_SET(IFNULL(feedbacks.data,'{}'), `;
+    const parameters: Record<string, any> = {};
+
+    if (Object.keys(data).length === 0) {
+      query = 'data';
+    } else {
+      Object.entries(data).forEach(([fieldKey, value], index) => {
+        query += `'$.${fieldKey}', `;
+        if (Array.isArray(value)) {
+          const arrayParams = value
+            .map((v, i) => {
+              const paramName = `value${index}_${i}`;
+              parameters[paramName] = v as string | number;
+              return `:${paramName}`;
+            })
+            .join(', ');
+          query += `JSON_ARRAY(${arrayParams})`;
+        } else {
+          const paramName = `value${index}`;
+          parameters[paramName] = value as string | number;
+          query += `:${paramName}`;
+        }
+
+        if (index + 1 !== Object.entries(data).length) {
+          query += ', ';
+        }
+      });
+
+      query += ')';
+    }
+
     await this.feedbackRepository
       .createQueryBuilder('feedbacks')
       .update('feedbacks')
       .set({
-        data: () => {
-          if (Object.keys(data).length === 0) {
-            return 'data';
-          }
-          let query = `JSON_SET(IFNULL(feedbacks.data,'{}'), `;
-          for (const [index, fieldKey] of Object.entries(Object.keys(data))) {
-            query += `'$.${fieldKey}',
-            ${
-              Array.isArray(data[fieldKey]) ?
-                data[fieldKey].length === 0 ?
-                  'JSON_ARRAY()'
-                : 'JSON_ARRAY("' + data[fieldKey].join('","') + '")'
-              : `:${fieldKey}`
-            }`;
-
-            if (parseInt(index) + 1 !== Object.entries(data).length) {
-              query += ',';
-            }
-          }
-          query += `)`;
-
-          return query;
-        },
+        data: () => query,
         updatedAt: () => `'${DateTime.utc().toFormat('yyyy-MM-dd HH:mm:ss')}'`,
       })
       .where('id = :feedbackId', { feedbackId })
-      .setParameters(data)
+      .setParameters(parameters)
       .execute();
   }