File security with file adapters and direct access

I’m using Google Cloud Storage with direct access and parse-server-gcs-adapter, and am trying to figure out the easiest way to not use public read permissions on all files. Proxying everything through the server is not a good solution for us since direct access is a necessity due to various benefits of GCS, and drawbacks of proxying.

However, with direct access and the gcs file adapter everything has to be public and the files in the bucket directly accessible, which is a problem for us.

We don’t need ACL or fine-grained control so I’m leaning towards implementing signed URLs directly in the file adapter since that should be a simple solution with adequate security for our use case.

Before I start implementing a solution I just wanted to check if there’s anything we missed that supports our use case already? If not, I’ll go ahead and extend the file adapter and try to do a pull request so others can benefit as well.

Maybe you can get some inspiration from the presigned URL feature in the S3 adapter. The PR is done, it seems (except for a missing test case, I think); maybe take a look at the discussion and review comments, which covered some important security aspects.

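The signed-URL approach discussed in this thread, as an added example that is not part of the original posts and not code from parse-server-gcs-adapter: a GCS V4 signed read URL built with Node's `crypto` only, which a file adapter could return in place of the public object URL so the bucket can stay private. The bucket, file name, service account email and the throwaway key pair are constructed; the function name `signedReadUrl` is hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed throwaway key pair so the example runs offline; a real adapter
// would load the private key of the service account that can read the bucket.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const HOST = 'storage.googleapis.com';
const sha256Hex = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Strict RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Hypothetical helper: returns a time-limited GET URL for one object.
function signedReadUrl({ bucket, filename, clientEmail, key, expiresSeconds, now = new Date() }) {
  // V4 signatures are valid for at most 7 days; keep download links much shorter.
  if (!(expiresSeconds >= 1 && expiresSeconds <= 604800)) {
    throw new RangeError('expiresSeconds must be between 1 and 604800');
  }
  const stamp = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T000000Z
  const scope = `${stamp.slice(0, 8)}/auto/storage/goog4_request`;
  // Encode each path segment but keep "/" so nested object names still resolve.
  const path = `/${bucket}/${filename.split('/').map(enc).join('/')}`;
  const query = Object.entries({
    'X-Goog-Algorithm': 'GOOG4-RSA-SHA256',
    'X-Goog-Credential': `${clientEmail}/${scope}`,
    'X-Goog-Date': stamp,
    'X-Goog-Expires': String(expiresSeconds),
    'X-Goog-SignedHeaders': 'host',
  }).map(([k, v]) => `${enc(k)}=${enc(v)}`).sort().join('&');
  // Canonical request: verb, path, query, headers, blank line, signed headers, payload.
  const canonical = ['GET', path, query, `host:${HOST}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['GOOG4-RSA-SHA256', stamp, scope, sha256Hex(canonical)].join('\n');
  // RSASSA-PKCS1-v1_5 with SHA-256, hex-encoded, appended as the last parameter.
  const signature = nodeCrypto.sign('sha256', Buffer.from(stringToSign), key).toString('hex');
  return { url: `https://${HOST}${path}?${query}&X-Goog-Signature=${signature}`, stringToSign, signature };
}

// Constructed sample values.
const sample = signedReadUrl({
  bucket: 'example-private-bucket',
  filename: 'uploads/profile photo (1).png',
  clientEmail: 'files@example-project.iam.gserviceaccount.com',
  key: privateKey,
  expiresSeconds: 300,
  now: new Date('2024-01-01T00:00:00Z'),
});
console.log(sample.url);
```

Anyone holding the URL can read the object until it expires, so the expiry should be short and the URL generated only after the server has authorized the request.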