From a454a3e2bb7833de4a85e538ddb7b0cbe16a0cec Mon Sep 17 00:00:00 2001 From: sverben <59171289+sverben@users.noreply.github.com> Date: Tue, 23 Jan 2024 13:30:10 +0100 Subject: [PATCH] Chore: add expiry to signed item urls --- api/app/db/crud.py | 5 +++-- api/app/main.py | 17 +++++++++++------ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/api/app/db/crud.py b/api/app/db/crud.py index 6f791d2..dbaf90d 100644 --- a/api/app/db/crud.py +++ b/api/app/db/crud.py @@ -38,12 +38,13 @@ def sign_url(url: str): def sign_item(item_data: models.Item): item = schemas.Item.model_validate(item_data) + expiry = (datetime.datetime.now() + datetime.timedelta(days=1)).timestamp() item.cover_path = sign_url( - f"{settings.base_url}/items/{item_data.album_id}/{item.id}/cover" + f"{settings.base_url}/items/{item_data.album_id}/{item.id}/{expiry}/cover" ) item.path = sign_url( - f"{settings.base_url}/items/{item_data.album_id}/{item.id}/full" + f"{settings.base_url}/items/{item_data.album_id}/{item.id}/{expiry}/full" ) return item diff --git a/api/app/main.py b/api/app/main.py index d90ad02..6e59ca4 100644 --- a/api/app/main.py +++ b/api/app/main.py @@ -1,3 +1,4 @@ +from datetime import datetime from functools import lru_cache from typing import Annotated from uuid import UUID 
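Review bot: The new `expiry` line in sign_item embeds a naive-local-time float in the signed URL: `datetime.datetime.now()` carries no tzinfo and `.timestamp()` renders as something like `1706013010.123456`, so the token's canonical form depends on float repr and on the process's local timezone/DST handling; an integer UTC epoch is shorter and unambiguous, e.g. `expiry = int(datetime.datetime.now(datetime.timezone.utc).timestamp()) + 24 * 60 * 60`. Because the expiry is part of the string that sign_url signs, a client cannot alter it without invalidating the signature, so this is hardening rather than a bypass. The hunk uses the `datetime` module without adding an import, so it assumes `import datetime` already exists at the top of crud.py — confirm, otherwise sign_item raises NameError at runtime. The one-day lifetime is also hard-coded; a settings value would let operators tune it, and the function still has no docstring, e.g. `"""Return the item with cover_path/path replaced by signed URLs that expire in 24h."""`.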
@@ -144,26 +145,30 @@ async def upload_items( return await crud.create_item(db, user, items, album_id) -@app.get("/items/{album_id}/{item_id}/full", include_in_schema=False) +@app.get("/items/{album_id}/{item_id}/{expiry}/full", include_in_schema=False) async def get_item( - album_id: UUID, item_id: UUID, signature: str, db: Session = Depends(get_db) + album_id: UUID, item_id: UUID, signature: str, expiry: float, db: Session = Depends(get_db) ): if not verify_signature( - f"{settings.base_url}/items/{album_id}/{item_id}/full", signature + f"{settings.base_url}/items/{album_id}/{item_id}/{expiry}/full", signature ): return None + if datetime.now().timestamp() > expiry: + return None return crud.get_full(db, item_id) -@app.get("/items/{album_id}/{item_id}/cover", include_in_schema=False) +@app.get("/items/{album_id}/{item_id}/{expiry}/cover", include_in_schema=False) async def get_cover( - album_id: UUID, item_id: UUID, signature: str, db: Session = Depends(get_db) + album_id: UUID, item_id: UUID, signature: str, expiry: float, db: Session = Depends(get_db) ): if not verify_signature( - f"{settings.base_url}/items/{album_id}/{item_id}/cover", signature + f"{settings.base_url}/items/{album_id}/{item_id}/{expiry}/cover", signature ): return None + if datetime.now().timestamp() > expiry: + return None return crud.get_cover(db, item_id)
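Review bot: The new expiry branches in get_item and get_cover `return None` for an expired link, which FastAPI serializes as a 200 response with a `null` body, so a caller cannot distinguish an expired URL from an invalid signature or a missing item; raising `HTTPException(status_code=403, detail="Signed URL expired")` (assuming fastapi's HTTPException is imported in main.py, which the hunk does not show) gives an explicit denial, and the pre-existing signature-failure branch deserves the same treatment. The signature-plus-expiry check is duplicated verbatim across both handlers, so a small helper keeps the two endpoints in step; a version is sketched below and would need `from datetime import datetime, timezone` in place of the import this commit adds. Because `expiry` is reconstructed into the signed string, values such as `inf` or `nan` that a `float` path parameter may accept cannot bypass the check unless the server signed them, but declaring the parameter as `int` narrows the input and avoids float-repr round-trip concerns. `datetime.now()` is naive; `datetime.now(timezone.utc).timestamp()` avoids any local-time/DST ambiguity between the signing and verifying processes.
```python
def _check_signed_access(album_id: UUID, item_id: UUID, expiry: float, suffix: str, signature: str) -> None:
    """Reject the request unless `signature` covers this exact URL and the link has not expired."""
    url = f"{settings.base_url}/items/{album_id}/{item_id}/{expiry}/{suffix}"
    if not verify_signature(url, signature):
        raise HTTPException(status_code=403, detail="Invalid signature")
    # Compare against an aware UTC clock so signer and verifier agree regardless of local TZ.
    if datetime.now(timezone.utc).timestamp() > expiry:
        raise HTTPException(status_code=403, detail="Signed URL expired")


async def get_item(
    album_id: UUID, item_id: UUID, signature: str, expiry: float, db: Session = Depends(get_db)
):
    _check_signed_access(album_id, item_id, expiry, "full", signature)
    return crud.get_full(db, item_id)

# … unchanged: get_cover follows the same shape with suffix "cover" and crud.get_cover …
```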