activestorage 5.2.4.4 → 6.1.1

data/app/controllers/active_storage/base_controller.rb

@@ -1,10 +1,19 @@
 # frozen_string_literal: true
 
-# The base controller for all ActiveStorage controllers.
+# The base class for all Active Storage controllers.
 class ActiveStorage::BaseController < ActionController::Base
+  include ActiveStorage::SetCurrent
+
   protect_from_forgery with: :exception
 
-  before_action do
-    ActiveStorage::Current.host = request.base_url
-  end
+  self.etag_with_template_digest = false
+
+  private
+    def stream(blob)
+      blob.download do |chunk|
+        response.stream.write chunk
+      end
+    ensure
+      response.stream.close
+    end
 end

data/app/controllers/active_storage/blobs/proxy_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Proxy files through application. This avoids having a redirect and makes files easier to cache.
+class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+  include ActiveStorage::SetHeaders
+
+  def show
+    http_cache_forever public: true do
+      set_content_headers_from @blob
+      stream @blob
+    end
+  end
+end

data/app/controllers/active_storage/{blobs_controller.rb → blobs/redirect_controller.rb}

@@ -4,11 +4,11 @@
 # Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
 # security-through-obscurity factor of the signed blob references, you'll need to implement your own
 # authenticated redirection controller.
-class ActiveStorage::BlobsController < ActiveStorage::BaseController
+class ActiveStorage::Blobs::RedirectController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
-    expires_in ActiveStorage::Blob.service.url_expires_in
-    redirect_to @blob.service_url(disposition: params[:disposition])
+    expires_in ActiveStorage.service_urls_expire_in
+    redirect_to @blob.url(disposition: params[:disposition])
   end
 end

data/app/controllers/active_storage/direct_uploads_controller.rb

@@ -5,13 +5,13 @@
 # the blob that was created up front.
 class ActiveStorage::DirectUploadsController < ActiveStorage::BaseController
   def create
-    blob = ActiveStorage::Blob.create_before_direct_upload!(blob_args)
+    blob = ActiveStorage::Blob.create_before_direct_upload!(**blob_args)
     render json: direct_upload_json(blob)
   end
 
   private
     def blob_args
-      params.require(:blob).permit(:filename, :byte_size, :checksum, :content_type, :metadata).to_h.symbolize_keys
+      params.require(:blob).permit(:filename, :byte_size, :checksum, :content_type, metadata: {}).to_h.symbolize_keys
     end
 
     def direct_upload_json(blob)

data/app/controllers/active_storage/disk_controller.rb

@@ -3,56 +3,47 @@
 # Serves files stored with the disk service in the same way that the cloud services do.
 # This means using expiring, signed URLs that are meant for immediate access, not permanent linking.
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
-# to the service url.
+# to the service URL.
 class ActiveStorage::DiskController < ActiveStorage::BaseController
+  include ActiveStorage::FileServer
+
   skip_forgery_protection
 
   def show
     if key = decode_verified_key
-      serve_file disk_service.path_for(key[:key]), content_type: key[:content_type], disposition: key[:disposition]
+      serve_file named_disk_service(key[:service_name]).path_for(key[:key]), content_type: key[:content_type], disposition: key[:disposition]
     else
       head :not_found
     end
+  rescue Errno::ENOENT
+    head :not_found
   end
 
   def update
     if token = decode_verified_token
       if acceptable_content?(token)
-        disk_service.upload token[:key], request.body, checksum: token[:checksum]
-        head :no_content
+        named_disk_service(token[:service_name]).upload token[:key], request.body, checksum: token[:checksum]
       else
         head :unprocessable_entity
       end
+    else
+      head :not_found
     end
   rescue ActiveStorage::IntegrityError
     head :unprocessable_entity
   end
 
   private
-    def disk_service
-      ActiveStorage::Blob.service
+    def named_disk_service(name)
+      ActiveStorage::Blob.services.fetch(name) do
+        ActiveStorage::Blob.service
+      end
     end
 
-
     def decode_verified_key
       ActiveStorage.verifier.verified(params[:encoded_key], purpose: :blob_key)
     end
 
-    def serve_file(path, content_type:, disposition:)
-      Rack::File.new(nil).serving(request, path).tap do |(status, headers, body)|
-        self.status = status
-        self.response_body = body
-
-        headers.each do |name, value|
-          response.headers[name] = value
-        end
-
-        response.headers["Content-Type"] = content_type || DEFAULT_SEND_FILE_TYPE
-        response.headers["Content-Disposition"] = disposition || DEFAULT_SEND_FILE_DISPOSITION
-      end
-    end
-
-
     def decode_verified_token
       ActiveStorage.verifier.verified(params[:encoded_token], purpose: :blob_token)
     end

data/app/controllers/active_storage/representations/proxy_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Proxy files through application. This avoids having a redirect and makes files easier to cache.
+class ActiveStorage::Representations::ProxyController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+  include ActiveStorage::SetHeaders
+
+  def show
+    http_cache_forever public: true do
+      set_content_headers_from representation.image
+      stream representation
+    end
+  end
+
+  private
+    def representation
+      @representation ||= @blob.representation(params[:variation_key]).processed
+    end
+end

data/app/controllers/active_storage/{representations_controller.rb → representations/redirect_controller.rb}

@@ -4,11 +4,11 @@
 # Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
 # security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
 # authenticated redirection controller.
-class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
+class ActiveStorage::Representations::RedirectController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
-    expires_in ActiveStorage::Blob.service.url_expires_in
-    redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
+    expires_in ActiveStorage.service_urls_expire_in
+    redirect_to @blob.representation(params[:variation_key]).processed.url(disposition: params[:disposition])
   end
 end

data/app/controllers/concerns/active_storage/file_server.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module ActiveStorage::FileServer # :nodoc:
+  private
+    def serve_file(path, content_type:, disposition:)
+      Rack::File.new(nil).serving(request, path).tap do |(status, headers, body)|
+        self.status = status
+        self.response_body = body
+
+        headers.each do |name, value|
+          response.headers[name] = value
+        end
+
+        response.headers["Content-Type"] = content_type || DEFAULT_SEND_FILE_TYPE
+        response.headers["Content-Disposition"] = disposition || DEFAULT_SEND_FILE_DISPOSITION
+      end
+    end
+end

data/app/controllers/concerns/active_storage/set_blob.rb

@@ -9,7 +9,7 @@ module ActiveStorage::SetBlob #:nodoc:
 
   private
     def set_blob
-      @blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id] || params[:signed_id])
+      @blob = ActiveStorage::Blob.find_signed!(params[:signed_blob_id] || params[:signed_id])
     rescue ActiveSupport::MessageVerifier::InvalidSignature
       head :not_found
     end

data/app/controllers/concerns/active_storage/set_current.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Sets the <tt>ActiveStorage::Current.host</tt> attribute, which the disk service uses to generate URLs.
+# Include this concern in custom controllers that call ActiveStorage::Blob#url,
+# ActiveStorage::Variant#url, or ActiveStorage::Preview#url so the disk service can
+# generate URLs using the same host, protocol, and base path as the current request.
+module ActiveStorage::SetCurrent
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      ActiveStorage::Current.host = request.base_url
+    end
+  end
+end

data/app/controllers/concerns/active_storage/set_headers.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module ActiveStorage::SetHeaders #:nodoc:
+  extend ActiveSupport::Concern
+
+  private
+    def set_content_headers_from(blob)
+      response.headers["Content-Type"] = blob.content_type_for_serving
+      response.headers["Content-Disposition"] = ActionDispatch::Http::ContentDisposition.format \
+        disposition: blob.forced_disposition_for_serving || params[:disposition] || "inline", filename: blob.filename.sanitized
+    end
+end

data/app/javascript/activestorage/blob_record.js

@@ -6,7 +6,7 @@ export class BlobRecord {
 
     this.attributes = {
       filename: file.name,
-      content_type: file.type,
+      content_type: file.type || "application/octet-stream",
       byte_size: file.size,
       checksum: checksum
     }
@@ -17,7 +17,12 @@ export class BlobRecord {
     this.xhr.setRequestHeader("Content-Type", "application/json")
     this.xhr.setRequestHeader("Accept", "application/json")
     this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
-    this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"))
+
+    const csrfToken = getMetaValue("csrf-token")
+    if (csrfToken != undefined) {
+      this.xhr.setRequestHeader("X-CSRF-Token", csrfToken)
+    }
+
     this.xhr.addEventListener("load", event => this.requestDidLoad(event))
     this.xhr.addEventListener("error", event => this.requestDidError(event))
   }

