Chore: add expiry to signed item urls

djoamersfoort · Jan 23, 2024 · a454a3e · a454a3e
1 parent b481682
commit a454a3e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/api/app/db/crud.py b/api/app/db/crud.py
@@ -38,12 +38,13 @@ def sign_url(url: str):
 
 def sign_item(item_data: models.Item):
     item = schemas.Item.model_validate(item_data)
+    expiry = (datetime.datetime.now() + datetime.timedelta(days=1)).timestamp()
 
     item.cover_path = sign_url(
-        f"{settings.base_url}/items/{item_data.album_id}/{item.id}/cover"
+        f"{settings.base_url}/items/{item_data.album_id}/{item.id}/{expiry}/cover"
     )
     item.path = sign_url(
-        f"{settings.base_url}/items/{item_data.album_id}/{item.id}/full"
+        f"{settings.base_url}/items/{item_data.album_id}/{item.id}/{expiry}/full"
     )
 
     return item

diff --git a/api/app/main.py b/api/app/main.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 from functools import lru_cache
 from typing import Annotated
 from uuid import UUID
@@ -144,26 +145,30 @@ async def upload_items(
     return await crud.create_item(db, user, items, album_id)
 
 
-@app.get("/items/{album_id}/{item_id}/full", include_in_schema=False)
+@app.get("/items/{album_id}/{item_id}/{expiry}/full", include_in_schema=False)
 async def get_item(
-    album_id: UUID, item_id: UUID, signature: str, db: Session = Depends(get_db)
+    album_id: UUID, item_id: UUID, signature: str, expiry: float, db: Session = Depends(get_db)
 ):
     if not verify_signature(
-        f"{settings.base_url}/items/{album_id}/{item_id}/full", signature
+        f"{settings.base_url}/items/{album_id}/{item_id}/{expiry}/full", signature
     ):
         return None
+    if datetime.now().timestamp() > expiry:
+        return None
 
     return crud.get_full(db, item_id)
 
 
-@app.get("/items/{album_id}/{item_id}/cover", include_in_schema=False)
+@app.get("/items/{album_id}/{item_id}/{expiry}/cover", include_in_schema=False)
 async def get_cover(
-    album_id: UUID, item_id: UUID, signature: str, db: Session = Depends(get_db)
+    album_id: UUID, item_id: UUID, signature: str, expiry: float, db: Session = Depends(get_db)
 ):
     if not verify_signature(
-        f"{settings.base_url}/items/{album_id}/{item_id}/cover", signature
+        f"{settings.base_url}/items/{album_id}/{item_id}/{expiry}/cover", signature
     ):
         return None
+    if datetime.now().timestamp() > expiry:
+        return None
 
     return crud.get_cover(db, item_id)