@crowi/plugin-storage-aws-s3 0.1.0-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Sotaro KARASAWA <sotaro.k@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,144 @@
+# @crowi/plugin-storage-aws-s3
+
+AWS S3 storage driver for Crowi 2.0. Stores page attachments and profile
+pictures in an S3 bucket. Pairs with [`@crowi/plugin-aws`](../plugin-aws)
+for shared region / access-key configuration.
+
+## Install
+
+```bash
+crowi-admin plugin add @crowi/plugin-storage-aws-s3
+```
+
+(or, in dev: `pnpm --filter @crowi/api add -D @crowi/plugin-storage-aws-s3`)
+
+The plugin auto-loads its dependency `@crowi/plugin-aws`. You don't need
+to add it explicitly.
+
+## Configure
+
+### 1. Activate the driver in `crowi.config.json`
+
+```jsonc
+{
+  "plugins": ["@crowi/plugin-storage-aws-s3"],
+  "storage": { "driver": "s3" }
+}
+```
+
+A server restart is required when `storage.driver` changes — Crowi reads
+this file once at boot.
+
+### 2. Fill in credentials in the admin UI
+
+Open `/admin/plugins`:
+
+- **`@crowi/plugin-aws`** — `region`, `accessKeyId`, `secretAccessKey`
+  (the secret is encrypted at rest with `CROWI_ENCRYPTION_KEY`)
+- **`@crowi/plugin-storage-aws-s3`** — `bucket`
+
+Leaving `accessKeyId` and `secretAccessKey` blank tells the SDK to use
+its [default credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain)
+(env vars, shared credentials file, EC2 instance role, ECS task role,
+EKS pod identity, etc). This is the recommended setup when running on
+AWS — let the platform vend short-lived credentials, don't store
+long-lived keys in Mongo.
+
+### 3. Migrate existing files (if switching from `local`)
+
+```bash
+crowi-admin storage copy --from local --to s3 --dry-run    # preview
+crowi-admin storage copy --from local --to s3              # actual copy
+```
+
+The CLI walks the `Attachment` collection and `User.image` URLs, copying
+every key from one driver to the other. Failures are logged and skipped;
+re-running is safe (S3 `PutObject` is overwrite-by-key).
+
+## Required IAM permissions
+
+Three S3 operations are called by the driver: `PutObject`, `GetObject`,
+`DeleteObject`. Signed URLs are produced locally with the SDK presigner,
+which signs a `GetObjectCommand` — so the **client** consuming the signed
+URL needs `GetObject` (which the driver's IAM principal already has).
+`ListBucket` is **not** needed.
+
+A minimal IAM policy you can attach to the IAM user / role Crowi runs as:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "CrowiStorageObjects",
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
+    }
+  ]
+}
+```
+
+The same policy is shipped at [`examples/iam-policy.json`](examples/iam-policy.json)
+so you can apply it directly:
+
+```bash
+aws iam create-policy \
+  --policy-name CrowiStorage \
+  --policy-document file://examples/iam-policy.json
+```
+
+A variant with `s3:ListBucket` enabled is at
+[`examples/iam-policy-with-list.json`](examples/iam-policy-with-list.json) —
+not needed today, but reserved for a future `crowi-admin storage list` /
+`storage diff` command that would enumerate keys server-side.
+
+## What does NOT need to be configured
+
+- **Bucket policy** — IAM policy is enough for normal single-account
+  setups. Use a bucket policy only if you need cross-account access,
+  SSE enforcement, or public-read overrides — Crowi neither requires
+  nor opposes those, but they're environment-specific and out of scope
+  for this plugin's docs.
+- **CORS** — Crowi serves signed URLs directly via `<img>` / download
+  links, which are simple `GET` requests with no preflight. CORS rules
+  on the bucket are unnecessary unless you add a future feature that
+  uploads from the browser straight to S3 (presigned `PUT`).
+- **SSE-S3** — works out of the box if the bucket has default
+  encryption enabled. The driver does not set `ServerSideEncryption`
+  explicitly; let the bucket's default policy decide.
+
+## Object layout
+
+The driver passes storage keys through to S3 verbatim. The keys Crowi
+uses are:
+
+```
+attachment/<pageId>/<fileId>/<original-filename>
+user/<userId>.<ext>
+```
+
+This matches the v1.x layout, so operators upgrading from Crowi 1.x can
+point `bucket` at their existing bucket and files round-trip without
+migration.
