Skip to content

Security: document upload/download is mocked — real S3 presigned URL flow missing #724

Description

@nadavosa

Problem

The volunteer document storage flow is entirely mocked:

  • upload-meta route (doc.routes.ts:88) returns fake S3 credentials (FAKE_POLICY, FAKE_CREDENTIAL, FAKE_SIGNATURE) pointing to the local mock endpoint
  • getDocumentUrl() (for-routes.ts:757) always returns a hardcoded URL to test_pdf.pdf on CloudFront regardless of the stored s3Key

This means coordinator-uploaded documents (Führungszeugnis, passport copies, measles vaccine proof) are not actually stored in or retrieved from S3.

Needed

  1. Implement real AWS S3 presigned POST URL generation in upload-meta using @aws-sdk/s3-presigned-post or @aws-sdk/client-s3 (createPresignedPost)
  2. Implement real presigned GET URL generation in getDocumentUrl() using getSignedUrl + GetObjectCommand, with a short expiry (e.g. 5 minutes) so documents can't be shared via URL
  3. Remove the s3-upload-mock route from production (gate it on isDev or delete it)
  4. Add AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_S3_BUCKET_NAME to .env.example with descriptions

GDPR relevance

Without this, sensitive volunteer documents are not being stored securely in S3. The existing document deletion endpoints also reference volunteerId but not the actual S3 key, so files would be orphaned in S3 even if the DB record is deleted.

Context

Part of pre-NGO-onboarding security audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions