Ambrose Chua
32d5b985b4
|
||
|---|---|---|
| build | ||
| cmd | ||
| deployments | ||
| internal/httphelpers | ||
| pkg | ||
| web | ||
| .dockerignore | ||
| .gitignore | ||
| README.md | ||
| Tiltfile | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
README.md
photos
A photo bucket management suite.
Bucket Format
photo/[filename]- Original photo. Name conflict resolution (excluding extension) must be handled client-side.
preview/[filename]_h[height]q[quality].[format]- Preview photos at lower resolutions and quality.
- Generator: preview
photometadata/[filename]/size- Original photo size, JSON
- Generator: preview
photometadata/[filename]/date- Original photo date taken, unix timestamp
- Generator: preview
photometadata/[filename]/title- Photo title
photometadata/[filename]/tags- Photo tags
metadata/title- Photo album title
metadata/description- Photo album description, markdown
metadata/ordering- Manual sort ordering, newline separated
internal/control- Access control settings, JSON
admin
- Standalone tool to manage an S3-like account
- In-browser handling of:
- ListBuckets
- MakeBucket
- RemoveBucket
- Setup photo bucket
- Uploads initial metadata
- SetBucketPolicy that matches
- Adds credentials to database.
- Disconnect photo bucket
- Removes credentials from database
- In-browser handling of:
Operations
PUT /credential?bucket=BUCKET
- Ensure credentials work on BUCKET
- Write credentials to KV store
DELETE /credential?bucket=BUCKET
- Ensure credentials work on BUCKET
- Write credentials to KV store
Data
Credentials must be passed as:
{
"access_key": string,
"secret_key": string,
"region": string
}
control
Implement access controls by signing requests, using credentials in database.
Operations
GET /sign?bucket=BUCKET&token=TOKEN&request=REQUEST
- Consult the bucket for
metadata/controlwith credentials - Get read access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
- ListObjectsV2, GetObject
- Not
internal/
- If necessary, presign an object URL for 4 days
- Cache presigned URLs for 2 days in memory/Redis
- 307 redirect to presigned URL
PUT /sign?bucket=BUCKET&token=TOKEN&request=REQUEST
- Consult the bucket for
metadata/controlwith credentials - Get write access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
- PutObject
- Not
internal/
- If necessary, presign an object URL for 30 minutes
- 307 redirect to presigned URL
DELETE /sign?bucket=BUCKET&token=TOKEN&request=REQUEST
- Consult the bucket for
metadata/controlwith credentials - Get write access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
- RemoveObject
- Not
internal/
- If necessary, presign an object URL for 30 minutes
- 307 redirect to presigned URL
Authentication
Token
The read/write token is checked against a simple string defined in the bucket.
OpenID Connect
Recommended IDP: dex
The read/write operation is gated by a signed key corresponding to allowed users defined in the bucket.
web
Generates the web interface for a photo bucket. Also serves up the shared assets.
Operations
POST /update?bucket=BUCKET
Regenerate and upload index.html and manage/index.html to bucket.
preview
Generate previews from photo buckets.
Operations
POST /update?bucket=BUCKET&photo=OBJECT
- Perform preview generation using libvips (maybe limit?)
- Block until done
proxy
Reverse proxies buckets to the MinIO endpoint, as a substitute for AWS S3 website hosting features. Serves up index.html when URLs end in a slash.
In production, replace this with Nginx.