Agile Coder Logo
AgileCoder
Blog
Beginner

Upload Files to AWS S3: Implement in Node.js + Express Server

Learn how to use AWS S3 pre-signed URLs to securely share files from a Node.js app. Pre-signed URLs enable temporary, controlled access to files in your S3 bucket without exposing them publicly. Perfect for secure file sharing, this guide walks through setup, code, and best practices.

Smruti Ranjan
January 20, 2024
6 min read
#NodeJS#Pre-Signed URL#AWS S3
Upload Files to AWS S3: Implement in Node.js + Express Server
Advertisement

AWS S3 (Simple Storage Service) is a popular choice for securely storing files in the cloud. However, in many scenarios, you might want to grant temporary access to files in your S3 bucket without exposing them publicly. For this, AWS offers a powerful feature called pre-signed URLs. In this guide, we’ll learn how to use pre-signed URLs to securely share files stored in S3 using Node.js.

If you're new to uploading files to S3, you might want to start with my previous tech blog post on setting up file uploads to S3 using Node.js and Express. This post will build on that foundation, adding secure, temporary access to those files via pre-signed URLs.

What Are AWS S3 Pre-Signed URLs?

A pre-signed URL is a temporary, unique URL that grants time-limited access to a specific file in an S3 bucket. Pre-signed URLs are ideal for cases where you need to share a file temporarily or restrict access without exposing the entire bucket to the public.

Pre-signed URLs are generated by the server and can be set to expire within a specified time, such as 60 seconds, 10 minutes, or several hours. The URL allows authorized access to the object for anyone with the link until it expires.

Prerequisites

To follow along, make sure you have:

  • Node.js and npm installed.
  • An AWS S3 bucket and AWS credentials set up with the necessary permissions.
  • Basic knowledge of Express and file uploads with AWS S3.

Step 1: Set Up the S3 Client

To work with S3, we’ll use AWS SDK’s S3Client and set up our connection parameters. Create a s3Client.js file to initialize the S3 client:

typescript
dotenv.config();

export const s3 = new S3Client({
  region: process.env.AWS_REGION,
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
});
↕ click to expand

Step 2: Set Up File Upload Handling with Multer

In order to upload and manage files in memory, we use multer, a Node.js middleware. Here’s a quick setup for using multer with memory storage:

typescript
const storage = multer.memoryStorage();
export const upload = multer({ storage });
↕ click to expand

Now, files will be stored in memory, allowing us to upload them directly to S3 or generate pre-signed URLs without saving them on the server.

Step 3: Generate a Pre-Signed URL for Secure File Access

Our main focus is generating a pre-signed URL to allow secure, temporary access to a file stored in S3. Let’s create a controller function that generates a pre-signed URL for an uploaded file.

Here’s how the getPresignedAttachmentUrl function works:

  • We fetch the attachment details from our database based on attachmentId provided in the request.
  • We verify if the requesting user has access to the file.
  • We extract the file key from the S3 URL and use the getSignedUrl function to generate a secure, time-limited URL.
typescript
export const getPresignedAttachmentUrl = async (req, res) => {
  const { attachmentId } = req.params;
  const userId = req.user.userId;

  try {
    const attachment = await AttachmentModel.findById(attachmentId);
    if (!attachment) {
      return res.status(404).json({ message: "Attachment not found" });
    }

    // Check if user has access to the attachment
    const note = await NoteModel.findOne({ user: userId, attachments: attachmentId });
    const sharingRecord = await SharingModel.findOne({ sharedWithIds: userId });

    if (!note && !sharingRecord) {
      return res.status(403).json({ message: "Access denied" });
    }

    // Extract file key from S3 URL
    const fileKey = attachment.s3Url.split(".com/")[1];

    // Generate pre-signed URL
    const command = new GetObjectCommand({
      Bucket: process.env.AWS_BUCKET_NAME,
      Key: fileKey,
    });

    const signedUrl = await getSignedUrl(s3, command, { expiresIn: 60 });

    res.status(200).json({ fileUrl: signedUrl });
  } catch (error) {
    console.error("Error generating pre-signed URL:", error);
    res.status(500).json({ message: "Error generating pre-signed URL", error });
  }
};
↕ click to expand

Explanation of the Code

  • Attachment Verification: We first check if the file exists in our database. If not, a 404 Not Found error is returned.
  • Access Control: We verify if the requesting user is allowed access to the file by checking permissions in NoteModel and SharingModel.
  • Generating the Pre-Signed URL: We create a GetObjectCommand using the S3 bucket name and file key. Using getSignedUrl, we create a pre-signed URL with a 60-second expiration.
  • Sending the Pre-Signed URL: If the URL is successfully generated, it is returned in the response, allowing the user to download the file securely for the next 60 seconds.

Step 4: Setting Up the Express Route

Next, let’s set up an Express route to handle requests for pre-signed URLs. In your main server file (index.js), create the route, and link it to the getPresignedAttachmentUrl controller.

typescript
const app = express();
const PORT = process.env.PORT || 3000;

// Route to get a pre-signed URL for file access
app.get("/attachments/:attachmentId/url", getPresignedAttachmentUrl);

app.listen(PORT, () => {
  console.log(Server running on port ${PORT});
});
↕ click to expand

Testing the Pre-Signed URL Endpoint

To test this endpoint:

  • Start the server: node index.js.
  • Send a GET request to http://localhost:3000/attachments/{attachmentId}/url with a valid attachmentId.
  • You should receive a JSON response containing a fileUrl, which is the pre-signed URL for accessing the file.
  • If the URL is successfully generated, you’ll receive a response like this:
json
{
  "fileUrl": "https://your-bucket.s3.your-region.amazonaws.com/your-file-key?X-Amz-Expires=60&X-Amz-Signature=abc123..."
}
↕ click to expand

Clicking or navigating to this fileUrl in a browser will allow access to the file for 60 seconds.

Benefits of Using S3 Pre-Signed URLs

  • Security: Pre-signed URLs allow you to grant time-limited access to files without exposing the entire bucket.
  • Flexibility: You can control the expiration time and permissions, enabling you to create custom file-sharing options.
  • Reduced Bandwidth Costs: Since files are accessed directly from S3, you don’t need to proxy the file through your server.

Key Considerations for Pre-Signed URLs

  • Expiration Time: Choose an expiration time that balances security with user experience.
  • Access Control: Make sure only authorized users can generate pre-signed URLs.
  • Permissions: Pre-signed URLs can be generated for uploading, downloading, or other S3 operations, so set appropriate permissions based on your use case.---

Pre-signed URLs are a powerful feature for securely sharing files from AWS S3. By generating URLs that expire after a certain time, you can grant temporary access to your files while keeping your S3 bucket private. With both uploading and secure access in place, your application can handle file management efficiently and securely. That's it for this article! See ya 👋

Advertisement

Behind-the-build, in your inbox.

New tutorials, book updates, and behind-the-scenes notes from the studio. No schedule, no spam.

Related posts

Building a Developer Friendly Business: Why Should You Care?

Building a Developer Friendly Business: Why Should You Care?

Building SMS Verification in Node.js using Twilio

Building SMS Verification in Node.js using Twilio

Collect and Handle Request Details in a Node.js + Express Server

Collect and Handle Request Details in a Node.js + Express Server

Comments

Leave a comment

Comments are moderated before appearing.

All posts