+
+## Troubleshooting
+
+| Symptom | Likely cause |
+|---|---|
+| `bucket=<unset>` in the boot log | Set `bucket` under `/admin/plugins` for `@crowi/plugin-storage-aws-s3`. |
+| `region=<default>` in the boot log | Set `region` under `/admin/plugins` for `@crowi/plugin-aws` (e.g. `ap-northeast-1`). |
+| `403 Forbidden` on PUT | Check the IAM policy — `s3:PutObject` against `arn:aws:s3:::<bucket>/*`. |
+| `403 Forbidden` on GET via signed URL | Same; the signing principal needs `s3:GetObject`. |
+| `301 PermanentRedirect` | `region` mismatch. The bucket lives in a different region than the SDK is configured to talk to. |
+| Long-lived secret keys committed somewhere | Don't. Use IAM roles on EC2 / ECS / EKS, leave `accessKeyId` blank. |
+
+## See also
+
+- [`@crowi/plugin-aws`](../plugin-aws) — shared AWS credential plugin (auto-loaded as a dependency).
+- [`@crowi/plugin-storage-local`](../plugin-storage-local) — the default-on local filesystem driver.
+- RFC-0001 §"Storage (S3)" for the migration story from Crowi 1.x.

package/dist/index.d.mts

@@ -0,0 +1,18 @@
+import { S3Client } from '@aws-sdk/client-s3';
+import { StorageDriver, CrowiPlugin } from '@crowi/plugin-api';
+
+interface S3DriverState {
+    client: S3Client;
+    bucket: string;
+}
+declare const plugin: CrowiPlugin;
+
+/**
+ * Build the storage driver. Methods read `driverState` *once at the
+ * top* — a snapshot — so a `reconfigure` running concurrently with an
+ * inflight `put` / `get` cannot swap the client mid-call. The next
+ * call sees the new client/bucket.
+ */
+declare function createS3Driver(driverState: S3DriverState): StorageDriver;
+
+export { type S3DriverState, createS3Driver, plugin as default };

package/dist/index.d.ts

@@ -0,0 +1,18 @@
+import { S3Client } from '@aws-sdk/client-s3';
+import { StorageDriver, CrowiPlugin } from '@crowi/plugin-api';
+
+interface S3DriverState {
+    client: S3Client;
+    bucket: string;
+}
+declare const plugin: CrowiPlugin;
+
+/**
+ * Build the storage driver. Methods read `driverState` *once at the
+ * top* — a snapshot — so a `reconfigure` running concurrently with an
+ * inflight `put` / `get` cannot swap the client mid-call. The next
+ * call sees the new client/bucket.
+ */
+declare function createS3Driver(driverState: S3DriverState): StorageDriver;
+
+export { type S3DriverState, createS3Driver, plugin as default };

package/dist/index.js

@@ -0,0 +1,116 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  createS3Driver: () => createS3Driver,
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+var import_v3 = require("zod/v3");
+var import_client_s3 = require("@aws-sdk/client-s3");
+var import_s3_request_presigner = require("@aws-sdk/s3-request-presigner");
+var S3StorageConfigSchema = import_v3.z.object({
+  bucket: import_v3.z.string().default("")
+}).strict();
+var state = {
+  client: new import_client_s3.S3Client({}),
+  bucket: ""
+};
+var plugin = {
+  name: "@crowi/plugin-storage-aws-s3",
+  version: "0.1.0-dev",
+  requires: ["@crowi/plugin-aws"],
+  configSchema: S3StorageConfigSchema,
+  adminPlacement: {
+    label: "AWS S3",
+    icon: "cloud"
+    // section omitted: derived from registerStorage → 'storage'
+  },
+  registerStorage: (registry, ctx) => {
+    applyConfigToState(ctx, state);
+    registry.register("s3", createS3Driver(state));
+    ctx.log.debug("registered s3 storage driver (bucket=%s)", state.bucket || "<unset>");
+  },
+  reconfigure: (ctx) => {
+    applyConfigToState(ctx, state);
+    ctx.log.debug("reconfigured s3 storage driver (bucket=%s)", state.bucket || "<unset>");
+  }
+};
+var index_default = plugin;
+function applyConfigToState(ctx, target) {
+  const own = ctx.config();
+  const aws = ctx.dependencyConfig("@crowi/plugin-aws");
+  target.client = new import_client_s3.S3Client({
+    region: aws.region || void 0,
+    credentials: aws.accessKeyId && aws.secretAccessKey ? {
+      accessKeyId: aws.accessKeyId,
+      secretAccessKey: aws.secretAccessKey
+    } : void 0
+  });
+  target.bucket = own.bucket;
+}
+function createS3Driver(driverState) {
+  return {
+    async put(key, body, meta) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      await client.send(
+        new import_client_s3.PutObjectCommand({
+          Bucket: bucket,
+          Key: key,
+          Body: body,
+          ContentType: meta.contentType
+        })
+      );
+      return { key };
+    },
+    async get(key) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      const response = await client.send(new import_client_s3.GetObjectCommand({ Bucket: bucket, Key: key }));
+      const body = response.Body;
+      if (!body) {
+        throw new Error(`S3 returned empty body for key '${key}'`);
+      }
+      return body;
+    },
+    async delete(key) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      await client.send(new import_client_s3.DeleteObjectCommand({ Bucket: bucket, Key: key }));
+    },
+    async signedUrl(key, expiresInSec) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      return (0, import_s3_request_presigner.getSignedUrl)(client, new import_client_s3.GetObjectCommand({ Bucket: bucket, Key: key }), { expiresIn: expiresInSec });
+    }
+  };
+}
+function requireBucket(bucket) {
+  if (!bucket) {
+    throw new Error("@crowi/plugin-storage-aws-s3: bucket is not configured.");
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createS3Driver
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { Readable } from 'node:stream';\nimport { z } from 'zod/v3';\nimport { DeleteObjectCommand, GetObjectCommand, PutObjectCommand, S3Client } from '@aws-sdk/client-s3';\nimport { getSignedUrl } from '@aws-sdk/s3-request-presigner';\nimport type { AwsConfig } from '@crowi/plugin-aws';\nimport type { CrowiPlugin, PluginContext, StorageDriver } from '@crowi/plugin-api';\n\nconst S3StorageConfigSchema = z\n  .object({\n    bucket: z.string().default(''),\n  })\n  .strict();\n\ntype S3StorageConfig = z.infer<typeof S3StorageConfigSchema>;\n\nexport interface S3DriverState {\n  client: S3Client;\n  bucket: string;\n}\n\n/**\n * Module-scope state ref. `registerStorage` initialises it from the\n * boot-time config; the driver methods snapshot from it on every call;\n * `reconfigure` mutates its fields in place when admin saves new\n * values. The single-instance assumption is fine — the plugin\n * registers exactly one `'s3'` driver, owned by this module.\n */\nconst state: S3DriverState = {\n  client: new S3Client({}),\n  bucket: '',\n};\n\nconst plugin: CrowiPlugin = {\n  name: '@crowi/plugin-storage-aws-s3',\n  version: '0.1.0-dev',\n  requires: ['@crowi/plugin-aws'],\n  configSchema: S3StorageConfigSchema,\n  adminPlacement: {\n    label: 'AWS S3',\n    icon: 'cloud',\n    // section omitted: derived from registerStorage → 'storage'\n  },\n\n  registerStorage: (registry, ctx) => {\n    applyConfigToState(ctx, state);\n    registry.register('s3', createS3Driver(state));\n    ctx.log.debug('registered s3 