ethyca-fides 2.69.1b0__py2.py3-none-any.whl → 2.69.1b2__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-08-29T09:36:26+0200",
+ "date": "2025-09-02T19:44:54+0200",
  "dirty": false,
  "error": null,
- "full-revisionid": "8d2c44366def55f6ef0bce42e3692c17c6d3fd18",
- "version": "2.69.1b0"
+ "full-revisionid": "be844cb784cc2f806cb1fe1d7d92cb8cc4c91ad4",
+ "version": "2.69.1b2"
 }
 '''  # END VERSION_JSON
 

fides/api/api/v1/endpoints/dsr_package_link.py

@@ -21,7 +21,7 @@ from fides.api.schemas.privacy_request import PrivacyRequestStatus
 from fides.api.schemas.storage.storage import StorageType
 from fides.api.service.storage.streaming.s3 import S3StorageClient
 from fides.api.util.api_router import APIRouter
-from fides.api.util.endpoint_utils import fides_limiter
+from fides.api.util.rate_limit import fides_limiter
 from fides.common.api.v1.urn_registry import PRIVACY_CENTER_DSR_PACKAGE, V1_URL_PREFIX
 from fides.config import CONFIG
 
@@ -62,7 +62,7 @@ def raise_error(status_code: int, detail: str) -> None:
     PRIVACY_CENTER_DSR_PACKAGE,
     status_code=HTTP_302_FOUND,
 )
-@fides_limiter.limit(CONFIG.security.public_request_rate_limit)
+@fides_limiter.limit(CONFIG.security.request_rate_limit)
 def get_access_results_urls(
     privacy_request_id: str,
     token: str,
@@ -155,7 +155,9 @@ def get_access_results_urls(
 
     try:
         # Use S3StorageClient for cleaner presigned URL generation
-        s3_storage_client = S3StorageClient(storage_config.secrets)
+        s3_storage_client = S3StorageClient(
+            storage_config.details.get("auth_method"), storage_config.secrets
+        )
         result_url = s3_storage_client.generate_presigned_url(
             bucket=bucket_name,
             key=file_name,

fides/api/api/v1/endpoints/oauth_endpoints.py

@@ -37,7 +37,7 @@ from fides.api.service.authentication.authentication_strategy_oauth2_authorizati
 )
 from fides.api.util.api_router import APIRouter
 from fides.api.util.connection_util import connection_status
-from fides.api.util.endpoint_utils import fides_limiter
+from fides.api.util.rate_limit import fides_limiter
 from fides.common.api.scope_registry import (
     CLIENT_CREATE,
     CLIENT_DELETE,

fides/api/api/v1/endpoints/privacy_request_endpoints.py

@@ -1667,17 +1667,15 @@ def privacy_request_data_transfer(
             detail=f"Rule key {rule_key} not found",
         )
 
-    value_dict: Dict[str, Optional[List[Row]]] = cache.get_encoded_objects_by_prefix(
-        f"{privacy_request_id}__access_request"
+    access_result: Dict[str, Optional[List[Row]]] = (
+        privacy_request.get_raw_access_results()
     )
 
-    if not value_dict:
+    if not access_result:
         raise HTTPException(
             status_code=HTTP_404_NOT_FOUND,
             detail=f"No access request information found for privacy request id {privacy_request_id}",
         )
-
-    access_result = {k.split("__")[-1]: v for k, v in value_dict.items()}
     datasets = DatasetConfig.all(db=db)
     if not datasets:
         raise HTTPException(

fides/api/api/v1/endpoints/user_endpoints.py

@@ -59,7 +59,7 @@ from fides.api.schemas.user import (
 )
 from fides.api.service.deps import get_user_service
 from fides.api.util.api_router import APIRouter
-from fides.api.util.endpoint_utils import fides_limiter
+from fides.api.util.rate_limit import fides_limiter
 from fides.common.api.scope_registry import (
     SCOPE_REGISTRY,
     SYSTEM_MANAGER_DELETE,
@@ -208,17 +208,6 @@ def update_user_password(
 
     current_user.update_password(db=db, new_password=data.new_password)
 
-    # Delete the user's associated OAuth client to invalidate all existing sessions
-    if current_user.client:
-        try:
-            current_user.client.delete(db)
-        except Exception as exc:
-            logger.exception(
-                "Unable to delete user client during password reset for user {}: {}",
-                current_user.id,
-                exc,
-            )
-
     logger.info("Updated user with id: '{}'.", current_user.id)
     return current_user
 
@@ -247,18 +236,6 @@ def force_update_password(
         )
 
     user.update_password(db=db, new_password=data.new_password)
-
-    # Delete the user's associated OAuth client to invalidate all existing sessions
-    if user.client:
-        try:
-            user.client.delete(db)
-        except Exception as exc:
-            logger.exception(
-                "Unable to delete user client during admin-forced password reset for user {}: {}",
-                user.id,
-                exc,
-            )
-
     logger.info("Updated user with id: '{}'.", user.id)
     return user
 

fides/api/app_setup.py

@@ -48,9 +48,13 @@ from fides.api.service.saas_request.override_implementations import *
 from fides.api.util.api_router import APIRouter
 from fides.api.util.cache import get_cache
 from fides.api.util.consent_util import create_default_tcf_purpose_overrides_on_startup
-from fides.api.util.endpoint_utils import fides_limiter
 from fides.api.util.errors import FidesError
 from fides.api.util.logger import setup as setup_logging
+from fides.api.util.rate_limit import (
+    RateLimitIPValidationMiddleware,
+    fides_limiter,
+    is_rate_limit_enabled,
+)
 from fides.config import CONFIG
 from fides.config.config_proxy import ConfigProxy
 
@@ -88,7 +92,17 @@ def create_fides_app(
     for handler in ExceptionHandlers.get_handlers():
         # Starlette bug causing this to fail mypy
         fastapi_app.add_exception_handler(RedisNotConfigured, handler)  # type: ignore
-    fastapi_app.add_middleware(SlowAPIMiddleware)
+
+    if is_rate_limit_enabled:
+        # Validate header before SlowAPI processes the request
+        fastapi_app.add_middleware(RateLimitIPValidationMiddleware)
+        # Required for default rate limiting to work
+        fastapi_app.add_middleware(SlowAPIMiddleware)
+    else:
+        logger.warning(
+            "Rate limiting client IPs is disabled because the FIDES__SECURITY__RATE_LIMIT_CLIENT_IP_HEADER env var is not configured."
+        )
+
     fastapi_app.add_middleware(
         GZipMiddleware, minimum_size=1000, compresslevel=5
     )  # minimum_size is in bytes

fides/api/main.py

@@ -18,6 +18,8 @@ from fastapi.responses import FileResponse, HTMLResponse, JSONResponse
 from fideslog.sdk.python.event import AnalyticsEvent
 from loguru import logger
 from pyinstrument import Profiler
+from slowapi import _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
 from starlette.background import BackgroundTask
 from starlette.status import HTTP_422_UNPROCESSABLE_ENTITY
 from uvicorn import Config, Server
@@ -60,6 +62,7 @@ from fides.api.ui import (
 )
 from fides.api.util.endpoint_utils import API_PREFIX
 from fides.api.util.logger import _log_exception
+from fides.api.util.rate_limit import safe_rate_limit_key
 from fides.cli.utils import FIDES_ASCII_ART
 from fides.config import CONFIG, check_required_webserver_config_values
 
@@ -388,3 +391,22 @@ async def request_validation_exception_handler(
             "detail": jsonable_encoder(exc.errors(), exclude={"input", "url", "ctx"})
         },
     )
+
+
+@app.exception_handler(RateLimitExceeded)
+async def rate_limit_handler(request: Request, exc: RateLimitExceeded) -> Response:
+    """Log rate limit violations and delegate to default handler."""
+    client_ip = safe_rate_limit_key(
+        request
+    )  # non exception-raising, falls back to source IP
+
+    # Log the rate limit event
+    logger.warning(
+        "Rate limit exceeded - IP: %s, Path: %s, Method: %s",
+        client_ip,
+        request.url.path,
+        request.method,
+    )
+
+    # Use the default handler to generate the proper response
+    return _rate_limit_exceeded_handler(request, exc)

fides/api/models/client.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 import json
 from datetime import datetime
-from typing import TYPE_CHECKING, Any, Optional
+from typing import Any, Optional
 
 from sqlalchemy import ARRAY, Column, ForeignKey, String
 from sqlalchemy.ext.declarative import declared_attr
@@ -22,12 +22,10 @@ from fides.api.cryptography.schemas.jwt import (
     JWE_PAYLOAD_SYSTEMS,
 )
 from fides.api.db.base_class import Base
+from fides.api.models.fides_user import FidesUser
 from fides.api.oauth.jwt import generate_jwe
 from fides.config import FidesConfig
 
