
File Storage — Support signed, time-limited access to task PDFs #13

@TheRealSeber

Title
File Storage: Enable signed, time-limited access for task description PDFs

Description
File storage must support signed URLs that allow temporary, unauthenticated access to individual PDF files.
Storage itself should not perform user authentication — only signature and expiration validation.

Context / Motivation

  • PDFs are accessed by clients via URLs generated by the backend

  • Storage must be able to validate:

    • Signature authenticity
    • Expiration timestamp
    • HTTP method (GET only)
  • This allows scalable, secure file delivery with no per-request backend involvement (the backend only issues the URL)

Requirements

  • Storage must:

    • Validate cryptographic signatures generated by backend
    • Enforce expiration timestamps
    • Reject expired or tampered URLs with 403
    • Serve files only over HTTPS
  • Signed URLs must:

    • Be scoped to a specific object path
    • Not allow listing, overwrite, or deletion
  • Support CDN caching if applicable (signature in query params)

Non-Requirements

  • No user/session authentication at storage level
  • No cookies or custom auth headers
  • No long-lived or public URLs

Security Considerations

  • Use HMAC or provider-native signing mechanism
  • Signing keys must be securely stored and rotated
  • Storage access logs should include signature validation failures

Acceptance Criteria

  • Valid signed URL → PDF is returned
  • Expired or modified URL → 403 Forbidden
  • URL without signature → 403 Forbidden
  • Only GET requests are allowed
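To make the requirements and acceptance criteria above concrete, here is an added, self-contained Python example of the generic HMAC variant (the provider-native mechanisms named in the Notes replace this when S3, GCS or Azure is used). It is not code from this issue or the project. The hostname `files.example.test`, the `/tasks/<id>/*.pdf` path convention, the query parameter names (`expires`, `kid`, `sig`) and the key ids `k1`/`k2` are assumptions for illustration. `sign_url` is the backend side; `verify_request` is what the storage edge runs: it checks scheme, method, signature and expiry only, with no user or session lookup, and returns 403 for every failure the acceptance criteria list. Keeping several key versions keyed by `kid` is how rotation works without invalidating URLs that are still within their TTL.

```python
"""HMAC-signed, time-limited GET URLs for task PDFs (illustrative example)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample keys for this example. In production they come from a
# secret store; keeping several versions keyed by id lets the backend rotate to
# a new key while storage still verifies not-yet-expired URLs signed with the old one.
SIGNING_KEYS = {
    "k1": b"previous-key-still-accepted-until-its-urls-expire",
    "k2": b"current-key-used-for-new-signatures",
}
CURRENT_KEY_ID = "k2"
STORAGE_ORIGIN = "https://files.example.test"  # assumed storage hostname


def _canonical(method: str, path: str, expires: int, key_id: str) -> bytes:
    # Everything storage must enforce is bound into the MAC: method, exact
    # object path, expiry and key id. Changing any of them breaks the signature.
    return f"{method.upper()}\n{path}\n{expires}\n{key_id}".encode()


def _is_object_path(path: str) -> bool:
    # Scope to one PDF object under /tasks/: no listing (trailing slash),
    # no traversal or empty segments.
    if not path.startswith("/tasks/") or not path.endswith(".pdf"):
        return False
    return all(seg not in ("", ".", "..") for seg in path.split("/")[1:])


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None,
             key_id: str = CURRENT_KEY_ID) -> str:
    """Backend side: issue a GET-only URL valid for ttl_seconds."""
    if not _is_object_path(path):
        raise ValueError("refusing to sign a non-object path")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    mac = hmac.new(SIGNING_KEYS[key_id], _canonical("GET", path, expires, key_id),
                   hashlib.sha256).hexdigest()
    # Signature travels in the query string so a CDN can cache by full URL.
    return f"{STORAGE_ORIGIN}{path}?" + urlencode(
        {"expires": expires, "kid": key_id, "sig": mac})


def verify_request(method: str, url: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Storage side: (200, 'ok') for a valid GET, otherwise (403, reason).

    No user or session lookup happens here; only scheme, method, object-path
    scope, signature and expiry are checked.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 403, "https required"
    if method.upper() != "GET":
        return 403, "method not allowed"
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        key_id = query["kid"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return 403, "missing or malformed signature parameters"
    key = SIGNING_KEYS.get(key_id)
    if key is None:
        return 403, "unknown key id"
    if not _is_object_path(parts.path):
        return 403, "not a single object path"
    expected = hmac.new(key, _canonical("GET", parts.path, expires, key_id),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak the MAC.
    if not hmac.compare_digest(expected, sig):
        return 403, "bad signature"
    if now >= expires:
        return 403, "expired"
    return 200, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = sign_url("/tasks/42/description.pdf", ttl_seconds=600, now=issued_at)
    print(url)
    print(verify_request("GET", url, now=issued_at + 60))   # (200, 'ok')
    print(verify_request("GET", url, now=issued_at + 600))  # (403, 'expired')
    print(verify_request("PUT", url, now=issued_at + 60))   # (403, 'method not allowed')
    print(verify_request("GET", url.replace("/42/", "/43/"), now=issued_at + 60))  # (403, 'bad signature')
```

Because the path, method and expiry are all inside the MAC, a URL issued for one PDF cannot be edited into a URL for another object, extended, or reused for a PUT or DELETE; the `kid` lookup is what lets a rotated-out key keep verifying until its last URL expires, after which it can be dropped from the key set. Each 403 branch is a distinct reason string so the storage access log can record why validation failed, as the Security Considerations ask.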

Notes

  • Prefer built-in mechanisms (e.g. S3 pre-signed URLs, GCS signed URLs, Azure SAS)
  • TTL should align with backend configuration

Metadata

Labels

enhancement (New feature or request)

Projects

Status

No status

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests