ep_media_upload 0.1.1 → 0.2.0

package/README.md

@@ -1,266 +1,95 @@
-# ep_media_upload – BETA: Etherpad Media Upload Plugin
+# ep_media_upload
 
-## Overview
+Etherpad plugin for secure file uploads via S3 presigned URLs.
 
-A lightweight Etherpad plugin that adds file upload capability via an S3 presigned URL workflow. Upon successful upload, a hyperlink is inserted into the document using the same format as `ep_hyperlinked_text`. NOTE: this currently REQUIRES ep_hyperlinked_text to work.
+**Requires:** `ep_hyperlinked_text`
 
----
+## How It Works
 
-## Features
+1. User clicks paperclip button → selects file
+2. Client uploads directly to S3 (server never handles file data)
+3. Hyperlink inserted into document pointing to secure download endpoint
+4. On click, Etherpad verifies access and redirects to short-lived S3 URL
 
-### Toolbar Integration
-- **Paperclip icon** button in the left editbar menu
-- Button is **hidden in read-only mode** (uses `acl-write` class)
-- Triggers native file picker dialog on click
+**S3 bucket can be completely private** – downloads go through authenticated Etherpad endpoint.
 
-### Upload Workflow
-- **Client-side presigned URL pattern** (identical to ep_images_extended)
-  1. Client requests presigned PUT URL from Etherpad server
-  2. Server generates presigned URL using AWS SDK v3 (credentials from environment variables, not settings.json)
-  3. Client uploads file directly to S3 (server never touches file)
-  4. On success, client inserts hyperlink into document
-- **No base64 or local storage options** – S3 only
-- **Scalable & secure**: Server only generates presigned URLs, no file handling
+## Configuration
 
-### File Restrictions
-- **Allowed file types**: Configurable via `settings.json` (array of extensions without dots)
-- **Maximum file size**: Configurable via `settings.json` (in bytes)
+### settings.json
 
-### Document Integration
-- On upload success, inserts a **hyperlink** into the document
-- **Link text**: Original filename (e.g., "quarterly-report.pdf")
-- **Link URL**: S3 public/CDN URL for direct download
-- **Hyperlink format**: 100% compatible with `ep_hyperlinked_text` plugin
-  - Uses `hyperlink` attribute with URL value
-  - Renders as clickable `<a>` tag with `target="_blank"`
-
-### Upload Feedback UI
-- **Progress modal** during upload:
-  - Shows "Uploading..." message
-  - Basic visual indicator (e.g., spinner or progress text)
-- **Success state**: Brief confirmation, then modal dismisses
-- **Error state**: Shows error message with dismiss button
-- Modal positioned center-screen (similar to ep_images_extended loader)
-
----
-
-## Configuration (settings.json)
-
-```jsonc
+```json
 "ep_media_upload": {
   "storage": {
-    "type": "s3_presigned",       // Only supported type
-    "region": "us-east-1",        // AWS region
-    "bucket": "my-bucket-name",   // S3 bucket name
-    "keyPrefix": "uploads/",      // Optional S3 key prefix (for CloudFront path-based routing)
-    "publicURL": "https://cdn.example.com/uploads/",  // Optional CDN URL (should include prefix if using keyPrefix)
-    "expires": 900                // Presigned URL expiry in seconds (default 600)
+    "type": "s3_presigned",
+    "region": "us-east-1",
+    "bucket": "my-bucket-name",
+    "keyPrefix": "uploads/",
+    "expires": 900,
+    "downloadExpires": 300
   },
-  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mp3", "mp4", "wav", "mov", "zip", "txt"],
-  "maxFileSize": 52428800         // 50 MB in bytes
+  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip"],
+  "maxFileSize": 52428800
 }
 ```
 
-### Storage Options Explained
+### Storage Options
 
-| Option | Description |
-|--------|-------------|
-| `type` | Must be `"s3_presigned"` (only supported storage type) |
-| `region` | AWS region (e.g., `"us-east-1"`) |
-| `bucket` | S3 bucket name |
-| `keyPrefix` | Optional prefix for S3 keys (e.g., `"uploads/"` → keys become `uploads/padId/uuid.ext`) |
-| `publicURL` | Optional CDN/custom URL base. If using `keyPrefix`, include it in this URL. |
-| `expires` | Presigned URL expiry in seconds (default: 600) |
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `type` | Yes | — | Must be `"s3_presigned"` |
+| `region` | Yes | — | AWS region (e.g., `"us-east-1"`) |
+| `bucket` | Yes | — | S3 bucket name |
+| `keyPrefix` | No | `""` | Prefix for S3 keys (e.g., `"uploads/"`) |
+| `expires` | No | `600` | Upload URL expiry in seconds (10 min) |
+| `downloadExpires` | No | `300` | Download URL expiry in seconds (5 min) |
 
-**Example with CloudFront path-based routing:**
-```jsonc
-"storage": {
-  "type": "s3_presigned",
-  "region": "us-east-1",
-  "bucket": "my-bucket",
-  "keyPrefix": "uploads/",                              // S3 key: uploads/padId/uuid.pdf
-  "publicURL": "https://d123.cloudfront.net/uploads/"   // Public URL includes prefix
-}
-```
-
-### Environment Variables (AWS Credentials)
-- `AWS_ACCESS_KEY_ID`
-- `AWS_SECRET_ACCESS_KEY`
-- `AWS_SESSION_TOKEN` (optional, for temporary credentials)
+### Other Options
 
----
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `fileTypes` | No | all | Array of allowed extensions (without dots) |
+| `maxFileSize` | No | unlimited | Max file size in bytes |
 
-## File Structure
+### Environment Variables
 