data/app/jobs/active_storage/analyze_job.rb

@@ -2,6 +2,11 @@
 
 # Provides asynchronous analysis of ActiveStorage::Blob records via ActiveStorage::Blob#analyze_later.
 class ActiveStorage::AnalyzeJob < ActiveStorage::BaseJob
+  queue_as { ActiveStorage.queues[:analysis] }
+
+  discard_on ActiveRecord::RecordNotFound
+  retry_on ActiveStorage::IntegrityError, attempts: 10, wait: :exponentially_longer
+
   def perform(blob)
     blob.analyze
   end

data/app/jobs/active_storage/base_job.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
 
 class ActiveStorage::BaseJob < ActiveJob::Base
-  queue_as { ActiveStorage.queue }
 end

data/app/jobs/active_storage/mirror_job.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/try"
+
+# Provides asynchronous mirroring of directly-uploaded blobs.
+class ActiveStorage::MirrorJob < ActiveStorage::BaseJob
+  queue_as { ActiveStorage.queues[:mirror] }
+
+  discard_on ActiveStorage::FileNotFoundError
+  retry_on ActiveStorage::IntegrityError, attempts: 10, wait: :exponentially_longer
+
+  def perform(key, checksum:)
+    ActiveStorage::Blob.service.try(:mirror, key, checksum: checksum)
+  end
+end

data/app/jobs/active_storage/purge_job.rb

@@ -2,7 +2,10 @@
 
 # Provides asynchronous purging of ActiveStorage::Blob records via ActiveStorage::Blob#purge_later.
 class ActiveStorage::PurgeJob < ActiveStorage::BaseJob
+  queue_as { ActiveStorage.queues[:purge] }
+
   discard_on ActiveRecord::RecordNotFound
+  retry_on ActiveRecord::Deadlocked, attempts: 10, wait: :exponentially_longer
 
   def perform(blob)
     blob.purge

data/app/models/active_storage/attachment.rb

@@ -3,37 +3,56 @@
 require "active_support/core_ext/module/delegation"
 
 # Attachments associate records with blobs. Usually that's a one record-many blobs relationship,
-# but it is possible to associate many different records with the same blob. If you're doing that,
-# you'll want to declare with <tt>has_one/many_attached :thingy, dependent: false</tt>, so that destroying
-# any one record won't destroy the blob as well. (Then you'll need to do your own garbage collecting, though).
-class ActiveStorage::Attachment < ActiveRecord::Base
+# but it is possible to associate many different records with the same blob. A foreign-key constraint
+# on the attachments table prevents blobs from being purged if they’re still attached to any records.
+#
+# Attachments also have access to all methods from {ActiveStorage::Blob}[rdoc-ref:ActiveStorage::Blob].
+class ActiveStorage::Attachment < ActiveStorage::Record
   self.table_name = "active_storage_attachments"
 
   belongs_to :record, polymorphic: true, touch: true
-  belongs_to :blob, class_name: "ActiveStorage::Blob"
+  belongs_to :blob, class_name: "ActiveStorage::Blob", autosave: true
 
   delegate_missing_to :blob
+  delegate :signed_id, to: :blob
 
-  after_create_commit :analyze_blob_later, :identify_blob
+  after_create_commit :mirror_blob_later, :analyze_blob_later
+  after_destroy_commit :purge_dependent_blob_later
 
-  # Synchronously purges the blob (deletes it from the configured service) and destroys the attachment.
+  # Synchronously deletes the attachment and {purges the blob}[rdoc-ref:ActiveStorage::Blob#purge].
   def purge
-    destroy
-    blob.purge
+    transaction do
+      delete
+      record&.touch
+    end
+    blob&.purge
   end
 
-  # Destroys the attachment and asynchronously purges the blob (deletes it from the configured service).
+  # Deletes the attachment and {enqueues a background job}[rdoc-ref:ActiveStorage::Blob#purge_later] to purge the blob.
   def purge_later
-    destroy
-    blob.purge_later
+    transaction do
+      delete
+      record&.touch
+    end
+    blob&.purge_later
   end
 
   private
-    def identify_blob
-      blob.identify
-    end
-
     def analyze_blob_later
       blob.analyze_later unless blob.analyzed?
     end
+
+    def mirror_blob_later
+      blob.mirror_later
+    end
+
+    def purge_dependent_blob_later
+      blob&.purge_later if dependent == :purge_later
+    end
+
+    def dependent
+      record.attachment_reflections[name]&.options[:dependent]
+    end
 end
+
+ActiveSupport.run_load_hooks :active_storage_attachment, ActiveStorage::Attachment

data/app/models/active_storage/blob.rb

@@ -3,8 +3,9 @@
 # A blob is a record that contains the metadata about a file and a key for where that file resides on the service.
 # Blobs can be created in two ways:
 #
-# 1. Subsequent to the file being uploaded server-side to the service via <tt>create_after_upload!</tt>.
-# 2. Ahead of the file being directly uploaded client-side to the service via <tt>create_before_direct_upload!</tt>.
+# 1. Ahead of the file being uploaded server-side to the service, via <tt>create_and_upload!</tt>. A rewindable
+#    <tt>io</tt> with the file contents must be available at the server for this operation.
+# 2. Ahead of the file being directly uploaded client-side to the service, via <tt>create_before_direct_upload!</tt>.
 #
 # The first option doesn't require any client-side JavaScript integration, and can be used by any other back-end
 # service that deals with files. The second option is faster, since you're not using your own server as a staging
@@ -13,80 +14,146 @@
 # Blobs are intended to be immutable in as-so-far as their reference to a specific file goes. You're allowed to
 # update a blob's metadata on a subsequent pass, but you should not update the key or change the uploaded file.
 # If you need to create a derivative or otherwise change the blob, simply create a new blob and purge the old one.
-class ActiveStorage::Blob < ActiveRecord::Base
-  require_dependency "active_storage/blob/analyzable"
-  require_dependency "active_storage/blob/identifiable"
-  require_dependency "active_storage/blob/representable"
-
-  include Analyzable
-  include Identifiable
-  include Representable
+class ActiveStorage::Blob < ActiveStorage::Record
+  # We use constant paths in the following include calls to avoid a gotcha of
+  # classic mode: If the parent application defines a top-level Analyzable, for
+  # example, and ActiveStorage::Blob::Analyzable is not yet loaded, a bare
+  #
+  #   include Analyzable
+  #
+  # would resolve to the top-level one, const_missing would not be triggered,
+  # and therefore ActiveStorage::Blob::Analyzable would not be autoloaded.
+  #
+  # By using qualified names, we ensure const_missing is invoked if needed.
+  # Please, note that Ruby 2.5 or newer is required, so Object is not checked
+  # when looking up the ancestors of ActiveStorage::Blob.
+  #
+  # Zeitwerk mode does not have this gotcha. If we ever drop classic mode, this
+  # can be simplified, bare constant names would just work.
+  include ActiveStorage::Blob::Analyzable
+  include ActiveStorage::Blob::Identifiable
+  include ActiveStorage::Blob::Representable
 
   self.table_name = "active_storage_blobs"
 
-  has_secure_token :key
+  MINIMUM_TOKEN_LENGTH = 28
+
+  has_secure_token :key, length: MINIMUM_TOKEN_LENGTH
   store :metadata, accessors: [ :analyzed, :identified ], coder: ActiveRecord::Coders::JSON
 
-  class_attribute :service
+  class_attribute :services, default: {}
+  class_attribute :service, instance_accessor: false
 
   has_many :attachments
 
-  scope :unattached, -> { left_joins(:attachments).where(ActiveStorage::Attachment.table_name => { blob_id: nil }) }
+  scope :unattached, -> { where.missing(:attachments) }
+
+  after_initialize do
+    self.service_name ||= self.class.service.name
+  end
+
+  after_update_commit :update_service_metadata, if: :content_type_previously_changed?
 
   before_destroy(prepend: true) do
     raise ActiveRecord::InvalidForeignKey if attachments.exists?
   end
 
+  validates :service_name, presence: true
+
+  validate do
+    if service_name_changed? && service_name.present?
+      services.fetch(service_name) do
+        errors.add(:service_name, :invalid)
+      end
+    end
+  end
+
   class << self
-    # You can used the signed ID of a blob to refer to it on the client side without fear of tampering.
+    # You can use the signed ID of a blob to refer to it on the client side without fear of tampering.
     # This is particularly helpful for direct uploads where the client-side needs to refer to the blob
     # that was created ahead of the upload itself on form submission.
     #
     # The signed ID is also used to create stable URLs for the blob through the BlobsController.
-    def find_signed(id)
-      find ActiveStorage.verifier.verify(id, purpose: :blob_id)
+    def find_signed!(id, record: nil)
+      super(id, purpose: :blob_id)
     end
 