-if TYPE_CHECKING:
-    from fides.api.models.fides_user import FidesUser
-
 DEFAULT_SCOPES: list[str] = []
 DEFAULT_ROLES: list[str] = []
 DEFAULT_SYSTEMS: list[str] = []
@@ -50,11 +48,9 @@ class ClientDetail(Base):
         ARRAY(String), nullable=False, server_default="{}", default=dict
     )
     fides_key = Column(String, index=True, unique=True, nullable=True)
-    user_id = Column(String, ForeignKey("fidesuser.id"), nullable=True, unique=True)
-
-    if TYPE_CHECKING:
-        # Explicitly annotate the backref relationship for mypy
-        user: Optional["FidesUser"]
+    user_id = Column(
+        String, ForeignKey(FidesUser.id_field_path), nullable=True, unique=True
+    )
 
     @classmethod
     def create_client_and_secret(

fides/api/models/fides_user.py

@@ -22,7 +22,7 @@ from fides.api.cryptography.cryptographic_util import (
 from fides.api.db.base_class import Base
 from fides.api.models.audit_log import AuditLog
 
-# SystemManager import is handled in base.py to avoid circular imports
+# Intentionally importing SystemManager here to build the FidesUser.systems relationship
 from fides.api.schemas.user import DisabledReason
 from fides.config import CONFIG
 
@@ -32,6 +32,7 @@ if TYPE_CHECKING:
         FidesUserRespondentEmailVerification,
     )
     from fides.api.models.sql_models import System  # type: ignore[attr-defined]
+    from fides.api.models.system_manager import SystemManager
 
 
 class FidesUser(Base):

fides/api/oauth/utils.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 import json
-from datetime import datetime, timedelta
+from datetime import datetime
 from functools import update_wrapper
 from types import FunctionType
 from typing import Any, Callable, Dict, List, Optional, Tuple
@@ -67,14 +67,17 @@ def is_token_expired(
     """Check if a token has expired based on its issued_at timestamp and duration."""
     if issued_at is None:
         return True
-    expiration_time = issued_at + timedelta(minutes=token_duration_minutes)
-    return datetime.now() > expiration_time
+    return (datetime.now() - issued_at).total_seconds() / 60.0 > token_duration_minutes
 
 
-def is_callback_token_expired(issued_at: datetime) -> bool:
+def is_callback_token_expired(issued_at: Optional[datetime]) -> bool:
     """Check if a callback token has expired (24 hours)."""
-    expiration_time = issued_at + timedelta(hours=24)
-    return datetime.now() > expiration_time
+    if not issued_at:
+        return True
+
+    return (
+        datetime.now() - issued_at
+    ).total_seconds() / 60.0 > CONFIG.execution.privacy_request_delay_timeout
 
 
 def _get_webhook_jwe_or_error(
@@ -222,9 +225,7 @@ async def get_current_user(
             created_at=datetime.utcnow(),
         )
 
-    if client.user is None:
-        raise AuthorizationError(detail="Client has no associated user")
-    return client.user
+    return client.user  # type: ignore[attr-defined]
 
 
 def verify_callback_oauth_policy_pre_webhook(
@@ -369,10 +370,8 @@ def extract_token_and_load_client(
         logger.debug("Auth token expired.")
         raise AuthorizationError(detail="Not Authorized for this action")
 
-    issued_at_dt = datetime.fromisoformat(issued_at)
-
     if is_token_expired(
-        issued_at_dt,
+        datetime.fromisoformat(issued_at),
         token_duration_override or CONFIG.security.oauth_access_token_expire_minutes,
     ):
         raise AuthorizationError(detail="Not Authorized for this action")
@@ -395,21 +394,6 @@ def extract_token_and_load_client(
         logger.debug("Auth token belongs to an invalid client_id.")
         raise AuthorizationError(detail="Not Authorized for this action")
 