 ```
-ep_media_upload/
-├── ep.json                 # Plugin manifest (hooks registration)
-├── index.js                # Server-side hooks (presign endpoint, clientVars)
-├── package.json            # NPM package definition
-├── locales/
-│   └── en.json             # English translations
-├── static/
-│   ├── css/
-│   │   └── ep_media_upload.css   # Modal styles
-│   └── js/
-│       └── clientHooks.js        # Client-side upload logic
-└── templates/
-    ├── uploadButton.ejs          # Toolbar button HTML
-    └── uploadModal.ejs           # Progress/error modal HTML
+AWS_ACCESS_KEY_ID=...
+AWS_SECRET_ACCESS_KEY=...
 ```
 
----
-
-## Hook Registration (ep.json)
-
-### Client Hooks
-- `postToolbarInit` – Register toolbar button command
-- `postAceInit` – (Optional) Any initialization after editor ready
-
-### Server Hooks
-- `eejsBlock_editbarMenuLeft` – Inject toolbar button HTML
-- `eejsBlock_body` – Inject modal HTML
-- `expressConfigure` – Register `/p/:padId/pluginfw/ep_media_upload/s3_presign` endpoint
-- `clientVars` – Pass config to client (fileTypes, maxFileSize, storageType)
-- `loadSettings` – Sync settings to runtime
+## S3 Setup
 
----
+### Block Public Access
 
-## Server Endpoint: Presign
+All four "Block Public Access" settings can be enabled since downloads go through Etherpad.
 
-### Route
-```
-GET /p/:padId/pluginfw/ep_media_upload/s3_presign?name=<filename>&type=<mimetype>
-```
-
-### Authentication
-- Validates session (cookie-based or express session)
-- Rate limiting: Max 30 requests per IP per minute (configurable)
+### CORS (for uploads)
 
-### Response
 ```json
-{
-  "signedUrl": "https://bucket.s3.region.amazonaws.com/padId/uuid.ext?...",
-  "publicUrl": "https://cdn.example.com/padId/uuid.ext"
-}
-```
-
-### Security
-- File extension validated against allowed `fileTypes`
-- Unique filename generated: `<padId>/<uuid>.<ext>`
-- MIME type passed to S3 for proper Content-Type header
-
----
-
-## Client Upload Flow
-
-1. User clicks paperclip button
-2. File picker opens (native `<input type="file">`)
-3. User selects file
-4. **Validation** (client-side):
-   - Check file extension against `clientVars.ep_media_upload.fileTypes`
-   - Check file size against `clientVars.ep_media_upload.maxFileSize`
-   - Show error modal if validation fails
-5. **Show upload modal** with "Uploading..." state
-6. **Request presigned URL** from server
-7. **PUT file to S3** using presigned URL
-8. **On success**:
-   - Show brief success message
-   - Dismiss modal
-   - Insert hyperlink at cursor position using `ace_doInsertMediaLink()`
-9. **On failure**:
-   - Show error message in modal
-   - User dismisses manually
-
----
-
-## Hyperlink Insertion
-
-Uses the same mechanism as `ep_hyperlinked_text`:
-
-```javascript
-// Insert text with hyperlink attribute
-const filename = file.name;  // e.g., "report.pdf"
-const url = publicUrl;       // e.g., "https://cdn.example.com/padId/abc123.pdf"
-
-// Insert filename text at cursor
-editorInfo.ace_replaceRange(cursorPos, cursorPos, filename);
-
-// Apply hyperlink attribute to the inserted text
-docMan.setAttributesOnRange(
-  [cursorPos[0], cursorPos[1]],
-  [cursorPos[0], cursorPos[1] + filename.length],
-  [['hyperlink', url]]
-);
+[{
+  "AllowedOrigins": ["https://your-etherpad-domain.com"],
+  "AllowedMethods": ["PUT"],
+  "AllowedHeaders": ["Content-Type", "Content-Disposition"],
+  "MaxAgeSeconds": 3000
+}]
 ```
 
-This ensures:
-- Full compatibility with ep_hyperlinked_text rendering
-- Clickable links that open in new tab
-- Proper HTML export with `<a>` tags
-
----
-
-## Error Handling
-
-| Error | User Message |
-|-------|--------------|
-| Invalid file type | "File type not allowed. Allowed types: pdf, doc, ..." |
-| File too large | "File is too large. Maximum size: 50 MB." |
-| Presign request failed | "Upload failed. Please try again." |
-| S3 upload failed | "Upload failed. Please try again." |
-| Network error | "Network error. Please check your connection." |
-
----
-
-## Compatibility Notes
-
-- **Etherpad version**: Requires >= 1.8.6 (for ESM Settings module compatibility)
-- **Node.js version**: >= 18.0.0
-- **ep_hyperlinked_text**: **Required** – this plugin uses the `hyperlink` attribute which ep_hyperlinked_text renders as clickable links
-- **Read-only pads**: Upload button automatically hidden
-
----
+### IAM Permissions
 
-## Security Considerations
+- `s3:PutObject`
+- `s3:GetObject`
 
-1. **No server-side file handling**: Files never touch the Etherpad server
-2. **Authentication required**: Presign endpoint validates session
-3. **Rate limiting**: Prevents presign endpoint abuse
-4. **File type allowlist**: Only configured extensions accepted
-5. **Unique filenames**: UUIDs prevent enumeration/overwrites
-6. **CORS on S3**: Bucket must allow PUT from pad origins
+## Security
 
----
-
-## S3 Bucket CORS Configuration
-
-Required CORS policy for the S3 bucket:
-
-```json
-[
-  {
-    "AllowedOrigins": ["https://your-etherpad-domain.com"],
-    "AllowedMethods": ["PUT"],
-    "AllowedHeaders": ["Content-Type"],
-    "MaxAgeSeconds": 3000
-  }
-]
-```
-
----
+- **Authentication**: All endpoints require valid Etherpad session
+- **Fail-closed**: Requests denied if security module unavailable  
+- **Rate limiting**: 30 requests/IP/minute
+- **Input validation**: Path traversal protection on all parameters
+- **Short-lived URLs**: Download links expire quickly (configurable)
+- **Audit logging**: All uploads/downloads logged
 
 ## Dependencies
 
-```json
-{
-  "dependencies": {
-    "@aws-sdk/client-s3": "^3.555.0",
-    "@aws-sdk/s3-request-presigner": "^3.555.0"
-  },
-  "peerDependencies": {
-    "ep_etherpad-lite": ">=1.8.6"
-  }
-}
-```
-
+- `@aws-sdk/client-s3`
+- `@aws-sdk/s3-request-presigner`
+- `ep_etherpad-lite` >= 1.8.6

package/ep.json

@@ -10,7 +10,7 @@
       "hooks": {
         "eejsBlock_editbarMenuLeft": "ep_media_upload/index",
         "eejsBlock_body": "ep_media_upload/index",
-        "expressConfigure": "ep_media_upload/index",
+        "expressCreateServer": "ep_media_upload/index",
         "clientVars": "ep_media_upload/index",
         "loadSettings": "ep_media_upload/index"
       }

package/index.js

@@ -17,9 +17,9 @@ try {
 }
 
 // AWS SDK v3 for presigned URLs
-let S3Client, PutObjectCommand, getSignedUrl;
+let S3Client, PutObjectCommand, GetObjectCommand, getSignedUrl;
 try {
-  ({ S3Client, PutObjectCommand } = require('@aws-sdk/client-s3'));
+  ({ S3Client, PutObjectCommand, GetObjectCommand } = require('@aws-sdk/client-s3'));
   ({ getSignedUrl } = require('@aws-sdk/s3-request-presigner'));
 } catch (e) {
   console.warn('[ep_media_upload] AWS SDK not installed; s3_presigned storage will not work.');
@@ -172,6 +172,24 @@ const isValidMimeForExtension = (extension, mimeType) => {
   return allowedMimes.some(allowed => allowed === normalizedMime);
 };
 
+/**
+ * Validate file ID for download endpoint.
+ * File ID format: UUID (with hyphens) + dot + extension
+ * Example: "a1b2c3d4-e5f6-7890-abcd-ef1234567890.pdf"
+ * Returns true if valid, false if invalid.
+ */
+const isValidFileId = (fileId) => {
+  if (!fileId || typeof fileId !== 'string') return false;
+  if (fileId.length > 100) return false; // UUID (36) + dot (1) + extension (max ~10)
+  // Reject path traversal and dangerous characters
+  if (fileId.includes('..') || fileId.includes('/') || fileId.includes('\\')) return false;
+  if (fileId.includes('\0')) return false;
+  // Must match: UUID format (with hyphens) + dot + alphanumeric extension
+  // UUID: 8-4-4-4-12 hex chars with hyphens = 36 chars
+  if (!/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\.[a-z0-9]+$/i.test(fileId)) return false;
+  return true;
+};
+
