DreamLake

Future Work

Upload Auth (Planned)

Status: Not yet implemented. This page describes the planned design.

Currently all BSS upload endpoints are public — anyone who knows the BSS URL can upload files. This needs to be locked down with the same presigned URL pattern used for Lambda triggers.

Current State (Insecure)

CLI ──→ POST /videos/upload/multipart/init { owner, project, hash }
        (no auth — public endpoint)

Any client can upload to any owner/project namespace without authentication.

Planned Design

DreamLake Server issues presigned upload URLs. The CLI requests them before starting the upload, then uses the signed URLs for all BSS multipart operations.

Flow

CLI                        DreamLake Server                BSS
 │                              │                           │
 ├─ POST /uploads/init ───────→│                           │
 │  { namespace, space,         │                           │
 │    filename, hash,           │                           │
 │    contentType }             │                           │
 │  (dreamlake JWT)             │                           │
 │                              ├─ Verify user owns ns      │
 │                              ├─ Generate presigned URLs  │
 │←── { initUrl, partsUrl,  ───│                           │
 │      completeUrl }           │                           │
 │                              │                           │
 ├─ POST initUrl ──────────────────────────────────────────→│
 │  (presigned, no auth)        │                           │
 │←── { uploadId, key } ───────────────────────────────────│
 │                              │                           │
 ├─ POST partsUrl ─────────────────────────────────────────→│
 │←── { parts: presigned S3 URLs } ────────────────────────│
 │                              │                           │
 ├─ PUT to S3 URLs ────────────────────────────────────────→│ S3
 │                              │                           │
 ├─ POST completeUrl ──────────────────────────────────────→│
 │←── { success } ─────────────────────────────────────────│

What Gets Signed

Each presigned URL is bound to an action, a scope and an expiry. initUrl is scoped to owner/project/hash; the parts, parts-done and complete URLs are scoped to owner/project (see the response shape below). For init:

sig = HMAC-SHA256(secret, "upload-init:hash={hash}&owner={owner}&project={project}:{exp}")

The action name is part of the signed string, so a URL signed for upload-init is not accepted by the parts or complete endpoints. This prevents:

  • Uploading to someone else's namespace
  • Reusing an upload URL for a different file
  • Using expired URLs

For this to hold, BSS must take owner, project and hash from the signed query string, not from the request body (the current init endpoint reads them from the body, see above): every request parameter that decides where the data lands has to be covered by the signature.

Endpoints to Protect

BSS Endpoint                               Presigned Action
POST /{type}/upload/multipart/init         upload-init
POST /{type}/upload/multipart/parts        upload-parts
GET  /{type}/upload/multipart/parts-done   upload-parts-done
POST /{type}/upload/multipart/complete     upload-complete
POST /{type}/upload/multipart/abort        upload-abort

DreamLake Server Endpoint (New)

POST /uploads/init
Auth: JWT
Body: { namespace, space, filename, hash, contentType, type }

Response:
{
  "initUrl":     "http://bss/.../init?owner=X&project=Y&hash=Z&exp=T&sig=S",
  "partsUrl":    "http://bss/.../parts?owner=X&project=Y&exp=T&sig=S",
  "partsDoneUrl":"http://bss/.../parts-done?owner=X&project=Y&exp=T&sig=S",
  "completeUrl": "http://bss/.../complete?owner=X&project=Y&exp=T&sig=S"
}

Migration

  • BSS upload endpoints get presignMiddleware (same middleware as Lambda endpoints)
  • CLI adds one extra request at the start: POST /uploads/init to get presigned URLs
  • Backward compat: env var REQUIRE_PRESIGNED_UPLOADS=true/false for gradual rollout. With false, BSS keeps accepting unsigned uploads while CLIs are updated; once every CLI goes through POST /uploads/init, set it to true and unsigned requests are rejected.