-    # Returns a new, unsaved blob instance after the +io+ has been uploaded to the service.
-    def build_after_upload(io:, filename:, content_type: nil, metadata: nil)
-      new.tap do |blob|
-        blob.filename     = filename
-        blob.content_type = content_type
-        blob.metadata     = metadata
+    def build_after_upload(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      new(filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
+        blob.upload(io, identify: identify)
+      end
+    end
 
-        blob.upload io
+    deprecate :build_after_upload
+
+    def build_after_unfurling(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      new(key: key, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
+        blob.unfurl(io, identify: identify)
       end
     end
 
-    # Returns a saved blob instance after the +io+ has been uploaded to the service. Note, the blob is first built,
-    # then the +io+ is uploaded, then the blob is saved. This is done this way to avoid uploading (which may take
-    # time), while having an open database transaction.
-    def create_after_upload!(io:, filename:, content_type: nil, metadata: nil)
-      build_after_upload(io: io, filename: filename, content_type: content_type, metadata: metadata).tap(&:save!)
+    def create_after_unfurling!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      build_after_unfurling(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap(&:save!)
     end
 
+    # Creates a new blob instance and then uploads the contents of
+    # the given <tt>io</tt> to the service. The blob instance is going to
+    # be saved before the upload begins to prevent the upload clobbering another due to key collisions.
+    # When providing a content type, pass <tt>identify: false</tt> to bypass
+    # automatic content type inference.
+    def create_and_upload!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil)
+      create_after_unfurling!(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap do |blob|
+        blob.upload_without_unfurling(io)
+      end
+    end
+
+    alias_method :create_after_upload!, :create_and_upload!
+    deprecate create_after_upload!: :create_and_upload!
+
     # Returns a saved blob _without_ uploading a file to the service. This blob will point to a key where there is
     # no file yet. It's intended to be used together with a client-side upload, which will first create the blob
     # in order to produce the signed URL for uploading. This signed URL points to the key generated by the blob.
     # Once the form using the direct upload is submitted, the blob can be associated with the right record using
     # the signed ID.
-    def create_before_direct_upload!(filename:, byte_size:, checksum:, content_type: nil, metadata: nil)
-      create! filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata
+    def create_before_direct_upload!(key: nil, filename:, byte_size:, checksum:, content_type: nil, metadata: nil, service_name: nil, record: nil)
+      create! key: key, filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata, service_name: service_name
+    end
+
+    # To prevent problems with case-insensitive filesystems, especially in combination
+    # with databases which treat indices as case-sensitive, all blob keys generated are going
+    # to only contain the base-36 character alphabet and will therefore be lowercase. To maintain
+    # the same or higher amount of entropy as in the base-58 encoding used by `has_secure_token`
+    # the number of bytes used is increased to 28 from the standard 24
+    def generate_unique_secure_token(length: MINIMUM_TOKEN_LENGTH)
+      SecureRandom.base36(length)
+    end
+
+    # Customize signed ID purposes for backwards compatibility.
+    def combine_signed_id_purposes(purpose) #:nodoc:
+      purpose.to_s
+    end
+
+    # Customize the default signed ID verifier for backwards compatibility.
+    #
+    # We override the reader (.signed_id_verifier) instead of just calling the writer (.signed_id_verifier=)
+    # to guard against the case where ActiveStorage.verifier isn't yet initialized at load time.
+    def signed_id_verifier #:nodoc:
+      @signed_id_verifier ||= ActiveStorage.verifier
     end
   end
 
   # Returns a signed ID for this blob that's suitable for reference on the client-side without fear of tampering.
-  # It uses the framework-wide verifier on <tt>ActiveStorage.verifier</tt>, but with a dedicated purpose.
   def signed_id
-    ActiveStorage.verifier.generate(id, purpose: :blob_id)
+    super(purpose: :blob_id)
   end
 