storage driver (bucket=%s)', state.bucket || '<unset>');\n  },\n\n  reconfigure: (ctx) => {\n    applyConfigToState(ctx, state);\n    ctx.log.debug('reconfigured s3 storage driver (bucket=%s)', state.bucket || '<unset>');\n  },\n};\n\nexport default plugin;\n\nfunction applyConfigToState(ctx: PluginContext, target: S3DriverState): void {\n  const own = ctx.config<S3StorageConfig>();\n  const aws = ctx.dependencyConfig<AwsConfig>('@crowi/plugin-aws');\n  target.client = new S3Client({\n    region: aws.region || undefined,\n    credentials:\n      aws.accessKeyId && aws.secretAccessKey\n        ? {\n            accessKeyId: aws.accessKeyId,\n            secretAccessKey: aws.secretAccessKey,\n          }\n        : undefined,\n  });\n  target.bucket = own.bucket;\n}\n\n/**\n * Build the storage driver. Methods read `driverState` *once at the\n * top* — a snapshot — so a `reconfigure` running concurrently with an\n * inflight `put` / `get` cannot swap the client mid-call. The next\n * call sees the new client/bucket.\n */\nexport function createS3Driver(driverState: S3DriverState): StorageDriver {\n  return {\n    async put(key, body, meta) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      await client.send(\n        new PutObjectCommand({\n          Bucket: bucket,\n          Key: key,\n          Body: body as Buffer | Readable,\n          ContentType: meta.contentType,\n        }),\n      );\n      return { key };\n    },\n\n    async get(key) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      const response = await client.send(new GetObjectCommand({ Bucket: bucket, Key: key }));\n      const body = response.Body;\n      if (!body) {\n        throw new Error(`S3 returned empty body for key '${key}'`);\n      }\n      return body as Readable;\n    },\n\n    async delete(key) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      await client.send(new DeleteObjectCommand({ Bucket: bucket, Key: key }));\n    },\n\n    async signedUrl(key, expiresInSec) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      return getSignedUrl(client, new GetObjectCommand({ Bucket: bucket, Key: key }), { expiresIn: expiresInSec });\n    },\n  };\n}\n\nfunction requireBucket(bucket: string): void {\n  if (!bucket) {\n    throw new Error('@crowi/plugin-storage-aws-s3: bucket is not configured.');\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,gBAAkB;AAClB,uBAAkF;AAClF,kCAA6B;AAI7B,IAAM,wBAAwB,YAC3B,OAAO;AAAA,EACN,QAAQ,YAAE,OAAO,EAAE,QAAQ,EAAE;AAC/B,CAAC,EACA,OAAO;AAgBV,IAAM,QAAuB;AAAA,EAC3B,QAAQ,IAAI,0BAAS,CAAC,CAAC;AAAA,EACvB,QAAQ;AACV;AAEA,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,UAAU,CAAC,mBAAmB;AAAA,EAC9B,cAAc;AAAA,EACd,gBAAgB;AAAA,IACd,OAAO;AAAA,IACP,MAAM;AAAA;AAAA,EAER;AAAA,EAEA,iBAAiB,CAAC,UAAU,QAAQ;AAClC,uBAAmB,KAAK,KAAK;AAC7B,aAAS,SAAS,MAAM,eAAe,KAAK,CAAC;AAC7C,QAAI,IAAI,MAAM,4CAA4C,MAAM,UAAU,SAAS;AAAA,EACrF;AAAA,EAEA,aAAa,CAAC,QAAQ;AACpB,uBAAmB,KAAK,KAAK;AAC7B,QAAI,IAAI,MAAM,8CAA8C,MAAM,UAAU,SAAS;AAAA,EACvF;AACF;AAEA,IAAO,gBAAQ;AAEf,SAAS,mBAAmB,KAAoB,QAA6B;AAC3E,QAAM,MAAM,IAAI,OAAwB;AACxC,QAAM,MAAM,IAAI,iBAA4B,mBAAmB;AAC/D,SAAO,SAAS,IAAI,0BAAS;AAAA,IAC3B,QAAQ,IAAI,UAAU;AAAA,IACtB,aACE,IAAI,eAAe,IAAI,kBACnB;AAAA,MACE,aAAa,IAAI;AAAA,MACjB,iBAAiB,IAAI;AAAA,IACvB,IACA;AAAA,EACR,CAAC;AACD,SAAO,SAAS,IAAI;AACtB;AAQO,SAAS,eAAe,aAA2C;AACxE,SAAO;AAAA,IACL,MAAM,IAAI,KAAK,MAAM,MAAM;AACzB,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,OAAO;AAAA,QACX,IAAI,kCAAiB;AAAA,UACnB,QAAQ;AAAA,UACR,KAAK;AAAA,UACL,MAAM;AAAA,UACN,aAAa,KAAK;AAAA,QACpB,CAAC;AAAA,MACH;AACA,aAAO,EAAE,IAAI;AAAA,IACf;AAAA,IAEA,MAAM,IAAI,KAAK;AACb,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,WAAW,MAAM,OAAO,KAAK,IAAI,kCAAiB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,CAAC;AACrF,YAAM,OAAO,SAAS;AACtB,UAAI,CAAC,MAAM;AACT,cAAM,IAAI,MAAM,mCAAmC,GAAG,GAAG;AAAA,MAC3D;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,KAAK;AAChB,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,OAAO,KAAK,IAAI,qCAAoB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,CAAC;AAAA,IACzE;AAAA,IAEA,MAAM,UAAU,KAAK,cAAc;AACjC,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,iBAAO,0CAAa,QAAQ,IAAI,kCAAiB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,GAAG,EAAE,WAAW,aAAa,CAAC;AAAA,IAC7G;AAAA,EACF;AACF;AAEA,SAAS,cAAc,QAAsB;AAC3C,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,MAAM,yDAAyD;AAAA,EAC3E;AACF;","names":[]}

package/dist/index.mjs

@@ -0,0 +1,91 @@
+// src/index.ts
+import { z } from "zod/v3";
+import { DeleteObjectCommand, GetObjectCommand, PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+var S3StorageConfigSchema = z.object({
+  bucket: z.string().default("")
+}).strict();
+var state = {
+  client: new S3Client({}),
+  bucket: ""
+};
+var plugin = {
+  name: "@crowi/plugin-storage-aws-s3",
+  version: "0.1.0-dev",
+  requires: ["@crowi/plugin-aws"],
+  configSchema: S3StorageConfigSchema,
+  adminPlacement: {
+    label: "AWS S3",
+    icon: "cloud"
+    // section omitted: derived from registerStorage → 'storage'
+  },
+  registerStorage: (registry, ctx) => {
+    applyConfigToState(ctx, state);
+    registry.register("s3", createS3Driver(state));
+    ctx.log.debug("registered s3 storage driver (bucket=%s)", state.bucket || "<unset>");
+  },
+  reconfigure: (ctx) => {
+    applyConfigToState(ctx, state);
+    ctx.log.debug("reconfigured s3 storage driver (bucket=%s)", state.bucket || "<unset>");
+  }
+};
+var index_default = plugin;
+function applyConfigToState(ctx, target) {
+  const own = ctx.config();
+  const aws = ctx.dependencyConfig("@crowi/plugin-aws");
+  target.client = new S3Client({
+    region: aws.region || void 0,
+    credentials: aws.accessKeyId && aws.secretAccessKey ? {
+      accessKeyId: aws.accessKeyId,
+      secretAccessKey: aws.secretAccessKey
+    } : void 0
+  });
+  target.bucket = own.bucket;
+}
+function createS3Driver(driverState) {
+  return {
+    async put(key, body, meta) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      await client.send(
+        new PutObjectCommand({
+          Bucket: bucket,
+          Key: key,
+          Body: body,
+          ContentType: meta.contentType
+        })
+      );
+      return { key };
+    },
+    async get(key) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      const response = await client.send(new GetObjectCommand({ Bucket: bucket, Key: key }));
+      const body = response.Body;
+      if (!body) {
+        throw new Error(`S3 returned empty body for key '${key}'`);
+      }
+      return body;
+    },
+    async delete(key) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      await client.send(new DeleteObjectCommand({ Bucket: bucket, Key: key }));
+    },
+    async signedUrl(key, expiresInSec) {
+      const { client, bucket } = driverState;
+      requireBucket(bucket);
+      return getSignedUrl(client, new GetObjectCommand({ Bucket: bucket, Key: key }), { expiresIn: expiresInSec });
+    }
+  };
+}
+function requireBucket(bucket) {
+  if (!bucket) {
