fix(security): remove MinIO hardcoded credentials & add presigned URL support

- Remove hardcoded minioadmin/minioadmin_secret fallback from docker-compose.yml, require MINIO_ACCESS_KEY/MINIO_SECRET_KEY env vars (fail-fast with :? syntax) - Align docker-compose.yml env var names with .env.example (MINIO_ACCESS_KEY/SECRET_KEY) - Update CI e2e workflow to use GitHub vars with non-default fallbacks - Update .env.test to use non-default test credentials - Add @aws-sdk/s3-request-presigner and getPresignedUploadUrl() method to MinioMediaStorageService for properly signed client-side uploads - Remove hardcoded credentials from dev-environment docs Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 22:44:50 +07:00
parent 8a86cf42d4
commit 03231271ca
7 changed files with 50 additions and 9 deletions
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -72,6 +72,9 @@ importers:
      '@aws-sdk/client-s3':
        specifier: ^3.1026.0
        version: 3.1026.0
+      '@aws-sdk/s3-request-presigner':
+        specifier: ^3.1026.0
+        version: 3.1026.0
      '@goodgo/mcp-servers':
        specifier: workspace:*
        version: link:../../libs/mcp-servers
@@ -485,6 +488,10 @@ packages:
    resolution: {integrity: sha512-6Q8B1dcx6BBqUTY1Mc/eROKA0FImEEY5VPSd6AGPEUf0ErjExz4snVqa9kNJSoVDV1rKaNf3qrWojgcKW+SdDg==}
    engines: {node: '>=20.0.0'}

+  '@aws-sdk/s3-request-presigner@3.1026.0':
+    resolution: {integrity: sha512-PBVt/zb4YsJMcyB/HbGmID4RP00dTkdQGkNQiw1i6oXQ/U8hnPEI8+IvTKR4+5YEQ8Cq4QmtIV0mzv070L+oOg==}
+    engines: {node: '>=20.0.0'}
+
  '@aws-sdk/signature-v4-multi-region@3.996.16':
    resolution: {integrity: sha512-EMdXYB4r/k5RWq86fugjRhid5JA+Z6MpS7n4sij4u5/C+STrkvuf9aFu41rJA9MjUzxCLzv8U2XL8cH2GSRYpQ==}
    engines: {node: '>=20.0.0'}
@@ -505,6 +512,10 @@ packages:
    resolution: {integrity: sha512-2nUQ+2ih7CShuKHpGSIYvvAIOHy52dOZguYG36zptBukhw6iFwcvGfG0tes0oZFWQqEWvgZe9HLWaNlvXGdOrg==}
    engines: {node: '>=20.0.0'}

+  '@aws-sdk/util-format-url@3.972.9':
+    resolution: {integrity: sha512-fNJXHrs0ZT7Wx0KGIqKv7zLxlDXt2vqjx9z6oKUQFmpE5o4xxnSryvVHfHpIifYHWKz94hFccIldJ0YSZjlCBw==}
+    engines: {node: '>=20.0.0'}
+
  '@aws-sdk/util-locate-window@3.965.5':
    resolution: {integrity: sha512-WhlJNNINQB+9qtLtZJcpQdgZw3SCDCpXdUJP7cToGwHbCWCnRckGlc6Bx/OhWwIYFNAn+FIydY8SZ0QmVu3xTQ==}
    engines: {node: '>=20.0.0'}
@@ -6273,6 +6284,17 @@ snapshots:
      '@smithy/types': 4.14.0
      tslib: 2.8.1

+  '@aws-sdk/s3-request-presigner@3.1026.0':
+    dependencies:
+      '@aws-sdk/signature-v4-multi-region': 3.996.16
+      '@aws-sdk/types': 3.973.7
+      '@aws-sdk/util-format-url': 3.972.9
+      '@smithy/middleware-endpoint': 4.4.29
+      '@smithy/protocol-http': 5.3.13
+      '@smithy/smithy-client': 4.12.9
+      '@smithy/types': 4.14.0
+      tslib: 2.8.1
+
  '@aws-sdk/signature-v4-multi-region@3.996.16':
    dependencies:
      '@aws-sdk/middleware-sdk-s3': 3.972.28
@@ -6311,6 +6333,13 @@ snapshots:
      '@smithy/util-endpoints': 3.3.4
      tslib: 2.8.1

+  '@aws-sdk/util-format-url@3.972.9':
+    dependencies:
+      '@aws-sdk/types': 3.973.7
+      '@smithy/querystring-builder': 4.2.13
+      '@smithy/types': 4.14.0
+      tslib: 2.8.1
+
  '@aws-sdk/util-locate-window@3.965.5':
    dependencies:
      tslib: 2.8.1