-  # Returns the key pointing to the file on the service that's associated with this blob. The key is in the
-  # standard secure-token format from Rails. So it'll look like: XTAPjJCJiuDrLk3TmwyJGpUo. This key is not intended
-  # to be revealed directly to the user. Always refer to blobs using the signed_id or a verified form of the key.
+  # Returns the key pointing to the file on the service that's associated with this blob. The key is the
+  # secure-token format from Rails in lower case. So it'll look like: xtapjjcjiudrlk3tmwyjgpuobabd.
+  # This key is not intended to be revealed directly to the user.
+  # Always refer to blobs using the signed_id or a verified form of the key.
   def key
     # We can't wait until the record is first saved to have a key for it
-    self[:key] ||= self.class.generate_unique_secure_token
+    self[:key] ||= self.class.generate_unique_secure_token(length: MINIMUM_TOKEN_LENGTH)
   end
 
   # Returns an ActiveStorage::Filename instance of the filename that can be
@@ -116,21 +183,21 @@ class ActiveStorage::Blob < ActiveRecord::Base
     content_type.start_with?("text")
   end
 
-
-  # Returns the URL of the blob on the service. This URL is intended to be short-lived for security and not used directly
-  # with users. Instead, the +service_url+ should only be exposed as a redirect from a stable, possibly authenticated URL.
-  # Hiding the +service_url+ behind a redirect also gives you the power to change services without updating all URLs. And
-  # it allows permanent URLs that redirect to the +service_url+ to be cached in the view.
-  def service_url(expires_in: service.url_expires_in, disposition: :inline, filename: nil, **options)
-    filename = ActiveStorage::Filename.wrap(filename || self.filename)
-
-    service.url key, expires_in: expires_in, filename: filename, content_type: content_type_for_service_url,
-      disposition: forced_disposition_for_service_url || disposition, **options
+  # Returns the URL of the blob on the service. This returns a permanent URL for public files, and returns a
+  # short-lived URL for private files. Private files are signed, and not for public use. Instead,
+  # the URL should only be exposed as a redirect from a stable, possibly authenticated URL. Hiding the
+  # URL behind a redirect also allows you to change services without updating all URLs.
+  def url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
+    service.url key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
+      content_type: content_type_for_serving, disposition: forced_disposition_for_serving || disposition, **options
   end
 
+  alias_method :service_url, :url
+  deprecate service_url: :url
+
   # Returns a URL that can be used to directly upload a file for this blob on the service. This URL is intended to be
   # short-lived for security and only generated on-demand by the client-side JavaScript responsible for doing the uploading.
-  def service_url_for_direct_upload(expires_in: service.url_expires_in)
+  def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
     service.url_for_direct_upload key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum
   end
 
@@ -139,6 +206,16 @@ class ActiveStorage::Blob < ActiveRecord::Base
     service.headers_for_direct_upload key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum
   end
 
+  def content_type_for_serving #:nodoc:
+    forcibly_serve_as_binary? ? ActiveStorage.binary_content_type : content_type
+  end
+
+  def forced_disposition_for_serving #:nodoc:
+    if forcibly_serve_as_binary? || !allowed_inline?
+      :attachment
+    end
+  end
+
 
   # Uploads the +io+ to the service on the +key+ for this blob. Blobs are intended to be immutable, so you shouldn't be
   # using this method after a file has already been uploaded to fit with a blob. If you want to create a derivative blob,
@@ -146,16 +223,25 @@ class ActiveStorage::Blob < ActiveRecord::Base
   #
   # Prior to uploading, we compute the checksum, which is sent to the service for transit integrity validation. If the
   # checksum does not match what the service receives, an exception will be raised. We also measure the size of the +io+
-  # and store that in +byte_size+ on the blob record.
+  # and store that in +byte_size+ on the blob record. The content type is automatically extracted from the +io+ unless
+  # you specify a +content_type+ and pass +identify+ as false.
   #
-  # Normally, you do not have to call this method directly at all. Use the factory class methods of +build_after_upload+
-  # and +create_after_upload!+.
-  def upload(io)
+  # Normally, you do not have to call this method directly at all. Use the +create_and_upload!+ class method instead.
+  # If you do use this method directly, make sure you are using it on a persisted Blob as otherwise another blob's
+  # data might get overwritten on the service.
+  def upload(io, identify: true)
+    unfurl io, identify: identify
+    upload_without_unfurling io
+  end
+
+  def unfurl(io, identify: true) #:nodoc:
     self.checksum     = compute_checksum_in_chunks(io)
-    self.content_type = extract_content_type(io)
+    self.content_type = extract_content_type(io) if content_type.nil? || identify
     self.byte_size    = io.size
     self.identified   = true
+  end
 
