Latest commit: 787e025a1f by Ambrose Chua, "Working web render for public albums", 2020-05-31 21:51:09 +08:00

Repository contents (with the last commit touching each entry):

  • cmd: Working web render for public albums, 2020-05-31 21:51:09 +08:00
  • internal: Implement unauthenticated access control, 2020-05-31 18:25:11 +08:00
  • pkg/bucket: Working web render for public albums, 2020-05-31 21:51:09 +08:00
  • web: Working web render for public albums, 2020-05-31 21:51:09 +08:00
  • .gitignore: Implement unauthenticated access control, 2020-05-31 18:25:11 +08:00
  • README.md: Implement unauthenticated access control, 2020-05-31 18:25:11 +08:00
  • go.mod: Working web render for public albums, 2020-05-31 21:51:09 +08:00
  • go.sum: Working web render for public albums, 2020-05-31 21:51:09 +08:00
  • main.go: More planning, 2020-05-26 12:45:55 +08:00

README.md

photos

A photo bucket management suite.

There are two modes of operation:

  • Domain
    • Buckets are exactly equal to their domain names
    • unset MINIO_DOMAIN
  • Subdomain
    • Buckets are named after subdomains
    • export MINIO_DOMAIN=your.domain

admin

Create new buckets. Standalone tool.

control

Implement access controls by signing or proxying requests.

Operations

GET /list?bucket=BUCKET&auth=TOKEN

  1. Consult the bucket for metadata.json
  2. Get list access method for the bucket
  3. Validate the token against the access method
  4. Return ListObjectsV2 for prefix photo/
    • Can also 307 redirect to the bucket's read URL if the bucket is publicly readable

GET /read?bucket=BUCKET&auth=TOKEN&object=OBJECTNAME

  1. Consult the bucket for metadata.json
  2. Get read access method for the bucket
  3. Validate the token against the access method
  4. Validate that OBJECTNAME starts with photo/
  5. If necessary, presign an object URL for 4 days
    • Cache presigned URLs for 2 days in memory/Redis
  6. 307 redirect to presigned URL

PUT /write?bucket=BUCKET&auth=TOKEN&object=OBJECTNAME

  1. Consult the bucket for metadata.json
  2. Get write access method for the bucket
  3. Validate the token against the access method
  4. Validate that OBJECTNAME starts with photo/
  5. If necessary, presign an object URL for 30 minutes
  6. 307 redirect to presigned URL

Authentication

Token

The read/write token is checked against a simple string defined in the bucket.

OpenID Connect

Recommended IDP: dex

The read/write operation is gated by a signed key corresponding to allowed users defined in the bucket.
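The /read operation and the token method above, as an added example in Go. This is not the project's code: it assumes a metadata.json layout with a read access method of kind "public" or "token" (the OIDC method is named but not implemented), replaces the MinIO SDK's presigned-GET call with a fake signer that only records the expiry, keeps the cache in memory in place of Redis, and uses constructed sample buckets (private.example, public.example) and tokens. The cache TTL (2 days) is deliberately shorter than the presign lifetime (4 days), so a URL served from the cache is always still valid.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// AccessMethod gates one operation: "public" needs no token, "token" compares
// the auth parameter with a string from the bucket's metadata.json. An OIDC
// method would verify a signed ID token instead; it is not implemented here.
type AccessMethod struct {
	Kind  string
	Token string
}

// Validate denies anything it does not recognise and compares tokens in
// constant time, so response timing does not reveal how much of a guess matched.
func (m AccessMethod) Validate(auth string) bool {
	return m.Kind == "public" || (m.Kind == "token" && m.Token != "" &&
		subtle.ConstantTimeCompare([]byte(auth), []byte(m.Token)) == 1)
}

const (
	photoPrefix = "photo/"
	presignTTL  = 4 * 24 * time.Hour // README: presign read URLs for 4 days
	cacheTTL    = 2 * 24 * time.Hour // README: cache them 2 days, so a cached URL never outlives its signature
)

type Cached struct{ URL string; Expires time.Time }

// Control serves /read. Meta holds each bucket's read access method as parsed
// from metadata.json (a real service fetches it from the bucket), Sign stands in
// for the MinIO SDK's presigned-GET call, Cache is the in-memory form of Redis.
type Control struct {
	Meta  map[string]AccessMethod
	Sign  func(bucket, object string, expiry time.Duration) (string, error)
	mu    sync.Mutex
	Cache map[string]Cached
}

func (c *Control) presigned(bucket, object string) (string, error) {
	key := bucket + "/" + object
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.Cache[key]; ok && time.Now().Before(e.Expires) {
		return e.URL, nil
	}
	u, err := c.Sign(bucket, object, presignTTL)
	if err != nil {
		return "", err
	}
	c.Cache[key] = Cached{URL: u, Expires: time.Now().Add(cacheTTL)}
	return u, nil
}

// Resolve runs the README's /read steps and returns the redirect target with
// 307, or an empty target and the error status. The token is checked before the
// object name, so callers without one cannot probe which keys pass validation.
func (c *Control) Resolve(bucket, object, auth string) (string, int) {
	method, ok := c.Meta[bucket]
	if !ok {
		return "", http.StatusNotFound
	}
	if !method.Validate(auth) {
		return "", http.StatusForbidden
	}
	// Only keys under photo/ are reachable; the bare prefix is rejected too.
	if !strings.HasPrefix(object, photoPrefix) || object == photoPrefix {
		return "", http.StatusBadRequest
	}
	u, err := c.presigned(bucket, object)
	if err != nil {
		return "", http.StatusBadGateway
	}
	return u, http.StatusTemporaryRedirect
}

// NewControl wires constructed sample buckets to a fake presigner that only
// encodes the expiry in the URL, so the example runs offline.
func NewControl() *Control {
	return &Control{
		Meta: map[string]AccessMethod{
			"private.example": {Kind: "token", Token: "s3cret"},
			"public.example":  {Kind: "public"},
		},
		Sign: func(bucket, object string, expiry time.Duration) (string, error) {
			return fmt.Sprintf("https://minio.example/%s/%s?X-Amz-Expires=%d", bucket, object, int(expiry.Seconds())), nil
		},
		Cache: map[string]Cached{},
	}
}
```

To expose this as the README's endpoint, an http.HandlerFunc for /read reads the bucket, object and auth query parameters, calls Resolve, and answers with http.Redirect on 307 or http.Error otherwise. Two details are worth keeping when adapting it: the access check runs before the object-name check, so a caller without a valid token gets the same 403 whatever key it names, and an unrecognised access method kind is denied rather than treated as public.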

web

Generates the web interface for a photo bucket. Also updates the shared asset bucket on start.

Operations

POST /webhook

POST /update?bucket=BUCKET

Regenerate and upload index.html and manage/index.html to the bucket.

preview

Generate previews from photo buckets. Registers webhooks.

Operations

POST /webhook

POST /update?bucket=BUCKET&photo=OBJECT

  1. Perform preview generation using libvips (maybe limit?)
  2. Block until done

proxy

Reverse proxies buckets to the minio endpoint, as a substitute for the AWS S3 website hosting features. Serves up index.html when URLs end in a slash.
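The proxy described here together with the Domain/Subdomain modes from the top of the README, as an added example in Go (not the project's code). It assumes a MINIO_ENDPOINT variable for the MinIO server URL, forwards path-style requests (MinIO's own host in the Host header, /bucket/key in the path) so the upstream does not re-derive the bucket from the original virtual host, and, as this example's own choice, only lets GET and HEAD through so the website proxy cannot be used to write to or delete from a bucket.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"path"
	"strings"
)

// BucketFromHost maps the request's Host header to a bucket following the
// README's two modes: with MINIO_DOMAIN unset the bucket is the whole host
// name; with it set, the bucket is whatever sits below that domain. Ports are
// stripped, names are lower-cased, and hosts outside the domain map to nothing.
func BucketFromHost(host, minioDomain string) (string, bool) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" {
		return "", false
	}
	if minioDomain == "" {
		return host, true
	}
	sub := strings.TrimSuffix(host, "."+strings.ToLower(minioDomain))
	if sub == host || sub == "" {
		return "", false
	}
	return sub, true
}

// ObjectPath turns the request path into a path-style key under the bucket,
// serving index.html for URLs that end in a slash (the README's rule). The path
// is cleaned first so the key always stays under the bucket prefix.
func ObjectPath(bucket, reqPath string) string {
	p := path.Clean("/" + reqPath)
	if strings.HasSuffix(reqPath, "/") || p == "/" {
		p = strings.TrimSuffix(p, "/") + "/index.html"
	}
	return "/" + bucket + p
}

// NewProxy forwards website-style GET/HEAD requests for a bucket to the MinIO
// endpoint. Other methods are refused here so the proxy cannot be used to write
// to or delete from a bucket (this example's choice; the README does not say).
func NewProxy(minioEndpoint *url.URL, minioDomain string) http.Handler {
	rp := &httputil.ReverseProxy{Director: func(r *http.Request) {
		r.URL.Scheme, r.URL.Host = minioEndpoint.Scheme, minioEndpoint.Host
		// Path-style request: send MinIO its own host so it does not try to
		// derive the bucket from the original virtual host.
		r.Host = minioEndpoint.Host
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		bucket, ok := BucketFromHost(r.Host, minioDomain)
		if !ok {
			http.NotFound(w, r)
			return
		}
		out := r.Clone(r.Context())
		out.URL.Path, out.URL.RawPath = ObjectPath(bucket, r.URL.Path), ""
		rp.ServeHTTP(w, out)
	})
}

func main() {
	// MINIO_ENDPOINT is this example's assumed variable for the MinIO server URL.
	endpoint, err := url.Parse(os.Getenv("MINIO_ENDPOINT"))
	if err != nil || endpoint.Host == "" {
		log.Fatal("MINIO_ENDPOINT must be a URL such as http://minio:9000")
	}
	log.Fatal(http.ListenAndServe(":8080", NewProxy(endpoint, os.Getenv("MINIO_DOMAIN"))))
}
```

With MINIO_DOMAIN=your.domain, a request for http://holiday.your.domain/2020/ is forwarded as GET /holiday/2020/index.html to the endpoint; with MINIO_DOMAIN unset the same request maps to the bucket named holiday.your.domain. A host that is not below the configured domain gets a 404 rather than a guess at a bucket name.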