Custom Derivation Endpoint URL Signer

We are using Shrine with the derivation endpoint plugin to process our attachments on the fly, and we are using a CloudFront host to cache our derivations.

We would like to have signed URLs, but the default Shrine signer doesn't work well with a CDN setup, as the cache expires as soon as the URL changes. What we need is for the URL signature verification to be handled by the CDN directly, so our URL expiration is properly enforced without invalidating the cached assets.

As the signature is handled by the CDN we also need to skip the signature validation at the Rails endpoint level.

I was able to overwrite all that logic quite easily but supporting a custom signer option would make it much easier.

Here is our overwrite:

    class Shrine::Derivation::Url < Shrine::Derivation::Command
      def call(host:, prefix: nil, expires_in:, **options)
        url = [host, *prefix, identifier(**options)].join("/")

        # Generate CloudFront signed URL
        signer = Aws::CloudFront::UrlSigner.new(
          key_pair_id: ENV['CLOUDFRONT_KEY_PAIR_ID'],
          private_key: ENV['CLOUDFRONT_PRIVATE_KEY'])
        signer.signed_url(url,
          expires: (Time.current + expires_in).to_i)
      end

      private

      # Skip Shrine URL signer
      def signed_url(url); url end
    end

    # Skip Shrine URL verification
    class Shrine::UrlSigner
      def verify_url(url); end
    end

What would be nice is a way to just pass a signer: option to the plugin, which would also automatically disable the URL verification in Shrine.

Something like:

    require 'aws-sdk-cloudfront'
    signer = Aws::CloudFront::UrlSigner.new(
      key_pair_id: ENV['CLOUDFRONT_KEY_PAIR_ID'],
      private_key: ENV['CLOUDFRONT_PRIVATE_KEY'])

    Shrine.plugin :derivation_endpoint,
      host: ENV['CLOUDFRONT_HOST'],
      signer: -> (url, expires_in:) {
        signer.signed_url(url, expires: (Time.current + expires_in).to_i)
      }

What do you think? I’m wondering how people are using the Shrine signer expiration with a CDN.
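
What CDN-side verification means for the setup in the post above, as an added example that is not code from the thread, Shrine or the AWS SDK: it builds and checks a CloudFront canned-policy signed URL with Ruby's OpenSSL. The host, key pair id and throwaway key are constructed, and the function names are hypothetical.

```ruby
require "openssl"

# Shape of a canned-policy signed URL: the three signing params come last.
SIGNED = /\A(?<url>.+?)[?&]Expires=(?<exp>\d+)&Signature=(?<sig>[\w~-]+)&Key-Pair-Id=(?<kp>[^&]+)\z/

# Canned policy: compact JSON whose Resource is the unsigned URL.
def canned_policy(url, expires)
  %({"Statement":[{"Resource":"#{url}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires}}}}]})
end

# CloudFront's URL-safe base64: "+" => "-", "=" => "_", "/" => "~".
def cf_encode(bytes)
  [bytes].pack("m0").tr("+=/", "-_~")
end

def cf_decode(text)
  text.tr("-_~", "+=/").unpack1("m0")
end

# Application side: RSA-SHA1 signature over the policy, appended to the URL.
def sign_url(url, key, key_pair_id:, expires:)
  sig = key.sign(OpenSSL::Digest.new("SHA1"), canned_policy(url, expires))
  sep = url.include?("?") ? "&" : "?"
  "#{url}#{sep}Expires=#{expires}&Signature=#{cf_encode(sig)}&Key-Pair-Id=#{key_pair_id}"
end

# The URL without signing params: identical for every re-signed link.
def unsigned_url(signed)
  (m = SIGNED.match(signed)) ? m[:url] : signed
end

# Edge side: reject missing params, expired links and bad signatures.
def edge_accepts?(signed, public_key, now: Time.now.to_i)
  m = SIGNED.match(signed) or return false
  expires = m[:exp].to_i
  return false if now >= expires
  public_key.verify(OpenSSL::Digest.new("SHA1"), cf_decode(m[:sig]), canned_policy(m[:url], expires))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  url = "https://cdn.example.com/derivations/image/thumbnail/abc" # constructed
  link = sign_url(url, key, key_pair_id: "KEXAMPLE", expires: Time.now.to_i + 3600)
  puts unsigned_url(link), edge_accepts?(link, key.public_key)
end
```

Two links signed with different expirations differ only in the signing parameters, so the underlying derivation URL stays the same while each link still stops validating at its own `Expires` time.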

Hi, sorry for the delay again. Ability to pass a custom signer sounds good to me, would you like to send in a pull request?

Hi @janko, I gave it a try on [PR #549], how does that look to you?