+  def upload_without_unfurling(io) #:nodoc:
     service.upload key, io, checksum: checksum, **service_metadata
   end
 
@@ -165,30 +251,56 @@ class ActiveStorage::Blob < ActiveRecord::Base
     service.download key, &block
   end
 
+  # Downloads the blob to a tempfile on disk. Yields the tempfile.
+  #
+  # The tempfile's name is prefixed with +ActiveStorage-+ and the blob's ID. Its extension matches that of the blob.
+  #
+  # By default, the tempfile is created in <tt>Dir.tmpdir</tt>. Pass +tmpdir:+ to create it in a different directory:
+  #
+  #   blob.open(tmpdir: "/path/to/tmp") do |file|
+  #     # ...
+  #   end
+  #
+  # The tempfile is automatically closed and unlinked after the given block is executed.
+  #
+  # Raises ActiveStorage::IntegrityError if the downloaded data does not match the blob's checksum.
+  def open(tmpdir: nil, &block)
+    service.open key, checksum: checksum,
+      name: [ "ActiveStorage-#{id}-", filename.extension_with_delimiter ], tmpdir: tmpdir, &block
+  end
 
-  # Deletes the file on the service that's associated with this blob. This should only be done if the blob is going to be
-  # deleted as well or you will essentially have a dead reference. It's recommended to use the +#purge+ and +#purge_later+
+  def mirror_later #:nodoc:
+    ActiveStorage::MirrorJob.perform_later(key, checksum: checksum) if service.respond_to?(:mirror)
+  end
+
+  # Deletes the files on the service associated with the blob. This should only be done if the blob is going to be
+  # deleted as well or you will essentially have a dead reference. It's recommended to use #purge and #purge_later
   # methods in most circumstances.
   def delete
     service.delete(key)
     service.delete_prefixed("variants/#{key}/") if image?
   end
 
-  # Deletes the file on the service and then destroys the blob record. This is the recommended way to dispose of unwanted
-  # blobs. Note, though, that deleting the file off the service will initiate a HTTP connection to the service, which may
-  # be slow or prevented, so you should not use this method inside a transaction or in callbacks. Use +#purge_later+ instead.
+  # Destroys the blob record and then deletes the file on the service. This is the recommended way to dispose of unwanted
+  # blobs. Note, though, that deleting the file off the service will initiate an HTTP connection to the service, which may
+  # be slow or prevented, so you should not use this method inside a transaction or in callbacks. Use #purge_later instead.
   def purge
     destroy
     delete
   rescue ActiveRecord::InvalidForeignKey
   end
 
-  # Enqueues an ActiveStorage::PurgeJob job that'll call +purge+. This is the recommended way to purge blobs when the call
-  # needs to be made from a transaction, a callback, or any other real-time scenario.
+  # Enqueues an ActiveStorage::PurgeJob to call #purge. This is the recommended way to purge blobs from a transaction,
+  # an Active Record callback, or in any other real-time scenario.
   def purge_later
     ActiveStorage::PurgeJob.perform_later(self)
   end
 
+  # Returns an instance of service, which can be configured globally or per attachment
+  def service
+    services.fetch(service_name)
+  end
+
   private
     def compute_checksum_in_chunks(io)
       Digest::MD5.new.tap do |checksum|
@@ -212,14 +324,8 @@ class ActiveStorage::Blob < ActiveRecord::Base
       ActiveStorage.content_types_allowed_inline.include?(content_type)
     end
 
-    def content_type_for_service_url
-      forcibly_serve_as_binary? ? ActiveStorage.binary_content_type : content_type
-    end
-
-    def forced_disposition_for_service_url
-      if forcibly_serve_as_binary? || !allowed_inline?
-        :attachment
-      end
+    def web_image?
+      ActiveStorage.web_image_content_types.include?(content_type)
     end
 
     def service_metadata
@@ -232,5 +338,9 @@ class ActiveStorage::Blob < ActiveRecord::Base
       end
     end
 
-    ActiveSupport.run_load_hooks(:active_storage_blob, self)
+    def update_service_metadata
+      service.update_metadata key, **service_metadata if service_metadata.any?
+    end
 end
+
+ActiveSupport.run_load_hooks :active_storage_blob, ActiveStorage::Blob