-    # Invalidate tokens issued prior to the user's most recent password reset.
-    # This ensures any existing sessions are expired immediately after a password change.
-    try:
-        if client.user is not None and client.user.password_reset_at is not None:
-            password_reset_at = client.user.password_reset_at
-            if password_reset_at and issued_at_dt < password_reset_at:
-                logger.debug("Auth token issued before latest password reset.")
-                raise AuthorizationError(detail="Not Authorized for this action")
-    except (
-        Exception
-    ) as exc:  # pragma: no cover - defensive: never block auth on relationship issues
-        logger.exception(
-            "Unable to evaluate password reset timestamp for client user: {}", exc
-        )
-
     # Populate request-scoped context with the authenticated user identifier.
     # Prefer the linked user_id; fall back to the client id when this is the
     # special root client (which has no associated FidesUser row).

fides/api/service/privacy_request/request_service.py

@@ -340,7 +340,7 @@ def remove_saved_dsr_data(self: DatabaseTask) -> None:
 def initiate_interrupted_task_requeue_poll() -> None:
     """Initiates scheduler to check for and requeue interrupted tasks"""
 
-    if CONFIG.test_mode or not CONFIG.execution.use_dsr_3_0:
+    if CONFIG.test_mode:
         return
 
     assert (
@@ -540,6 +540,7 @@ def _get_request_task_ids_in_progress(
 
 
 # pylint: disable=too-many-branches
+# pylint: disable=too-many-statements
 @celery_app.task(base=DatabaseTask, bind=True)
 def requeue_interrupted_tasks(self: DatabaseTask) -> None:
     """
@@ -660,8 +661,24 @@ def requeue_interrupted_tasks(self: DatabaseTask) -> None:
                             break
 
                         # If the task ID is not cached, we can't check if it's running
-                        # This means the subtask is stuck - cancel the entire privacy request
+                        # This means the subtask is stuck - but we need to handle this differently
+                        # based on the privacy request status
                         if not subtask_id:
+                            if (
+                                privacy_request.status
+                                == PrivacyRequestStatus.requires_input
+                            ):
+                                # For requires_input status, don't automatically error the request
+                                # as it's intentionally waiting for user input
+                                logger.warning(
+                                    f"No task ID found for request task {request_task_id} "
+                                    f"(privacy request {privacy_request.id}) in requires_input status - "
+                                    f"keeping request in current status as it may be waiting for manual input"
+                                )
+                                should_requeue = False
+                                break
+
+                            # For other statuses, cancel the entire privacy request
                             _cancel_interrupted_tasks_and_error_privacy_request(
                                 db,
                                 privacy_request,

fides/api/service/storage/storage_uploader_service.py

@@ -51,13 +51,7 @@ def upload(
         config.secrets is not None,
     )
 
-    if config.secrets:
-        logger.debug("Storage config secrets type: {}", type(config.secrets))
-        if isinstance(config.secrets, dict):
-            logger.debug("Storage config secrets keys: {}", list(config.secrets.keys()))
-        else:
-            logger.debug("Storage config secrets is not a dict: {}", config.secrets)
-    else:
+    if not config.secrets:
         logger.warning("Storage config has no secrets!")
 
     uploader: Any = _get_uploader_from_config_type(config.type)  # type: ignore
@@ -130,19 +124,6 @@ def _s3_uploader(
         config.secrets is not None,
     )
 
-    if config.secrets:
-        logger.debug(
-            "Config secrets keys: {}",
-            (
-                list(config.secrets.keys())
-                if isinstance(config.secrets, dict)
-                else "Not a dict"
-            ),
-        )
-        logger.debug("Config secrets type: {}", type(config.secrets))
-    else:
-        logger.warning("Config secrets is None or empty!")
-
     enable_streaming = config.details.get(StorageDetails.ENABLE_STREAMING.value, False)
     file_key: str = _construct_file_key(privacy_request.id, config, enable_streaming)
 
@@ -154,7 +135,6 @@ def _s3_uploader(
         file_key = f"{privacy_request.id}.zip"
         # Use streaming upload for better memory efficiency
         logger.debug("Using streaming S3 upload for {}", file_key)
-        logger.debug("Calling upload_to_s3_streaming with secrets: {}", config.secrets)
         return upload_to_s3_streaming(
             config.secrets,  # type: ignore
             data,

fides/api/service/storage/streaming/dsr_storage.py

@@ -17,7 +17,6 @@ def stream_dsr_buffer_to_storage(
     bucket_name: str,
     file_key: str,
     dsr_buffer: BytesIO,
-    content_type: str = "application/zip",
 ) -> None:
     """Stream DSR buffer to storage using smart-open streaming.
 
@@ -29,15 +28,12 @@ def stream_dsr_buffer_to_storage(
         bucket_name: Storage bucket name
         file_key: File key in storage
         dsr_buffer: Pre-generated DSR report buffer (BytesIO)
-        content_type: MIME type for the uploaded file (defaults to application/zip)
     """
     # Get the content from the buffer
     content = dsr_buffer.getvalue()
     try:
         # Use smart-open's streaming upload for efficient memory usage
-        with storage_client.stream_upload(
-            bucket_name, file_key, content_type=content_type
-        ) as upload_stream:
+        with storage_client.stream_upload(bucket_name, file_key) as upload_stream:
             upload_stream.write(content)
 
     except Exception as e:

fides/api/service/storage/streaming/s3/s3_storage_client.py

@@ -7,7 +7,7 @@ from typing import Any, Optional
 from fideslang.validation import AnyHttpUrlString
 from loguru import logger
 
-from fides.api.schemas.storage.storage import AWSAuthMethod, StorageSecrets
+from fides.api.schemas.storage.storage import AWSAuthMethod
 from fides.api.service.storage.s3 import create_presigned_url_for_s3
 from fides.api.service.storage.streaming.base_storage_client import BaseStorageClient
 from fides.api.util.aws_util import get_s3_client
@@ -20,17 +20,19 @@ class S3StorageClient(BaseStorageClient):
     generation for the smart-open storage client.
     """
 
-    def __init__(self, storage_secrets: dict[StorageSecrets, Any]):
+    def __init__(self, auth_method: str, storage_secrets: dict[str, Any]):
         """Initialize the storage client with secrets.
 
         Args:
-            storage_secrets: Provider-specific storage credentials and configuration using StorageSecrets enum keys
+            storage_secrets: Provider-specific storage credentials and configuration using string keys
+                           (e.g., "aws_access_key_id", "region_name") from format_secrets()
         """
         super().__init__(storage_secrets)
-        self.storage_secrets: dict[StorageSecrets, Any] = storage_secrets
+        self.storage_secrets: dict[str, Any] = storage_secrets
+        self.auth_method = auth_method
 
     def build_uri(self, bucket: str, key: str) -> str:
-        """Build the S3 URI for the storage location.
+        """Build S3 URI for the given bucket and key.
 
         Args:
             bucket: S3 bucket name
@@ -45,26 +47,75 @@ class S3StorageClient(BaseStorageClient):
 
     def get_transport_params(self) -> dict[str, Any]:
         """Get S3-specific transport parameters for smart-open.
+        Type annotation: get_s3_client returns a boto3 S3 client object, not a Session
+        This is what smart-open expects for the "client" transport parameter
 
