Problem
The volunteer document storage flow is entirely mocked:
upload-meta route (doc.routes.ts:88) returns fake S3 credentials (FAKE_POLICY, FAKE_CREDENTIAL, FAKE_SIGNATURE) pointing to the local mock endpoint
getDocumentUrl() (for-routes.ts:757) always returns a hardcoded URL to test_pdf.pdf on CloudFront regardless of the stored s3Key
This means coordinator-uploaded documents (Führungszeugnis, passport copies, measles vaccine proof) are not actually stored in or retrieved from S3.
Needed
- Implement real AWS S3 presigned POST URL generation in
upload-meta using @aws-sdk/s3-presigned-post or @aws-sdk/client-s3 (createPresignedPost)
- Implement real presigned GET URL generation in
getDocumentUrl() using getSignedUrl + GetObjectCommand, with a short expiry (e.g. 5 minutes) so documents can't be shared via URL
- Remove the
s3-upload-mock route from production (gate it on isDev or delete it)
- Add
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_S3_BUCKET_NAME to .env.example with descriptions
GDPR relevance
Without this, sensitive volunteer documents are not being stored securely in S3. The existing document deletion endpoints also reference volunteerId but not the actual S3 key, so files would be orphaned in S3 even if the DB record is deleted.
Context
Part of pre-NGO-onboarding security audit.
Problem
The volunteer document storage flow is entirely mocked:
upload-metaroute (doc.routes.ts:88) returns fake S3 credentials (FAKE_POLICY,FAKE_CREDENTIAL,FAKE_SIGNATURE) pointing to the local mock endpointgetDocumentUrl()(for-routes.ts:757) always returns a hardcoded URL totest_pdf.pdfon CloudFront regardless of the storeds3KeyThis means coordinator-uploaded documents (Führungszeugnis, passport copies, measles vaccine proof) are not actually stored in or retrieved from S3.
Needed
upload-metausing@aws-sdk/s3-presigned-postor@aws-sdk/client-s3(createPresignedPost)getDocumentUrl()usinggetSignedUrl+GetObjectCommand, with a short expiry (e.g. 5 minutes) so documents can't be shared via URLs3-upload-mockroute from production (gate it onisDevor delete it)AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION,AWS_S3_BUCKET_NAMEto.env.examplewith descriptionsGDPR relevance
Without this, sensitive volunteer documents are not being stored securely in S3. The existing document deletion endpoints also reference
volunteerIdbut not the actual S3 key, so files would be orphaned in S3 even if the DB record is deleted.Context
Part of pre-NGO-onboarding security audit.