ep_media_upload 0.1.0 → 0.2.0

package/README.md

@@ -1,266 +1,95 @@
-# ep_media_upload – BETA: Etherpad Media Upload Plugin
+# ep_media_upload
 
-## Overview
+Etherpad plugin for secure file uploads via S3 presigned URLs.
 
-A lightweight Etherpad plugin that adds file upload capability via an S3 presigned URL workflow. Upon successful upload, a hyperlink is inserted into the document using the same format as `ep_hyperlinked_text`, making the two plugins fully compatible.
+**Requires:** `ep_hyperlinked_text`
 
----
+## How It Works
 
-## Features
+1. User clicks paperclip button → selects file
+2. Client uploads directly to S3 (server never handles file data)
+3. Hyperlink inserted into document pointing to secure download endpoint
+4. On click, Etherpad verifies access and redirects to short-lived S3 URL
 
-### Toolbar Integration
-- **Paperclip icon** button in the left editbar menu
-- Button is **hidden in read-only mode** (uses `acl-write` class)
-- Triggers native file picker dialog on click
+**S3 bucket can be completely private** – downloads go through authenticated Etherpad endpoint.
 
-### Upload Workflow
-- **Client-side presigned URL pattern** (identical to ep_images_extended)
-  1. Client requests presigned PUT URL from Etherpad server
-  2. Server generates presigned URL using AWS SDK v3 (credentials from environment variables, not settings.json)
-  3. Client uploads file directly to S3 (server never touches file)
-  4. On success, client inserts hyperlink into document
-- **No base64 or local storage options** – S3 only
-- **Scalable & secure**: Server only generates presigned URLs, no file handling
+## Configuration
 
-### File Restrictions
-- **Allowed file types**: Configurable via `settings.json` (array of extensions without dots)
-- **Maximum file size**: Configurable via `settings.json` (in bytes)
+### settings.json
 
-### Document Integration
-- On upload success, inserts a **hyperlink** into the document
-- **Link text**: Original filename (e.g., "quarterly-report.pdf")
-- **Link URL**: S3 public/CDN URL for direct download
-- **Hyperlink format**: 100% compatible with `ep_hyperlinked_text` plugin
-  - Uses `hyperlink` attribute with URL value
-  - Renders as clickable `<a>` tag with `target="_blank"`
-
-### Upload Feedback UI
-- **Progress modal** during upload:
-  - Shows "Uploading..." message
-  - Basic visual indicator (e.g., spinner or progress text)
-- **Success state**: Brief confirmation, then modal dismisses
-- **Error state**: Shows error message with dismiss button
-- Modal positioned center-screen (similar to ep_images_extended loader)
-
----
-
-## Configuration (settings.json)
-
-```jsonc
+```json
 "ep_media_upload": {
   "storage": {
-    "type": "s3_presigned",       // Only supported type
-    "region": "us-east-1",        // AWS region
-    "bucket": "my-bucket-name",   // S3 bucket name
-    "keyPrefix": "uploads/",      // Optional S3 key prefix (for CloudFront path-based routing)
-    "publicURL": "https://cdn.example.com/uploads/",  // Optional CDN URL (should include prefix if using keyPrefix)
-    "expires": 900                // Presigned URL expiry in seconds (default 600)
+    "type": "s3_presigned",
+    "region": "us-east-1",
+    "bucket": "my-bucket-name",
+    "keyPrefix": "uploads/",
+    "expires": 900,
+    "downloadExpires": 300
   },
-  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mp3", "mp4", "wav", "mov", "zip", "txt"],
-  "maxFileSize": 52428800         // 50 MB in bytes
+  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip"],
+  "maxFileSize": 52428800
 }
 ```
 
-### Storage Options Explained
+### Storage Options
 
-| Option | Description |
-|--------|-------------|
-| `type` | Must be `"s3_presigned"` (only supported storage type) |
-| `region` | AWS region (e.g., `"us-east-1"`) |
-| `bucket` | S3 bucket name |
-| `keyPrefix` | Optional prefix for S3 keys (e.g., `"uploads/"` → keys become `uploads/padId/uuid.ext`) |
-| `publicURL` | Optional CDN/custom URL base. If using `keyPrefix`, include it in this URL. |
-| `expires` | Presigned URL expiry in seconds (default: 600) |
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `type` | Yes | — | Must be `"s3_presigned"` |
+| `region` | Yes | — | AWS region (e.g., `"us-east-1"`) |
+| `bucket` | Yes | — | S3 bucket name |
+| `keyPrefix` | No | `""` | Prefix for S3 keys (e.g., `"uploads/"`) |
+| `expires` | No | `600` | Upload URL expiry in seconds (10 min) |
+| `downloadExpires` | No | `300` | Download URL expiry in seconds (5 min) |
 
-**Example with CloudFront path-based routing:**
-```jsonc
-"storage": {
-  "type": "s3_presigned",
-  "region": "us-east-1",
-  "bucket": "my-bucket",
-  "keyPrefix": "uploads/",                              // S3 key: uploads/padId/uuid.pdf
-  "publicURL": "https://d123.cloudfront.net/uploads/"   // Public URL includes prefix
-}
-```
-
-### Environment Variables (AWS Credentials)
-- `AWS_ACCESS_KEY_ID`
-- `AWS_SECRET_ACCESS_KEY`
-- `AWS_SESSION_TOKEN` (optional, for temporary credentials)
+### Other Options
 
----
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `fileTypes` | No | all | Array of allowed extensions (without dots) |
+| `maxFileSize` | No | unlimited | Max file size in bytes |
 
-## File Structure
+### Environment Variables
 
 ```
-ep_media_upload/
-├── ep.json                 # Plugin manifest (hooks registration)
-├── index.js                # Server-side hooks (presign endpoint, clientVars)
-├── package.json            # NPM package definition
-├── locales/
-│   └── en.json             # English translations
-├── static/
-│   ├── css/
-│   │   └── ep_media_upload.css   # Modal styles
-│   └── js/
-│       └── clientHooks.js        # Client-side upload logic
-└── templates/
-    ├── uploadButton.ejs          # Toolbar button HTML
-    └── uploadModal.ejs           # Progress/error modal HTML
+AWS_ACCESS_KEY_ID=...
+AWS_SECRET_ACCESS_KEY=...
 ```
 
----
-
-## Hook Registration (ep.json)
-
-### Client Hooks
-- `postToolbarInit` – Register toolbar button command
-- `postAceInit` – (Optional) Any initialization after editor ready
-
-### Server Hooks
-- `eejsBlock_editbarMenuLeft` – Inject toolbar button HTML
-- `eejsBlock_body` – Inject modal HTML
-- `expressConfigure` – Register `/p/:padId/pluginfw/ep_media_upload/s3_presign` endpoint
-- `clientVars` – Pass config to client (fileTypes, maxFileSize, storageType)
-- `loadSettings` – Sync settings to runtime
+## S3 Setup
 
----
+### Block Public Access
 
-## Server Endpoint: Presign
+All four "Block Public Access" settings can be enabled since downloads go through Etherpad.
