s3 bucket ploy

app/controllers/apis_controller.rb

@@ -19,8 +19,11 @@ class ApisController < ApplicationController
       basename = File.basename(file.path)
       o = bucket.objects[basename]
       out = o.write(:file => file.path)
+      # TODO rename file name
 
-      s3_file_urls << out.url_for(:read, expireds: 60).to_s
+      # http://soplana.hateblo.jp/entry/%E2%96%A0
+
+      s3_file_urls << out.url_for(:read).to_s
     end
 
     render json: { status: 'OK', urls: s3_file_urls }

config/aws-s3-bucket-policy.json

+{
+  "Version": "2012-10-17",
+  "Id": "Rendezvous http referer policy",
+  "Statement": [
+    {
+      "Sid": "Allow get requests referred by rendezvous",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::rendezvous-uploads/*",
+      "Condition": {
+        "StringLike": {
+          "aws:Referer": [
+            "http://localhost:3000/*",
+            "http://rendezvous.*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::rendezvous-uploads/*",
+      "Condition": {
+        "StringNotLike": {
+          "aws:Referer": [
+            "http://localhost:3000/*",
+            "http://rendezvous.*"
+          ]
+        }
+      }
+    }
+  ]
+}

config/settings.yml.example

@@ -6,6 +6,7 @@ defaults: &defaults
   google_api:
     client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
     secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    bucket_name: "xxxxxxxxxxxxxx"
 
 development:
   <<: *defaults