 // ============================================================================
 // Hooks
 // ============================================================================
@@ -240,10 +258,10 @@ exports.eejsBlock_body = (hookName, args, cb) => {
 };
 
 /**
- * expressConfigure hook
- * Register the S3 presign endpoint
+ * expressCreateServer hook
+ * Register the S3 presign and download endpoints
  */
-exports.expressConfigure = (hookName, context) => {
+exports.expressCreateServer = (hookName, context) => {
   logger.info('[ep_media_upload] Registering presign endpoint');
 
   // Route: GET /p/:padId/pluginfw/ep_media_upload/s3_presign
@@ -257,27 +275,24 @@ exports.expressConfigure = (hookName, context) => {
 
     /* ------------------ Pad Access Verification ------------------ */
     // Use Etherpad's SecurityManager to verify user has access to this pad
-    if (securityManager) {
-      try {
-        const sessionCookie = req.cookies?.sessionID || null;
-        const token = req.cookies?.token || null;
-        const user = req.session?.user || null;
-
-        const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
-        if (accessResult.accessStatus !== 'grant') {
-          return res.status(403).json({ error: 'Access denied to this pad' });
-        }
-      } catch (authErr) {
-        logger.error('[ep_media_upload] Access check error:', authErr);
-        return res.status(500).json({ error: 'Access verification failed' });
-      }
-    } else {
-      // Fallback: basic cookie check if SecurityManager unavailable
-      const hasExpressSession = req.session && (req.session.user || req.session.authorId);
-      const hasPadCookie = req.cookies && (req.cookies.sessionID || req.cookies.token);
-      if (!hasExpressSession && !hasPadCookie) {
-        return res.status(401).json({ error: 'Authentication required' });
+    // SECURITY: Fail closed - if SecurityManager is unavailable, deny all requests
+    if (!securityManager) {
+      logger.error('[ep_media_upload] SECURITY: SecurityManager unavailable - denying upload request. This should not happen in a properly configured Etherpad instance.');
+      return res.status(500).json({ error: 'Security module unavailable' });
+    }
+
+    try {
+      const sessionCookie = req.cookies?.sessionID || null;
+      const token = req.cookies?.token || null;
+      const user = req.session?.user || null;
+
+      const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
+      if (accessResult.accessStatus !== 'grant') {
+        return res.status(403).json({ error: 'Access denied to this pad' });
       }
+    } catch (authErr) {
+      logger.error('[ep_media_upload] Access check error:', authErr);
+      return res.status(500).json({ error: 'Access verification failed' });
     }
 
     /* ------------------ Rate limiting --------------------- */
@@ -296,7 +311,7 @@ exports.expressConfigure = (hookName, context) => {
         return res.status(500).json({ error: 'AWS SDK not available on server' });
       }
 
-      const { bucket, region, publicURL, expires, keyPrefix } = storageCfg;
+      const { bucket, region, expires, keyPrefix } = storageCfg;
       if (!bucket || !region) {
         return res.status(500).json({ error: 'Invalid S3 configuration: missing bucket or region' });
       }
@@ -351,28 +366,122 @@ exports.expressConfigure = (hookName, context) => {
 
       const signedUrl = await getSignedUrl(s3Client, putCommand, { expiresIn: expires || 600 });
 
-      // Build public URL:
-      // - If custom publicURL is set (e.g., CDN), it already includes the prefix path
-      // - If no publicURL, use direct S3 URL with full key
-      let publicUrl;
-      if (publicURL) {
-        publicUrl = new url.URL(objectPath, publicURL).toString();
-      } else {
-        const s3Base = `https://${bucket}.s3.${region}.amazonaws.com/`;
-        publicUrl = new url.URL(key, s3Base).toString();