 
-### Route
-```
-GET /p/:padId/pluginfw/ep_media_upload/s3_presign?name=<filename>&type=<mimetype>
-```
-
-### Authentication
-- Validates session (cookie-based or express session)
-- Rate limiting: Max 30 requests per IP per minute (configurable)
+### CORS (for uploads)
 
-### Response
 ```json
-{
-  "signedUrl": "https://bucket.s3.region.amazonaws.com/padId/uuid.ext?...",
-  "publicUrl": "https://cdn.example.com/padId/uuid.ext"
-}
-```
-
-### Security
-- File extension validated against allowed `fileTypes`
-- Unique filename generated: `<padId>/<uuid>.<ext>`
-- MIME type passed to S3 for proper Content-Type header
-
----
-
-## Client Upload Flow
-
-1. User clicks paperclip button
-2. File picker opens (native `<input type="file">`)
-3. User selects file
-4. **Validation** (client-side):
-   - Check file extension against `clientVars.ep_media_upload.fileTypes`
-   - Check file size against `clientVars.ep_media_upload.maxFileSize`
-   - Show error modal if validation fails
-5. **Show upload modal** with "Uploading..." state
-6. **Request presigned URL** from server
-7. **PUT file to S3** using presigned URL
-8. **On success**:
-   - Show brief success message
-   - Dismiss modal
-   - Insert hyperlink at cursor position using `ace_doInsertMediaLink()`
-9. **On failure**:
-   - Show error message in modal
-   - User dismisses manually
-
----
-
-## Hyperlink Insertion
-
-Uses the same mechanism as `ep_hyperlinked_text`:
-
-```javascript
-// Insert text with hyperlink attribute
-const filename = file.name;  // e.g., "report.pdf"
-const url = publicUrl;       // e.g., "https://cdn.example.com/padId/abc123.pdf"
-
-// Insert filename text at cursor
-editorInfo.ace_replaceRange(cursorPos, cursorPos, filename);
-
-// Apply hyperlink attribute to the inserted text
-docMan.setAttributesOnRange(
-  [cursorPos[0], cursorPos[1]],
-  [cursorPos[0], cursorPos[1] + filename.length],
-  [['hyperlink', url]]
-);
+[{
+  "AllowedOrigins": ["https://your-etherpad-domain.com"],
+  "AllowedMethods": ["PUT"],
+  "AllowedHeaders": ["Content-Type", "Content-Disposition"],
+  "MaxAgeSeconds": 3000
+}]
 ```
 
-This ensures:
-- Full compatibility with ep_hyperlinked_text rendering
-- Clickable links that open in new tab
-- Proper HTML export with `<a>` tags
-
----
-
-## Error Handling
-
-| Error | User Message |
-|-------|--------------|
-| Invalid file type | "File type not allowed. Allowed types: pdf, doc, ..." |
-| File too large | "File is too large. Maximum size: 50 MB." |
-| Presign request failed | "Upload failed. Please try again." |
-| S3 upload failed | "Upload failed. Please try again." |
-| Network error | "Network error. Please check your connection." |
-
----
-
-## Compatibility Notes
-
-- **Etherpad version**: Requires >= 1.8.6 (for ESM Settings module compatibility)
-- **Node.js version**: >= 18.0.0
-- **ep_hyperlinked_text**: Fully compatible – inserted links render/export identically
-- **Read-only pads**: Upload button automatically hidden
-
----
+### IAM Permissions
 
-## Security Considerations
+- `s3:PutObject`
+- `s3:GetObject`
 
-1. **No server-side file handling**: Files never touch the Etherpad server
-2. **Authentication required**: Presign endpoint validates session
-3. **Rate limiting**: Prevents presign endpoint abuse
-4. **File type allowlist**: Only configured extensions accepted
-5. **Unique filenames**: UUIDs prevent enumeration/overwrites
-6. **CORS on S3**: Bucket must allow PUT from pad origins
+## Security
 
----
-
-## S3 Bucket CORS Configuration
-
-Required CORS policy for the S3 bucket:
-
-```json
-[
-  {
-    "AllowedOrigins": ["https://your-etherpad-domain.com"],
-    "AllowedMethods": ["PUT"],
-    "AllowedHeaders": ["Content-Type"],
-    "MaxAgeSeconds": 3000
-  }
-]
-```
-
----
+- **Authentication**: All endpoints require valid Etherpad session
+- **Fail-closed**: Requests denied if security module unavailable  
+- **Rate limiting**: 30 requests/IP/minute
+- **Input validation**: Path traversal protection on all parameters
+- **Short-lived URLs**: Download links expire quickly (configurable)
+- **Audit logging**: All uploads/downloads logged
 
 ## Dependencies
 
-```json
-{
-  "dependencies": {
-    "@aws-sdk/client-s3": "^3.555.0",
-    "@aws-sdk/s3-request-presigner": "^3.555.0"
-  },
-  "peerDependencies": {
-    "ep_etherpad-lite": ">=1.8.6"
-  }
-}
-```
-
+- `@aws-sdk/client-s3`
+- `@aws-sdk/s3-request-presigner`
+- `ep_etherpad-lite` >= 1.8.6

package/ep.json

@@ -10,7 +10,7 @@
       "hooks": {
         "eejsBlock_editbarMenuLeft": "ep_media_upload/index",
         "eejsBlock_body": "ep_media_upload/index",
-        "expressConfigure": "ep_media_upload/index",
+        "expressCreateServer": "ep_media_upload/index",
         "clientVars": "ep_media_upload/index",
         "loadSettings": "ep_media_upload/index"
       }

package/index.js

@@ -17,9 +17,9 @@ try {
 }
 
 // AWS SDK v3 for presigned URLs
-let S3Client, PutObjectCommand, getSignedUrl;
+let S3Client, PutObjectCommand, GetObjectCommand, getSignedUrl;
 try {
-  ({ S3Client, PutObjectCommand } = require('@aws-sdk/client-s3'));
+  ({ S3Client, PutObjectCommand, GetObjectCommand } = require('@aws-sdk/client-s3'));
   ({ getSignedUrl } = require('@aws-sdk/s3-request-presigner'));
 } catch (e) {
   console.warn('[ep_media_upload] AWS SDK not installed; s3_presigned storage will not work.');
@@ -72,17 +72,26 @@ const _rateLimitCheck = (ip) => {
 /**
  * Validate padId to prevent path traversal and injection attacks.
  * Returns true if valid, false if invalid.
+ * 
+ * Etherpad pad IDs can contain various characters including:
+ * - Alphanumeric, hyphens, underscores
+ * - Dots and colons (common in pad names)
+ * - $ (for group pads, e.g., g.xxxxxxxx$padName)
+ * 
+ * We use a blocklist approach to reject only dangerous patterns.
  */
 const isValidPadId = (padId) => {
   if (!padId || typeof padId !== 'string') return false;
+  if (padId.length === 0 || padId.length > 500) return false; // Reasonable length limits
   // Reject path traversal sequences
   if (padId.includes('..')) return false;
   // Reject null bytes
   if (padId.includes('\0')) return false;
-  // Allow alphanumeric, hyphens, underscores, and $ (for group pads)
-  // This is permissive but still prevents dangerous characters
-  const safePattern = /^[a-zA-Z0-9_\-$]+$/;
-  return safePattern.test(padId);
+  // Reject slashes (forward and back) to prevent path manipulation
+  if (padId.includes('/') || padId.includes('\\')) return false;
+  // Reject control characters (ASCII 0-31)
+  if (/[\x00-\x1f]/.test(padId)) return false;
+  return true;
 };
 
 /**
@@ -163,6 +172,24 @@ const isValidMimeForExtension = (extension, mimeType) => {
   return allowedMimes.some(allowed => allowed === normalizedMime);
 };
 
+/**
+ * Validate file ID for download endpoint.
+ * File ID format: UUID (with hyphens) + dot + extension
+ * Example: "a1b2c3d4-e5f6-7890-abcd-ef1234567890.pdf"
+ * Returns true if valid, false if invalid.
+ */
+const isValidFileId = (fileId) => {
+  if (!fileId || typeof fileId !== 'string') return false;
+  if (fileId.length > 100) return false; // UUID (36) + dot (1) + extension (max ~10)
+  // Reject path traversal and dangerous characters
+  if (fileId.includes('..') || fileId.includes('/') || fileId.includes('\\')) return false;
+  if (fileId.includes('\0')) return false;
+  // Must match: UUID format (with hyphens) + dot + alphanumeric extension
+  // UUID: 8-4-4-4-12 hex chars with hyphens = 36 chars
+  if (!/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\.[a-z0-9]+$/i.test(fileId)) return false;
+  return true;
+};
+
 // ============================================================================
 // Hooks
 // ============================================================================
@@ -231,10 +258,10 @@ exports.eejsBlock_body = (hookName, args, cb) => {
 };
 
 /**
- * expressConfigure hook
- * Register the S3 presign endpoint
+ * expressCreateServer hook
+ * Register the S3 presign and download endpoints
  */
-exports.expressConfigure = (hookName, context) => {
+exports.expressCreateServer = (hookName, context) => {
   logger.info('[ep_media_upload] Registering presign endpoint');
 
   // Route: GET /p/:padId/pluginfw/ep_media_upload/s3_presign
@@ -248,27 +275,24 @@ exports.expressConfigure = (hookName, context) => {
 
     /* ------------------ Pad Access Verification ------------------ */
     // Use Etherpad's SecurityManager to verify user has access to this pad
-    if (securityManager) {
-      try {
-        const sessionCookie = req.cookies?.sessionID || null;
-        const token = req.cookies?.token || null;
-        const user = req.session?.user || null;
-
-        const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
-        if (accessResult.accessStatus !== 'grant') {
-          return res.status(403).json({ error: 'Access denied to this pad' });
-        }
-      } catch (authErr) {
-        logger.error('[ep_media_upload] Access check error:', authErr);
-        return res.status(500).json({ error: 'Access verification failed' });
-      }
-    } else {
-      // Fallback: basic cookie check if SecurityManager unavailable
-      const hasExpressSession = req.session && (req.session.user || req.session.authorId);
-      const hasPadCookie = req.cookies && (req.cookies.sessionID || req.cookies.token);
-      if (!hasExpressSession && !hasPadCookie) {
-        return res.status(401).json({ error: 'Authentication required' });
+    // SECURITY: Fail closed - if SecurityManager is unavailable, deny all requests
+    if (!securityManager) {
+      logger.error('[ep_media_upload] SECURITY: SecurityManager unavailable - denying upload request. This should not happen in a properly configured Etherpad instance.');
+      return res.status(500).json({ error: 'Security module unavailable' });
+    }
+
+    try {
+      const sessionCookie = req.cookies?.sessionID || null;
+      const token = req.cookies?.token || null;
+      const user = req.session?.user || null;
+
+      const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
+      if (accessResult.accessStatus !== 'grant') {
+        return res.status(403).json({ error: 'Access denied to this pad' });
       }
+    } catch (authErr) {
+      logger.error('[ep_media_upload] Access check error:', authErr);
+      return res.status(500).json({ error: 'Access verification failed' });
     }
 
     /* ------------------ Rate limiting --------------------- */
@@ -287,7 +311,7 @@ exports.expressConfigure = (hookName, context) => {
         return res.status(500).json({ error: 'AWS SDK not available on server' });
       }
 
-      const { bucket, region, publicURL, expires, keyPrefix } = storageCfg;
+      const { bucket, region, expires, keyPrefix } = storageCfg;
       if (!bucket || !region) {
         return res.status(500).json({ error: 'Invalid S3 configuration: missing bucket or region' });
       }
@@ -330,32 +354,134 @@ exports.expressConfigure = (hookName, context) => {
       // This ensures files download with their original name instead of the UUID
       const originalFilename = path.basename(name);
       const safeFilename = originalFilename.replace(/[^\w\-_.]/g, '_'); // Sanitize for header
+      const contentDisposition = `attachment; filename="${safeFilename}"`;
 
       const putCommand = new PutObjectCommand({
         Bucket: bucket,
         Key: key,
         ContentType: type,
         // Force download instead of opening in browser
-        ContentDisposition: `attachment; filename="${safeFilename}"`,
+        ContentDisposition: contentDisposition,
       });
 
       const signedUrl = await getSignedUrl(s3Client, putCommand, { expiresIn: expires || 600 });
 
-      // Build public URL:
-      // - If custom publicURL is set (e.g., CDN), it already includes the prefix path
-      // - If no publicURL, use direct S3 URL with full key
-      let publicUrl;
-      if (publicURL) {
-        publicUrl = new url.URL(objectPath, publicURL).toString();
-      } else {
-        const s3Base = `https://${bucket}.s3.${region}.amazonaws.com/`;
-        publicUrl = new url.URL(key, s3Base).toString();
-      }
+      // Build secure download URL (relative path that goes through our auth-protected endpoint)
+      // Using query parameter for fileId to ensure Express 4/5 compatibility (path params don't handle dots well in Express 5)
+      const fileId = path.basename(key); // e.g., "abc123-def456.pdf"
+      const downloadUrl = `/p/${encodeURIComponent(padId)}/pluginfw/ep_media_upload/download?file=${encodeURIComponent(fileId)}`;
 
-      return res.json({ signedUrl, publicUrl });
+      // Log upload request for audit trail
+      // Note: Never log tokens or session cookies - only non-sensitive identifiers
+      const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
+      logger.info(`[ep_media_upload] UPLOAD: user="${userId}" pad="${padId}" file="${originalFilename}" s3key="${key}"`);
+
+      // Return downloadUrl for hyperlink insertion (authenticated download endpoint)
+      // Also return signedUrl for the actual S3 upload and contentDisposition for PUT headers
+      return res.json({ signedUrl, downloadUrl, contentDisposition });
     } catch (err) {
       logger.error('[ep_media_upload] S3 presign error', err);
       return res.status(500).json({ error: 'Failed to generate presigned URL' });
     }
   });
+
+  // ============================================================================
+  // Download Endpoint - Secure file access via presigned GET URL redirect
+  // ============================================================================
+  // Route: GET /p/:padId/pluginfw/ep_media_upload/download?file=<fileId>
+  // Using query parameter for fileId to ensure Express 4/5 compatibility
+  logger.info('[ep_media_upload] Registering download endpoint');
+
+  context.app.get('/p/:padId/pluginfw/ep_media_upload/download', async (req, res) => {
+    const { padId } = req.params;
+    const fileId = req.query.file;
+
+    /* ------------------ Validate padId ------------------ */
+    if (!isValidPadId(padId)) {
+      return res.status(400).json({ error: 'Invalid pad ID' });
+    }
+
+    /* ------------------ Validate fileId ------------------ */
+    if (!isValidFileId(fileId)) {
+      return res.status(400).json({ error: 'Invalid file ID' });
+    }
+
+    /* ------------------ Pad Access Verification ------------------ */
+    // Use Etherpad's SecurityManager to verify user has access to this pad
+    // SECURITY: Fail closed - if SecurityManager is unavailable, deny all requests
+    if (!securityManager) {
+      logger.error('[ep_media_upload] SECURITY: SecurityManager unavailable - denying download request. This should not happen in a properly configured Etherpad instance.');
+      return res.status(500).json({ error: 'Security module unavailable' });
+    }
+
+    try {
+      const sessionCookie = req.cookies?.sessionID || null;
+      const token = req.cookies?.token || null;
+      const user = req.session?.user || null;
+
+      const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
+      if (accessResult.accessStatus !== 'grant') {
+        return res.status(403).json({ error: 'Access denied to this pad' });
+      }
+    } catch (authErr) {
+      logger.error('[ep_media_upload] Download access check error:', authErr);
+      return res.status(500).json({ error: 'Access verification failed' });
+    }
+
+    /* ------------------ Rate limiting --------------------- */
+    const ip = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
+    if (!_rateLimitCheck(ip)) {
+      return res.status(429).json({ error: 'Too many download requests' });
+    }
+
+    try {
+      const storageCfg = settings.ep_media_upload && settings.ep_media_upload.storage;
+      if (!storageCfg || storageCfg.type !== 's3_presigned') {
+        return res.status(400).json({ error: 's3_presigned storage not configured' });
+      }
+
+      if (!S3Client || !GetObjectCommand || !getSignedUrl) {
+        return res.status(500).json({ error: 'AWS SDK not available on server' });
+      }
+
+      const { bucket, region, keyPrefix, downloadExpires } = storageCfg;
+      if (!bucket || !region) {
+        return res.status(500).json({ error: 'Invalid S3 configuration: missing bucket or region' });
+      }
+
+      // Construct S3 key from padId and fileId
+      // Key format: keyPrefix + padId + "/" + fileId
+      // e.g., "uploads/myPad/abc123-def456.pdf"
+      const prefix = keyPrefix || '';
+      const key = `${prefix}${padId}/${fileId}`;
+
+      // Generate presigned GET URL with short expiry
+      const s3Client = new S3Client({ region });
+      const getCommand = new GetObjectCommand({
+        Bucket: bucket,
+        Key: key,
+      });
+
+      // Use downloadExpires from config, default to 300 seconds (5 minutes)
+      const expiresIn = downloadExpires || 300;
+      const presignedGetUrl = await getSignedUrl(s3Client, getCommand, { expiresIn });
+
