✨(backend) add authenticated recording file access method

Implement secure recording file access through authentication instead of exposing S3 bucket or using temporary signed links with loose permissions. Inspired by docs and @spaccoud's implementation, with comprehensive viewset checks to prevent unauthorized recording downloads. The ingress reserved to media intercept the original request, and thanks to Nginx annotations, check with the backend if the user is allowed to donwload this recording file. This might introduce a dependency to Nginx in the project by the way. Note: Tests are integration-based rather than unit tests, requiring minio in the compose stack and CI environment. Implementation includes known botocore deprecation warnings that per GitHub issues won't be resolved for months.
2025-04-14 16:41:49 +02:00
parent dc06b55693
commit 41c1f41ed2
13 changed files with 690 additions and 29 deletions
--- a/.github/workflows/meet.yml
+++ b/.github/workflows/meet.yml
@@ -135,6 +135,9 @@ jobs:
      STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
      LIVEKIT_API_SECRET: secret
      LIVEKIT_API_KEY: devkey
+      AWS_S3_ENDPOINT_URL: http://localhost:9000
+      AWS_S3_ACCESS_KEY_ID: meet
+      AWS_S3_SECRET_ACCESS_KEY: password

    steps:
      - name: Checkout repository
@@ -152,6 +155,33 @@ jobs:
          path: "src/backend/core/templates/mail"
          key: mail-templates-${{ hashFiles('src/mail/mjml') }}

+      - name: Start MinIO
+        run: |
+          docker pull minio/minio
+          docker run -d --name minio \
+            -p 9000:9000 \
+            -e "MINIO_ACCESS_KEY=meet" \
+            -e "MINIO_SECRET_KEY=password" \
+            -v /data/media:/data \
+            minio/minio server --console-address :9001 /data
+
+      # Tool to wait for a service to be ready
+      - name: Install Dockerize
+        run: |
+          curl -sSL https://github.com/jwilder/dockerize/releases/download/v0.8.0/dockerize-linux-amd64-v0.8.0.tar.gz | sudo tar -C /usr/local/bin -xzv
+
+      - name: Wait for MinIO to be ready
+        run: |
+          dockerize -wait tcp://localhost:9000 -timeout 10s
+
+      - name: Configure MinIO
+        run: |
+          MINIO=$(docker ps | grep minio/minio | sed -E 's/.*\s+([a-zA-Z0-9_-]+)$/\1/')
+          docker exec ${MINIO} sh -c \
+            "mc alias set meet http://localhost:9000 meet password && \
+            mc alias ls && \
+            mc mb meet/meet-media-storage"
+
      - name: Install Python
        uses: actions/setup-python@v5
        with: