pub async fn object_presign(
profile_id: ProfileId,
bucket: BucketId,
key: String,
expires_sec: Option<u64>,
store: State<'_, ProfileStoreHandle>,
pool: State<'_, S3ClientPoolHandle>,
) -> Result<PresignedUrl, AppError>Expand description
Generate a presigned GetObject URL for bucket/key.
The URL embeds the credentials in the query string (SigV4) and is valid
for expires_sec seconds. When expires_sec is omitted the default is
3 600 s (1 hour).
§Validation
Returns AppError::Validation { field: "expires_secs", … } when the
supplied expiry is outside [60, 604_800] (60 s – 7 days).
§Security
The URL is generated in Rust — AWS credentials never cross the IPC
boundary. The frontend receives an opaque PresignedUrl struct and
writes the URL to the clipboard. The URL itself carries no ongoing auth
state; once generated it may be shared freely within its expiry window.