+      // Log download request for audit trail
+      const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
+      logger.info(`[ep_media_upload] DOWNLOAD: user="${userId}" pad="${padId}" file="${fileId}"`);
+
+      // Redirect to the presigned URL
+      return res.redirect(302, presignedGetUrl);
+
+    } catch (err) {
+      logger.error('[ep_media_upload] Download presign error:', err);
+      
+      // Check if this is a "NoSuchKey" error (file doesn't exist in S3)
+      if (err.name === 'NoSuchKey' || err.Code === 'NoSuchKey') {
+        return res.status(404).json({ error: 'File not found' });
+      }
+      
+      return res.status(500).json({ error: 'Failed to generate download URL' });
+    }
+  });
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ep_media_upload",
-  "description": "beta - Upload files to S3 and insert hyperlinks into the pad. Compatible with ep_hyperlinked_text.",
-  "version": "0.1.0",
+  "description": "beta - Upload files to S3 and insert hyperlinks into the pad. Requires ep_hyperlinked_text.",
+  "version": "0.2.0",
   "author": {
     "name": "DCastelone",
     "url": "https://github.com/dcastelone"
@@ -12,7 +12,8 @@
     "@aws-sdk/s3-request-presigner": "^3.555.0"
   },
   "peerDependencies": {
-    "ep_etherpad-lite": ">=1.8.6"
+    "ep_etherpad-lite": ">=1.8.6",
+    "ep_hyperlinked_text": "*"
   },
   "engines": {
     "node": ">=18.0.0"

package/static/css/ep_media_upload.css

@@ -50,28 +50,6 @@
   }
 }
 
-/* Icons */
-.ep-media-upload-icon {
-  width: 48px;
-  height: 48px;
-  border-radius: 50%;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  font-size: 24px;
-  font-weight: bold;
-}
-
-.ep-media-upload-icon-success {
-  background-color: #e6f4ea;
-  color: #1e8e3e;
-}
-
-.ep-media-upload-icon-error {
-  background-color: #fce8e6;
-  color: #d93025;
-}
-
 /* Message text */
 .ep-media-upload-message {
   margin: 0;
@@ -107,9 +85,16 @@
   outline-offset: 2px;
 }
 
-/* Toolbar button icon - paperclip */
-.buttonicon-attachment::before {
-  content: "📎";
-  font-size: 16px;
+/* Toolbar button icon - upload file SVG */
+.buttonicon-attachment {
+  background-image: url('../images/upload-file-svgrepo-com.svg');
+  background-size: 16px 16px;
+  background-repeat: no-repeat;
+  background-position: center;
+  width: 16px;
+  height: 16px;
 }
 
+.buttonicon-attachment::before {
+  content: "";
+}

package/static/images/upload-file-svgrepo-com.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 24 24" width="512" height="512"><path d="M21,3H12.236L8.236,1H3C1.346,1,0,2.346,0,4V23H9v-2H2V9H22v12h-7v2h9V6c0-1.654-1.346-3-3-3ZM2,7v-3c0-.552,.449-1,1-1H7.764l4,2h9.236c.551,0,1,.448,1,1v1H2ZM13,15.003v7.997h-2V14.992l-2.291,2.301-1.414-1.414,3.298-3.298c.375-.376,.875-.583,1.406-.583h0c.531,0,1.031,.207,1.406,.584l3.298,3.297-1.414,1.414-2.291-2.29Z"/></svg>

package/static/js/clientHooks.js

@@ -18,19 +18,15 @@ let _aceContext = null;
 const showModal = (state = 'progress') => {
   const modal = $('#mediaUploadModal');
   const progressEl = $('#mediaUploadProgress');
-  const successEl = $('#mediaUploadSuccess');
   const errorEl = $('#mediaUploadError');
 
   // Hide all states
   progressEl.hide();
-  successEl.hide();
   errorEl.hide();
 
   // Show requested state
   if (state === 'progress') {
     progressEl.show();
-  } else if (state === 'success') {
-    successEl.show();
   } else if (state === 'error') {
     errorEl.show();
   }
@@ -43,18 +39,11 @@ const hideModal = () => {
 };
 
 const showError = (message) => {
-  $('.ep-media-upload-error-text').text(message);
+  const errorText = message || 'Upload failed.';
+  $('.ep-media-upload-error-text').text(errorText);
   showModal('error');
 };
 
-const showSuccess = () => {
-  showModal('success');
-  // Auto-hide after 1.5 seconds
-  setTimeout(() => {
-    hideModal();
-  }, 1500);
