PM-5487 showcase media security #28

Merged: vas3a merged 5 commits into dev from PM-5487_showcase-media-security on Jul 2, 2026

@vas3a vas3a commented Jul 1, 2026

Collaborator

This pull request introduces support for serving project showcase media through private S3 buckets using CloudFront Signed URLs. It adds the necessary dependencies, configuration, documentation, and code changes to generate and serve signed CloudFront URLs for media assets. Additionally, it updates tests and environment files to reflect the new setup.

CloudFront Signed URL Integration for Project Showcase Media:

1. Feature Implementation

  • The backend now uses CloudFront Signed URLs for serving project showcase media. The signCloudFrontUrl utility is called when returning media URLs, ensuring that only signed requests can access protected S3 content. (src/api/project-showcase-post/project-showcase-post.service.ts [1] [2])

2. Configuration Updates

  • New environment variables are introduced for CloudFront key pair ID, private key, and public key, with corresponding fields added to the application config. (.env.example [1], src/shared/config/app.config.ts [2])

3. Dependency Management

  • Adds @aws-sdk/cloudfront-signer and its dependencies to package.json and pnpm-lock.yaml for generating signed URLs. (package.json [1], pnpm-lock.yaml [2] [3] [4] [5] [6] [7] [8])

4. Documentation

  • Adds a comprehensive guide for setting up CloudFront Signed URLs and private S3 buckets, including AWS configuration, key management, and security best practices. (docs/projects-showcase-media.md, R1-R273)

5. Tests and Minor Cleanups

  • Updates tests to mock the CloudFront signing utility and validate that returned media URLs are signed. Also includes minor test improvements (e.g., using BigInt for IDs, clearing mocks). (src/api/project-showcase-post/project-showcase-post.service.spec.ts [1] [2] [3] [4] [5] [6] [7] [8])
  • Removes unused code for setting the default Postgres schema in the startup script. (appStartUp.sh, L6-L13)

These changes collectively enable secure, signed delivery of project showcase media through CloudFront, improving both security and scalability.
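
As an added illustration of the signing step this description refers to (not code from the pull request or from @aws-sdk/cloudfront-signer): a canned-policy CloudFront signed URL built with Node's crypto module, with env-style PEM normalization and a throw when key material is missing. `signMediaUrl`, `verifyMediaUrl`, the key pair ID and the URL are hypothetical; the key pair is generated inline as constructed sample input.

```typescript
import { createSign, createVerify, generateKeyPairSync } from "node:crypto";

// Env files often hold a PEM on one line with literal "\n"; restore real newlines.
function normalizePem(raw: string): string {
  return raw.replace(/\\n/g, "\n").trim() + "\n";
}

// CloudFront's URL-safe base64 alphabet: "+" -> "-", "=" -> "_", "/" -> "~".
const toCf = (b: string): string => b.replace(/\+/g, "-").replace(/=/g, "_").replace(/\//g, "~");
const fromCf = (s: string): string => s.replace(/-/g, "+").replace(/_/g, "=").replace(/~/g, "/");

// Canned policy: one resource, one expiry, serialized with no whitespace.
function cannedPolicy(url: string, expires: number): string {
  return JSON.stringify({
    Statement: [{ Resource: url, Condition: { DateLessThan: { "AWS:EpochTime": expires } } }],
  });
}

// Hypothetical helper: throws on missing or unusable keys, so it never yields an unsigned URL.
function signMediaUrl(url: string, keyPairId: string, privateKeyRaw: string,
                      ttlSeconds: number, nowMs: number = Date.now()): string {
  if (!keyPairId || !privateKeyRaw) throw new Error("CloudFront signing key not configured");
  const expires = Math.floor(nowMs / 1000) + ttlSeconds;
  const signature = createSign("RSA-SHA1")
    .update(cannedPolicy(url, expires))
    .sign(normalizePem(privateKeyRaw), "base64");
  const sep = url.includes("?") ? "&" : "?";
  return `${url}${sep}Expires=${expires}&Signature=${toCf(signature)}&Key-Pair-Id=${keyPairId}`;
}

// Local check for the demo: rebuild the canned policy from the URL and verify the signature.
function verifyMediaUrl(signed: string, publicKeyPem: string, nowMs: number = Date.now()): boolean {
  const m = /^(.*)[?&]Expires=(\d+)&Signature=([^&]+)&Key-Pair-Id=[^&]+$/.exec(signed);
  if (!m) return false;
  const expires = Number(m[2]);
  if (expires * 1000 <= nowMs) return false; // link has expired
  return createVerify("RSA-SHA1")
    .update(cannedPolicy(m[1], expires))
    .verify(publicKeyPem, fromCf(m[3]), "base64");
}

// Constructed sample input: a throwaway key pair, a placeholder key pair ID and URL.
const demoKeys = generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
const DEMO_KEY_PAIR_ID = "K_EXAMPLE_PLACEHOLDER";
const DEMO_URL = "https://media.example.com/showcase/1/cover.png";
```

Changing the path or letting the expiry pass makes `verifyMediaUrl` return false, since both are bound into the signed policy.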

@vas3a vas3a requested review from Copilot, jmgasper and kkartunov July 1, 2026 14:12
Comment thread src/shared/utils/cloudfront.utils.spec.ts Dismissed

Copilot AI left a comment


Pull request overview

This PR adds CloudFront Signed URL support for project showcase media, enabling private S3-backed media delivery via CloudFront while keeping URL signing on the backend.

Changes:

  • Introduces a signCloudFrontUrl utility (with key normalization) and wires it into ProjectShowcasePostService media responses.
  • Adds CloudFront signing configuration to APP_CONFIG and updates/extends unit tests to validate signed URL behavior.
  • Adds dependency (@aws-sdk/cloudfront-signer) plus documentation for AWS setup and key management.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

Summary per file:

  • src/shared/utils/cloudfront.utils.ts: Adds URL-signing helper (CloudFront signer + PEM normalization) used when returning media URLs.
  • src/shared/utils/cloudfront.utils.spec.ts: Unit tests for the signing helper behavior when keys are present/missing.
  • src/shared/config/app.config.ts: Adds env-driven CloudFront signing configuration fields (key pair id/key material/expiry).
  • src/api/project-showcase-post/project-showcase-post.service.ts: Signs returned showcase media URLs via signCloudFrontUrl.
  • src/api/project-showcase-post/project-showcase-post.service.spec.ts: Mocks signing util and updates assertions to expect signed media URLs.
  • package.json: Adds @aws-sdk/cloudfront-signer dependency.
  • pnpm-lock.yaml: Locks CloudFront signer deps; also includes additional unrelated lockfile changes.
  • docs/projects-showcase-media.md: Adds end-to-end setup guide for private S3 + CloudFront Signed URLs.
  • .env.example: Adds CloudFront showcase media key variables (example values).
  • appStartUp.sh: Removes defaulting of POSTGRES_SCHEMA in startup script.

Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

Comment on lines +65 to +67
} catch {
return url;
}
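
Review bot: The bare `catch` at lines +65 to +67 discards the exception and returns the unsigned `url`, so a signing failure (for example a malformed private key) leaves no trace and the caller cannot tell a signed URL from an unsigned one. If the distribution enforces signed URLs as the PR description states, the returned link will be refused at the edge with nothing in the application logs to explain why. Bind the error (`catch (err)`), log it without the key material, and either rethrow or return a value the caller can distinguish (such as `null`) instead of `return url;`.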
Comment thread .env.example Outdated
Comment thread pnpm-lock.yaml
Comment thread docs/projects-showcase-media.md

@kkartunov kkartunov left a comment

Contributor

Looks good

@vas3a vas3a merged commit 2a73ec1 into dev Jul 2, 2026
5 checks passed
@vas3a vas3a deleted the PM-5487_showcase-media-security branch July 2, 2026 04:30