         Returns:
             Dictionary of S3 transport parameters for smart-open
         """
-        params = {}
-
-        if StorageSecrets.AWS_ACCESS_KEY_ID in self.storage_secrets:
-            params["access_key"] = self.storage_secrets[
-                StorageSecrets.AWS_ACCESS_KEY_ID
-            ]
-        if StorageSecrets.AWS_SECRET_ACCESS_KEY in self.storage_secrets:
-            params["secret_key"] = self.storage_secrets[
-                StorageSecrets.AWS_SECRET_ACCESS_KEY
-            ]
-        if StorageSecrets.REGION_NAME in self.storage_secrets:
-            params["region"] = self.storage_secrets[StorageSecrets.REGION_NAME]
-        if StorageSecrets.AWS_ASSUME_ROLE in self.storage_secrets:
-            params["assume_role_arn"] = self.storage_secrets[
-                StorageSecrets.AWS_ASSUME_ROLE
-            ]
+        params: dict[str, Any] = {}
+
+        # Create S3 client for smart-open
+        try:
+            # Determine auth method based on available credentials
+            if self.auth_method == AWSAuthMethod.AUTOMATIC.value:
+
+                # For automatic authentication, check if region is available
+                if not self.storage_secrets.get("region_name", None):
+                    logger.warning(
+                        "No region specified in storage secrets for automatic authentication"
+                        "This may cause credential issues - consider setting a default region"
+                    )
+
+            # Extract assume_role_arn if present
+            assume_role_arn = None
+            if (
+                "assume_role_arn" in self.storage_secrets
+                and self.storage_secrets["assume_role_arn"]
+            ):
+                assume_role_arn = self.storage_secrets["assume_role_arn"]
+                logger.debug(f"Using assume role ARN: {assume_role_arn}")
+
+            # Create S3 client using existing utility
+            # get_s3_client returns a boto3 S3 client, not a Session
+            s3_client: Any = None
+            try:
+                s3_client = get_s3_client(
+                    self.auth_method, self.storage_secrets, assume_role_arn  # type: ignore
+                )
+                logger.debug("Successfully created S3 client")
+            except Exception as e:
+                # For automatic authentication, try to provide more helpful error messages
+                if self.auth_method == AWSAuthMethod.AUTOMATIC.value:
+                    logger.error(
+                        f"Failed to create S3 client with automatic authentication: {e}. "
+                        "This usually means AWS credentials are not available in the environment"
+                        "Please ensure AWS credentials are configured via environment variables, IAM roles, or AWS profiles"
+                    )
+                    raise ValueError(
+                        f"Automatic AWS authentication failed: {e}. Please check your AWS credential configuration."
+                    )
+                raise
+
+            params["client"] = s3_client
+
+        except Exception as e:
+            logger.error(f"Failed to create S3 client for smart-open: {e}")
+            raise
+
+        # Include credentials at top level for compatibility
+        # Note: When using an S3 client, these credential parameters are not needed
+        # and will be ignored by smart-open, causing warnings
+        # Only include them if no S3 client is provided (fallback scenario)
+        if not params.get("client"):
+            for key, transport_key in [
+                ("aws_access_key_id", "access_key"),
+                ("aws_secret_access_key", "secret_key"),
+                ("region_name", "region"),
+                ("assume_role_arn", "assume_role_arn"),
+            ]:
+                if key in self.storage_secrets and self.storage_secrets[key]:
+                    params[transport_key] = self.storage_secrets[key]
 
         return params
 
@@ -85,28 +136,15 @@ class S3StorageClient(BaseStorageClient):
             Exception: If presigned URL generation fails
         """
         try:
-            # Storage secrets are already in the right format for get_s3_client
-            # get_s3_client expects dict[StorageSecrets, Any] with enum keys
-            s3_secrets = self.storage_secrets
-
-            # Determine auth method based on available credentials
-            # If AWS credentials are present, use SECRET_KEYS, otherwise use AUTOMATIC
-            if (
-                StorageSecrets.AWS_ACCESS_KEY_ID in self.storage_secrets
-                and StorageSecrets.AWS_SECRET_ACCESS_KEY in self.storage_secrets
-                and self.storage_secrets[StorageSecrets.AWS_ACCESS_KEY_ID]
-                and self.storage_secrets[StorageSecrets.AWS_SECRET_ACCESS_KEY]
-            ):
-                auth_method = AWSAuthMethod.SECRET_KEYS.value
-            else:
-                auth_method = AWSAuthMethod.AUTOMATIC.value
-
             # Extract assume_role_arn if present for role assumption
             assume_role_arn = None
-            if StorageSecrets.AWS_ASSUME_ROLE in self.storage_secrets:
-                assume_role_arn = self.storage_secrets[StorageSecrets.AWS_ASSUME_ROLE]
+            if "assume_role_arn" in self.storage_secrets:
+                assume_role_arn = self.storage_secrets["assume_role_arn"]
 
-            s3_client = get_s3_client(auth_method, s3_secrets, assume_role_arn)
+            # get_s3_client returns a boto3 S3 client, not a Session
+            s3_client: Any = get_s3_client(
+                self.auth_method, self.storage_secrets, assume_role_arn  # type: ignore
+            )
             return create_presigned_url_for_s3(s3_client, bucket, key, ttl_seconds)
         except Exception as e:
             logger.error(f"Failed to generate S3 presigned URL: {e}")