-};
-
 /**
  * Validate file against configured restrictions
  */
@@ -89,6 +78,7 @@ const validateFile = (file) => {
 
 /**
  * Upload file to S3 using presigned URL
+ * Returns the secure download URL (relative path to our authenticated endpoint)
  */
 const uploadToS3 = async (file) => {
   // Step 1: Get presigned URL from server
@@ -97,14 +87,20 @@ const uploadToS3 = async (file) => {
     `${encodeURIComponent(clientVars.padId)}/pluginfw/ep_media_upload/s3_presign?${queryParams}`
   );
 
-  if (!presignResponse || !presignResponse.signedUrl || !presignResponse.publicUrl) {
+  if (!presignResponse || !presignResponse.signedUrl || !presignResponse.downloadUrl) {
     throw new Error('Invalid presign response from server');
   }
 
   // Step 2: Upload directly to S3
+  // Must include Content-Disposition header as it's part of the presigned URL signature
+  const headers = { 'Content-Type': file.type };
+  if (presignResponse.contentDisposition) {
+    headers['Content-Disposition'] = presignResponse.contentDisposition;
+  }
+
   const uploadResponse = await fetch(presignResponse.signedUrl, {
     method: 'PUT',
-    headers: { 'Content-Type': file.type },
+    headers,
     body: file,
   });
 
@@ -112,7 +108,8 @@ const uploadToS3 = async (file) => {
     throw new Error(`S3 upload failed with status ${uploadResponse.status}`);
   }
 
-  return presignResponse.publicUrl;
+  // Return the secure download URL (authenticated endpoint, not direct S3)
+  return presignResponse.downloadUrl;
 };
 
 /**
@@ -164,20 +161,30 @@ const handleFileUpload = async (file, aceContext) => {
   showModal('progress');
 
   try {
-    // Upload to S3
-    const publicUrl = await uploadToS3(file);
+    // Upload to S3 and get secure download URL
+    const downloadUrl = await uploadToS3(file);
 
-    // Insert hyperlink into document
+    // Insert hyperlink into document (uses authenticated download endpoint)
     aceContext.callWithAce((ace) => {
-      ace.ace_doInsertMediaLink(publicUrl, file.name);
+      ace.ace_doInsertMediaLink(downloadUrl, file.name);
     }, 'insertMediaLink', true);
 
-    // Show success
-    showSuccess();
+    // Hide modal on success (no success message needed)
+    hideModal();
 
   } catch (err) {
     console.error('[ep_media_upload] Upload failed:', err);
-    const errorMsg = html10n.get('ep_media_upload.error.uploadFailed') || 'Upload failed. Please try again.';
+    // Extract error message from various error formats
+    let errorMsg = 'Upload failed.';
+    if (err.responseJSON && err.responseJSON.error) {
+      // jQuery AJAX error with JSON response
+      errorMsg = err.responseJSON.error;
+    } else if (err.message) {
+      // Standard Error object
+      errorMsg = err.message;
+    } else if (typeof err === 'string') {
+      errorMsg = err;
+    }
     showError(errorMsg);
   }
 };

package/templates/uploadModal.ejs

@@ -4,15 +4,9 @@
       <div class="ep-media-upload-spinner"></div>
       <p class="ep-media-upload-message" data-l10n-id="ep_media_upload.status.uploading">Uploading...</p>
     </div>
-    <div id="mediaUploadSuccess" class="ep-media-upload-state" style="display: none;">
-      <div class="ep-media-upload-icon ep-media-upload-icon-success">✓</div>
-      <p class="ep-media-upload-message" data-l10n-id="ep_media_upload.status.success">Upload complete!</p>
-    </div>
     <div id="mediaUploadError" class="ep-media-upload-state" style="display: none;">
-      <div class="ep-media-upload-icon ep-media-upload-icon-error">✕</div>
-      <p class="ep-media-upload-message ep-media-upload-error-text"></p>
+      <p class="ep-media-upload-message ep-media-upload-error-text">Upload failed.</p>
       <button id="mediaUploadErrorClose" class="ep-media-upload-btn" data-l10n-id="ep_media_upload.button.close">Close</button>
     </div>
   </div>
 </div>
-