Backend — Generate short-lived signed URLs for task PDF access

[TheRealSeber]

Description
We need to allow clients to access task description PDFs stored in file storage without introducing authentication at the storage layer.
The backend will remain the single authorization point and will generate short-lived signed URLs that grant temporary, read-only access to a specific PDF.

Context / Motivation

• Task descriptions are stored as PDF files in file storage
• Clients must not have direct credentials or long-term access to storage
• Backend already authenticates users and knows which task they are allowed to access
• We want scalable file delivery without proxying files through the backend

Proposed Flow

1. Client requests task details from backend
2. Backend verifies user authorization for the task
3. Backend generates a short-lived signed URL for the task’s PDF
4. Backend returns the signed URL as part of the task response
5. Client downloads the PDF directly from file storage using the URL

Requirements

• Signed URL must:

  • Be read-only (GET only)
  • Be scoped to one specific file
  • Have a short TTL (e.g. 1–5 minutes)

• Backend must:

  • Enforce authorization before generating the URL
  • Never expose storage secret keys to clients
  • Support regeneration of URLs on demand

• URLs should be returned via JSON response (not cookies, not headers)

API Example

GET /api/v1/tasks/{taskId}

Response:

{
  "taskId": "123",
  "title": "Example task",
  "descriptionPdfUrl": "https://storage.example.com/…signed…"
}

Acceptance Criteria

• Unauthorized users cannot obtain signed URLs
• Signed URLs expire and return 403 after TTL
• Backend does not proxy or stream PDF contents
• No storage credentials are exposed to frontend

Notes

• Prefer native signed-URL support from the storage provider if available
• TTL should be configurable via environment/config