-      }
+      // Build secure download URL (relative path that goes through our auth-protected endpoint)
+      // Using query parameter for fileId to ensure Express 4/5 compatibility (path params don't handle dots well in Express 5)
+      const fileId = path.basename(key); // e.g., "abc123-def456.pdf"
+      const downloadUrl = `/p/${encodeURIComponent(padId)}/pluginfw/ep_media_upload/download?file=${encodeURIComponent(fileId)}`;
 
       // Log upload request for audit trail
       // Note: Never log tokens or session cookies - only non-sensitive identifiers
       const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
       logger.info(`[ep_media_upload] UPLOAD: user="${userId}" pad="${padId}" file="${originalFilename}" s3key="${key}"`);
 
-      // Return contentDisposition so client can include it in the PUT request
-      // (required because it's part of the presigned URL signature)
-      return res.json({ signedUrl, publicUrl, contentDisposition });
+      // Return downloadUrl for hyperlink insertion (authenticated download endpoint)
+      // Also return signedUrl for the actual S3 upload and contentDisposition for PUT headers
+      return res.json({ signedUrl, downloadUrl, contentDisposition });
     } catch (err) {
       logger.error('[ep_media_upload] S3 presign error', err);
       return res.status(500).json({ error: 'Failed to generate presigned URL' });
     }
   });
+
+  // ============================================================================
+  // Download Endpoint - Secure file access via presigned GET URL redirect
+  // ============================================================================
+  // Route: GET /p/:padId/pluginfw/ep_media_upload/download?file=<fileId>
+  // Using query parameter for fileId to ensure Express 4/5 compatibility
+  logger.info('[ep_media_upload] Registering download endpoint');
+
+  context.app.get('/p/:padId/pluginfw/ep_media_upload/download', async (req, res) => {
+    const { padId } = req.params;
+    const fileId = req.query.file;
+
+    /* ------------------ Validate padId ------------------ */
+    if (!isValidPadId(padId)) {
+      return res.status(400).json({ error: 'Invalid pad ID' });
+    }
+
+    /* ------------------ Validate fileId ------------------ */
+    if (!isValidFileId(fileId)) {
+      return res.status(400).json({ error: 'Invalid file ID' });
+    }
+
+    /* ------------------ Pad Access Verification ------------------ */
+    // Use Etherpad's SecurityManager to verify user has access to this pad
+    // SECURITY: Fail closed - if SecurityManager is unavailable, deny all requests
+    if (!securityManager) {
+      logger.error('[ep_media_upload] SECURITY: SecurityManager unavailable - denying download request. This should not happen in a properly configured Etherpad instance.');
+      return res.status(500).json({ error: 'Security module unavailable' });
+    }
+
+    try {
+      const sessionCookie = req.cookies?.sessionID || null;
+      const token = req.cookies?.token || null;
+      const user = req.session?.user || null;
+
+      const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
+      if (accessResult.accessStatus !== 'grant') {
+        return res.status(403).json({ error: 'Access denied to this pad' });
+      }
+    } catch (authErr) {
+      logger.error('[ep_media_upload] Download access check error:', authErr);
+      return res.status(500).json({ error: 'Access verification failed' });
+    }
+
+    /* ------------------ Rate limiting --------------------- */
+    const ip = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
+    if (!_rateLimitCheck(ip)) {
+      return res.status(429).json({ error: 'Too many download requests' });
+    }
+
+    try {
+      const storageCfg = settings.ep_media_upload && settings.ep_media_upload.storage;
+      if (!storageCfg || storageCfg.type !== 's3_presigned') {
