Latest commit: Ambrose Chua, 32d5b985b4

Repository contents: `build`, `cmd`, `deployments`, `internal/httphelpers`, `pkg`, `web`, `.dockerignore`, `.gitignore`, `README.md`, `Tiltfile`, `go.mod`, `go.sum`, `main.go`
# photos

A photo bucket management suite.

## Bucket Format
`photo/[filename]`
- Original photo. Name conflict resolution (excluding extension) must be handled client-side.

`preview/[filename]_h[height]q[quality].[format]`
- Preview photos at lower resolutions and quality.
- Generator: preview

`photometadata/[filename]/size`
- Original photo size, JSON
- Generator: preview

`photometadata/[filename]/date`
- Original photo date taken, unix timestamp
- Generator: preview

`photometadata/[filename]/title`
- Photo title

`photometadata/[filename]/tags`
- Photo tags

`metadata/title`
- Photo album title

`metadata/description`
- Photo album description, markdown

`metadata/ordering`
- Manual sort ordering, newline separated

`internal/control`
- Access control settings, JSON
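The preview key layout above is the one piece of the bucket format with an embedded mini-grammar. The Go example below (added here, not code from the project) parses and rebuilds `preview/[filename]_h[height]q[quality].[format]` keys, derives the matching `photo/` and `photometadata/` keys, and applies validation rules that are this example's own assumptions: positive height, quality in 1..100, and a flat filename, since `photo/` has no subdirectories and a slash or `..` in the name would point outside that namespace.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PreviewKey is one object under preview/ in the bucket layout:
//   preview/[filename]_h[height]q[quality].[format]
type PreviewKey struct {
	Filename string // name of the original under photo/, extension included
	Height   int
	Quality  int
	Format   string
}

// The filename group is greedy, so an original whose own name ends in "_h<n>q<n>"
// still parses correctly: the generator always appends its suffix last.
var previewRe = regexp.MustCompile(`^preview/(.+)_h(\d+)q(\d+)\.([A-Za-z0-9]+)$`)

// ParsePreviewKey splits a preview object key into its parts and validates them.
func ParsePreviewKey(key string) (PreviewKey, error) {
	m := previewRe.FindStringSubmatch(key)
	if m == nil {
		return PreviewKey{}, fmt.Errorf("not a preview key: %q", key)
	}
	h, errH := strconv.Atoi(m[2])
	q, errQ := strconv.Atoi(m[3])
	if errH != nil || errQ != nil {
		return PreviewKey{}, fmt.Errorf("numeric field out of range in %q", key)
	}
	p := PreviewKey{Filename: m[1], Height: h, Quality: q, Format: m[4]}
	if err := p.Validate(); err != nil {
		return PreviewKey{}, err
	}
	return p, nil
}

// Validate applies the checks this example assumes (they are not stated by the README):
// positive height, a 1..100 quality, and a flat filename that stays inside photo/.
func (p PreviewKey) Validate() error {
	switch {
	case p.Height <= 0:
		return errors.New("height must be positive")
	case p.Quality <= 0 || p.Quality > 100:
		return errors.New("quality must be in 1..100")
	case p.Filename == "" || p.Filename == "." || p.Filename == ".." || strings.Contains(p.Filename, "/"):
		return fmt.Errorf("invalid filename %q", p.Filename)
	case p.Format == "":
		return errors.New("format must not be empty")
	}
	return nil
}

// Key renders the preview object key; it is the inverse of ParsePreviewKey.
func (p PreviewKey) Key() string {
	return fmt.Sprintf("preview/%s_h%dq%d.%s", p.Filename, p.Height, p.Quality, p.Format)
}

// PhotoKey is the original object this preview was generated from.
func (p PreviewKey) PhotoKey() string { return "photo/" + p.Filename }

// MetadataKeys lists the per-photo objects: size and date are written by the preview
// generator, title and tags are client-managed.
func MetadataKeys(filename string) []string {
	keys := make([]string, 0, 4)
	for _, field := range []string{"size", "date", "title", "tags"} {
		keys = append(keys, "photometadata/"+filename+"/"+field)
	}
	return keys
}

func main() {
	// Constructed sample key, not taken from a real bucket.
	p, err := ParsePreviewKey("preview/IMG_0001.jpg_h480q80.webp")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%s\n%v\n", p, p.PhotoKey(), MetadataKeys(p.Filename))
}
```

Because the filename group is greedy, an original named `x_h1q2.jpg` still round-trips: its preview key `preview/x_h1q2.jpg_h200q50.jpg` parses back to filename `x_h1q2.jpg`, height 200, quality 50.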
## admin

- Standalone tool to manage an S3-like account
- In-browser handling of:
  - ListBuckets
  - MakeBucket
  - RemoveBucket
- Setup photo bucket
  - Uploads initial metadata
  - SetBucketPolicy that matches
  - Adds credentials to database.
- Disconnect photo bucket
  - Removes credentials from database
- In-browser handling of:
### Operations

`PUT /credential?bucket=BUCKET`
- Ensure credentials work on BUCKET
- Write credentials to KV store

`DELETE /credential?bucket=BUCKET`
- Ensure credentials work on BUCKET
- Write credentials to KV store

### Data

Credentials must be passed as:

```
{
  "access_key": string,
  "secret_key": string,
  "region": string
}
```
## control

Implement access controls by signing requests, using credentials in database.

### Operations

`GET /sign?bucket=BUCKET&token=TOKEN&request=REQUEST`
- Consult the bucket for `metadata/control` with credentials
  - Get read access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
  - ListObjectsV2, GetObject
  - Not `internal/`
- If necessary, presign an object URL for 4 days
  - Cache presigned URLs for 2 days in memory/Redis
- 307 redirect to presigned URL

`PUT /sign?bucket=BUCKET&token=TOKEN&request=REQUEST`
- Consult the bucket for `metadata/control` with credentials
  - Get write access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
  - PutObject
  - Not `internal/`
- If necessary, presign an object URL for 30 minutes
- 307 redirect to presigned URL

`DELETE /sign?bucket=BUCKET&token=TOKEN&request=REQUEST`
- Consult the bucket for `metadata/control` with credentials
  - Get write access method for the bucket
- Validate the token against the access method
- Validate REQUEST is an acceptable request
  - RemoveObject
  - Not `internal/`
- If necessary, presign an object URL for 30 minutes
- 307 redirect to presigned URL
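The three `/sign` operations share one shape: check the token against the bucket's access method, check that REQUEST is an operation the method permits and does not touch `internal/`, presign, and redirect. The Go handler below is an added example written for this README, not the project's code. It assumes the operation name arrives in `request` and the object key (or list prefix) in an `object` query parameter, which the README does not specify; it stands in for the S3 client with a `Presign` function field and takes the per-bucket tokens in memory instead of loading them from the control object. One design choice goes beyond the README's "not `internal/`" rule: keys are allow-listed against the public namespaces from Bucket Format, which also stops a `ListObjectsV2` prefix such as `i` from listing `internal/`.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/url"
	"path"
	"strings"
	"sync"
	"time"
)

// Lifetimes from the README. Reads are presigned for 4 days but cached for only 2,
// so a cached URL always has validity left when it is handed out; writes last 30 minutes.
const (
	readPresignTTL  = 4 * 24 * time.Hour
	readCacheTTL    = 2 * 24 * time.Hour
	writePresignTTL = 30 * time.Minute
)

// allowedRequests maps the /sign HTTP method to the operations it may presign.
var allowedRequests = map[string]map[string]bool{
	http.MethodGet:    {"ListObjectsV2": true, "GetObject": true},
	http.MethodPut:    {"PutObject": true},
	http.MethodDelete: {"RemoveObject": true},
}

// publicPrefixes are the Bucket Format namespaces a client may reach. Allow-listing
// them, rather than deny-listing internal/, also blocks a ListObjectsV2 prefix like "i".
var publicPrefixes = []string{"photo/", "preview/", "photometadata/", "metadata/"}

// Control is a bucket's access method, here the "simple string" token variant.
type Control struct{ ReadToken, WriteToken string }

type cacheEntry struct {
	u       *url.URL
	expires time.Time
}

// Signer serves /sign. Controls would be loaded from the bucket's control object with
// the stored credentials; this example takes them in memory. Presign is an assumed hook
// standing in for the S3 client, and Now is injectable so expiry can be tested.
type Signer struct {
	Controls map[string]Control
	Presign  func(bucket, request, object string, ttl time.Duration) (*url.URL, error)
	Now      func() time.Time
	cache    sync.Map // cacheKey -> cacheEntry
}

// ObjectKeyAllowed normalises the key first, so "photo/../internal/control" and
// "./internal/control" cannot slip past, then requires a public namespace.
func ObjectKeyAllowed(key string) bool {
	clean := strings.TrimPrefix(path.Clean("/"+key), "/")
	for _, p := range publicPrefixes {
		if clean+"/" == p || strings.HasPrefix(clean, p) {
			return true
		}
	}
	return false
}

func (s *Signer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	bucket, token, request, object := q.Get("bucket"), q.Get("token"), q.Get("request"), q.Get("object")
	// 1. Validate the token against the read (GET) or write (PUT/DELETE) access method,
	//    comparing in constant time so response timing does not leak the secret.
	expected, ttl := s.Controls[bucket].WriteToken, writePresignTTL
	if r.Method == http.MethodGet {
		expected, ttl = s.Controls[bucket].ReadToken, readPresignTTL
	}
	if expected == "" || subtle.ConstantTimeCompare([]byte(token), []byte(expected)) != 1 {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// 2. Validate REQUEST: an operation this method allows, on a key outside internal/.
	if !allowedRequests[r.Method][request] {
		http.Error(w, "unsupported request", http.StatusBadRequest)
		return
	}
	if !ObjectKeyAllowed(object) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// 3. Reads reuse a cached URL while it is fresh; otherwise presign now. Then 307.
	cacheKey := bucket + "\x00" + request + "\x00" + object
	if v, hit := s.cache.Load(cacheKey); r.Method == http.MethodGet && hit && s.Now().Before(v.(cacheEntry).expires) {
		http.Redirect(w, r, v.(cacheEntry).u.String(), http.StatusTemporaryRedirect)
		return
	}
	u, err := s.Presign(bucket, request, object, ttl)
	if err != nil {
		http.Error(w, "presign failed", http.StatusBadGateway)
		return
	}
	if r.Method == http.MethodGet {
		s.cache.Store(cacheKey, cacheEntry{u: u, expires: s.Now().Add(readCacheTTL)})
	}
	http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
}
```

Mount it with `http.Handle("/sign", &Signer{Controls: ..., Presign: ..., Now: time.Now})`. The cache is keyed on bucket, operation and object, and an entry is trusted only while the 2-day cache lifetime holds, so a cached URL is never handed out in the last two days of its 4-day signature; write URLs are never cached because their 30-minute lifetime is shorter than any useful cache window.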
### Authentication

#### Token

The read/write token is checked against a simple string defined in the bucket.

#### OpenID Connect

Recommended IDP: dex

The read/write operation is gated by a signed key corresponding to allowed users defined in the bucket.
## web

Generates the web interface for a photo bucket. Also serves up the shared assets.

### Operations

`POST /update?bucket=BUCKET`
- Regenerate and upload `index.html` and `manage/index.html` to bucket.

## preview

Generate previews from photo buckets.

### Operations

`POST /update?bucket=BUCKET&photo=OBJECT`
- Perform preview generation using libvips (maybe limit?)
- Block until done

## proxy

Reverse proxies buckets to the MinIO endpoint, as a substitute for AWS S3 website hosting features. Serves up `index.html` when URLs end in a slash.

In production, replace this with Nginx.