+    throw new Error("@crowi/plugin-storage-aws-s3: bucket is not configured.");
+  }
+}
+export {
+  createS3Driver,
+  index_default as default
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { Readable } from 'node:stream';\nimport { z } from 'zod/v3';\nimport { DeleteObjectCommand, GetObjectCommand, PutObjectCommand, S3Client } from '@aws-sdk/client-s3';\nimport { getSignedUrl } from '@aws-sdk/s3-request-presigner';\nimport type { AwsConfig } from '@crowi/plugin-aws';\nimport type { CrowiPlugin, PluginContext, StorageDriver } from '@crowi/plugin-api';\n\nconst S3StorageConfigSchema = z\n  .object({\n    bucket: z.string().default(''),\n  })\n  .strict();\n\ntype S3StorageConfig = z.infer<typeof S3StorageConfigSchema>;\n\nexport interface S3DriverState {\n  client: S3Client;\n  bucket: string;\n}\n\n/**\n * Module-scope state ref. `registerStorage` initialises it from the\n * boot-time config; the driver methods snapshot from it on every call;\n * `reconfigure` mutates its fields in place when admin saves new\n * values. The single-instance assumption is fine — the plugin\n * registers exactly one `'s3'` driver, owned by this module.\n */\nconst state: S3DriverState = {\n  client: new S3Client({}),\n  bucket: '',\n};\n\nconst plugin: CrowiPlugin = {\n  name: '@crowi/plugin-storage-aws-s3',\n  version: '0.1.0-dev',\n  requires: ['@crowi/plugin-aws'],\n  configSchema: S3StorageConfigSchema,\n  adminPlacement: {\n    label: 'AWS S3',\n    icon: 'cloud',\n    // section omitted: derived from registerStorage → 'storage'\n  },\n\n  registerStorage: (registry, ctx) => {\n    applyConfigToState(ctx, state);\n    registry.register('s3', createS3Driver(state));\n    ctx.log.debug('registered s3 storage driver (bucket=%s)', state.bucket || '<unset>');\n  },\n\n  reconfigure: (ctx) => {\n    applyConfigToState(ctx, state);\n    ctx.log.debug('reconfigured s3 storage driver (bucket=%s)', state.bucket || '<unset>');\n  },\n};\n\nexport default plugin;\n\nfunction applyConfigToState(ctx: PluginContext, target: S3DriverState): void {\n  const own = ctx.config<S3StorageConfig>();\n  const aws = ctx.dependencyConfig<AwsConfig>('@crowi/plugin-aws');\n  target.client = new S3Client({\n    region: aws.region || undefined,\n    credentials:\n      aws.accessKeyId && aws.secretAccessKey\n        ? {\n            accessKeyId: aws.accessKeyId,\n            secretAccessKey: aws.secretAccessKey,\n          }\n        : undefined,\n  });\n  target.bucket = own.bucket;\n}\n\n/**\n * Build the storage driver. Methods read `driverState` *once at the\n * top* — a snapshot — so a `reconfigure` running concurrently with an\n * inflight `put` / `get` cannot swap the client mid-call. The next\n * call sees the new client/bucket.\n */\nexport function createS3Driver(driverState: S3DriverState): StorageDriver {\n  return {\n    async put(key, body, meta) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      await client.send(\n        new PutObjectCommand({\n          Bucket: bucket,\n          Key: key,\n          Body: body as Buffer | Readable,\n          ContentType: meta.contentType,\n        }),\n      );\n      return { key };\n    },\n\n    async get(key) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      const response = await client.send(new GetObjectCommand({ Bucket: bucket, Key: key }));\n      const body = response.Body;\n      if (!body) {\n        throw new Error(`S3 returned empty body for key '${key}'`);\n      }\n      return body as Readable;\n    },\n\n    