+        return res.status(400).json({ error: 's3_presigned storage not configured' });
+      }
+
+      if (!S3Client || !GetObjectCommand || !getSignedUrl) {
+        return res.status(500).json({ error: 'AWS SDK not available on server' });
+      }
+
+      const { bucket, region, keyPrefix, downloadExpires } = storageCfg;
+      if (!bucket || !region) {
+        return res.status(500).json({ error: 'Invalid S3 configuration: missing bucket or region' });
+      }
+
+      // Construct S3 key from padId and fileId
+      // Key format: keyPrefix + padId + "/" + fileId
+      // e.g., "uploads/myPad/abc123-def456.pdf"
+      const prefix = keyPrefix || '';
+      const key = `${prefix}${padId}/${fileId}`;
+
+      // Generate presigned GET URL with short expiry
+      const s3Client = new S3Client({ region });
+      const getCommand = new GetObjectCommand({
+        Bucket: bucket,
+        Key: key,
+      });
+
+      // Use downloadExpires from config, default to 300 seconds (5 minutes)
+      const expiresIn = downloadExpires || 300;
+      const presignedGetUrl = await getSignedUrl(s3Client, getCommand, { expiresIn });
+
+      // Log download request for audit trail
+      const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
+      logger.info(`[ep_media_upload] DOWNLOAD: user="${userId}" pad="${padId}" file="${fileId}"`);
+
+      // Redirect to the presigned URL
+      return res.redirect(302, presignedGetUrl);
+
+    } catch (err) {
+      logger.error('[ep_media_upload] Download presign error:', err);
+      
+      // Check if this is a "NoSuchKey" error (file doesn't exist in S3)
+      if (err.name === 'NoSuchKey' || err.Code === 'NoSuchKey') {
+        return res.status(404).json({ error: 'File not found' });
+      }
+      
+      return res.status(500).json({ error: 'Failed to generate download URL' });
+    }
+  });
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ep_media_upload",
   "description": "beta - Upload files to S3 and insert hyperlinks into the pad. Requires ep_hyperlinked_text.",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "author": {
     "name": "DCastelone",
     "url": "https://github.com/dcastelone"

package/static/js/clientHooks.js

@@ -78,6 +78,7 @@ const validateFile = (file) => {
 
 /**
  * Upload file to S3 using presigned URL
+ * Returns the secure download URL (relative path to our authenticated endpoint)
  */
 const uploadToS3 = async (file) => {
   // Step 1: Get presigned URL from server
@@ -86,7 +87,7 @@ const uploadToS3 = async (file) => {
     `${encodeURIComponent(clientVars.padId)}/pluginfw/ep_media_upload/s3_presign?${queryParams}`
   );
 
-  if (!presignResponse || !presignResponse.signedUrl || !presignResponse.publicUrl) {
+  if (!presignResponse || !presignResponse.signedUrl || !presignResponse.downloadUrl) {
     throw new Error('Invalid presign response from server');
   }
 
@@ -107,7 +108,8 @@ const uploadToS3 = async (file) => {
     throw new Error(`S3 upload failed with status ${uploadResponse.status}`);
   }
 
-  return presignResponse.publicUrl;
+  // Return the secure download URL (authenticated endpoint, not direct S3)
+  return presignResponse.downloadUrl;
 };
 
 /**
@@ -159,12 +161,12 @@ const handleFileUpload = async (file, aceContext) => {
   showModal('progress');
 
   try {
-    // Upload to S3
-    const publicUrl = await uploadToS3(file);
+    // Upload to S3 and get secure download URL
+    const downloadUrl = await uploadToS3(file);
 
-    // Insert hyperlink into document
+    // Insert hyperlink into document (uses authenticated download endpoint)
     aceContext.callWithAce((ace) => {
-      ace.ace_doInsertMediaLink(publicUrl, file.name);
+      ace.ace_doInsertMediaLink(downloadUrl, file.name);
     }, 'insertMediaLink', true);
 
     // Hide modal on success (no success message needed)