async delete(key) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      await client.send(new DeleteObjectCommand({ Bucket: bucket, Key: key }));\n    },\n\n    async signedUrl(key, expiresInSec) {\n      const { client, bucket } = driverState;\n      requireBucket(bucket);\n      return getSignedUrl(client, new GetObjectCommand({ Bucket: bucket, Key: key }), { expiresIn: expiresInSec });\n    },\n  };\n}\n\nfunction requireBucket(bucket: string): void {\n  if (!bucket) {\n    throw new Error('@crowi/plugin-storage-aws-s3: bucket is not configured.');\n  }\n}\n"],"mappings":";AACA,SAAS,SAAS;AAClB,SAAS,qBAAqB,kBAAkB,kBAAkB,gBAAgB;AAClF,SAAS,oBAAoB;AAI7B,IAAM,wBAAwB,EAC3B,OAAO;AAAA,EACN,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE;AAC/B,CAAC,EACA,OAAO;AAgBV,IAAM,QAAuB;AAAA,EAC3B,QAAQ,IAAI,SAAS,CAAC,CAAC;AAAA,EACvB,QAAQ;AACV;AAEA,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,UAAU,CAAC,mBAAmB;AAAA,EAC9B,cAAc;AAAA,EACd,gBAAgB;AAAA,IACd,OAAO;AAAA,IACP,MAAM;AAAA;AAAA,EAER;AAAA,EAEA,iBAAiB,CAAC,UAAU,QAAQ;AAClC,uBAAmB,KAAK,KAAK;AAC7B,aAAS,SAAS,MAAM,eAAe,KAAK,CAAC;AAC7C,QAAI,IAAI,MAAM,4CAA4C,MAAM,UAAU,SAAS;AAAA,EACrF;AAAA,EAEA,aAAa,CAAC,QAAQ;AACpB,uBAAmB,KAAK,KAAK;AAC7B,QAAI,IAAI,MAAM,8CAA8C,MAAM,UAAU,SAAS;AAAA,EACvF;AACF;AAEA,IAAO,gBAAQ;AAEf,SAAS,mBAAmB,KAAoB,QAA6B;AAC3E,QAAM,MAAM,IAAI,OAAwB;AACxC,QAAM,MAAM,IAAI,iBAA4B,mBAAmB;AAC/D,SAAO,SAAS,IAAI,SAAS;AAAA,IAC3B,QAAQ,IAAI,UAAU;AAAA,IACtB,aACE,IAAI,eAAe,IAAI,kBACnB;AAAA,MACE,aAAa,IAAI;AAAA,MACjB,iBAAiB,IAAI;AAAA,IACvB,IACA;AAAA,EACR,CAAC;AACD,SAAO,SAAS,IAAI;AACtB;AAQO,SAAS,eAAe,aAA2C;AACxE,SAAO;AAAA,IACL,MAAM,IAAI,KAAK,MAAM,MAAM;AACzB,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,OAAO;AAAA,QACX,IAAI,iBAAiB;AAAA,UACnB,QAAQ;AAAA,UACR,KAAK;AAAA,UACL,MAAM;AAAA,UACN,aAAa,KAAK;AAAA,QACpB,CAAC;AAAA,MACH;AACA,aAAO,EAAE,IAAI;AAAA,IACf;AAAA,IAEA,MAAM,IAAI,KAAK;AACb,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,WAAW,MAAM,OAAO,KAAK,IAAI,iBAAiB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,CAAC;AACrF,YAAM,OAAO,SAAS;AACtB,UAAI,CAAC,MAAM;AACT,cAAM,IAAI,MAAM,mCAAmC,GAAG,GAAG;AAAA,MAC3D;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,KAAK;AAChB,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,YAAM,OAAO,KAAK,IAAI,oBAAoB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,CAAC;AAAA,IACzE;AAAA,IAEA,MAAM,UAAU,KAAK,cAAc;AACjC,YAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,oBAAc,MAAM;AACpB,aAAO,aAAa,QAAQ,IAAI,iBAAiB,EAAE,QAAQ,QAAQ,KAAK,IAAI,CAAC,GAAG,EAAE,WAAW,aAAa,CAAC;AAAA,IAC7G;AAAA,EACF;AACF;AAEA,SAAS,cAAc,QAAsB;AAC3C,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,MAAM,yDAAyD;AAAA,EAC3E;AACF;","names":[]}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@crowi/plugin-storage-aws-s3",
+  "version": "0.1.0-alpha.0",
+  "description": "AWS S3 storage driver for Crowi 2.0. Depends on @crowi/plugin-aws for shared credentials.",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "zod": "^4.4.3"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1060.0",
+    "@aws-sdk/s3-request-presigner": "^3.1060.0",
+    "@crowi/plugin-api": "^0.1.0-alpha.0",
+    "@crowi/plugin-aws": "^0.1.0-alpha.0"
+  },
+  "devDependencies": {
+    "@types/node": "^24",
+    "tsup": "^8.3.5",
+    "typescript": "^5.8.3",
+    "zod": "^4.4.3",
+    "@crowi/plugin-aws": "0.1.0-alpha.0",
+    "@crowi/tsconfig": "0.1.0-alpha.0",
+    "@crowi/plugin-api": "0.1.0-alpha.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch --no-clean",
+    "type-check": "tsc --noEmit"
+  }
+}