Feat: Proxy image content through the API instead of redirecting to MinIO

Replace the presigned-URL redirect (302) in GET /api/v1/images/{id}/file with a direct proxy that fetches bytes from S3 server-side and returns them to the client. The browser never contacts the storage backend, eliminating the /etc/hosts workaround needed in local development. - StorageBackend: swap get_presigned_url for get(key) -> bytes - S3StorageBackend: implement get() via aiobotocore get_object - serve_image_file: return Response with ETag + Cache-Control: immutable - test_serving: assert 200 + content-type + ETag; add no-storage-details test - Spec Kit artifacts for feature 002-api-image-proxy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 16:36:43 +00:00
parent 1cee6adc68
commit cd89ba5dea
13 changed files with 688 additions and 25 deletions
--- a/api/app/routers/images.py
+++ b/api/app/routers/images.py
@@ -1,11 +1,8 @@
-import io
 import struct
 import uuid
-import zlib
-from typing import Annotated, Any
+from typing import Any

 from fastapi import APIRouter, Depends, File, Form, HTTPException, Response, UploadFile
-from fastapi.responses import RedirectResponse
 from sqlalchemy.ext.asyncio import AsyncSession

 from app.auth.provider import AuthProvider
@@ -219,8 +216,21 @@ async def serve_image_file(
            status_code=404,
            detail={"detail": "Image not found", "code": "image_not_found"},
        )
-    url = await storage.get_presigned_url(image.storage_key, expires_in_seconds=3600)
-    return RedirectResponse(url=url, status_code=302)
+    try:
+        data = await storage.get(image.storage_key)
+    except Exception:
+        raise HTTPException(
+            status_code=500,
+            detail={"detail": "Failed to retrieve image content", "code": "storage_error"},
+        ) from None
+    return Response(
+        content=data,
+        media_type=image.mime_type,
+        headers={
+            "ETag": f'"{image.hash}"',
+            "Cache-Control": "public, max-age=31536000, immutable",
+        },
+    )


@router.patch("/images/{image_id}/tags")
--- a/api/app/storage/backend.py
+++ b/api/app/storage/backend.py
@@ -7,8 +7,8 @@ class StorageBackend(ABC):
        """Store object at key with given content type."""

    @abstractmethod
-    async def get_presigned_url(self, key: str, expires_in_seconds: int = 3600) -> str:
-        """Return a pre-signed URL valid for expires_in_seconds."""
+    async def get(self, key: str) -> bytes:
+        """Return object content as bytes."""

    @abstractmethod
    async def delete(self, key: str) -> None:
--- a/api/app/storage/s3_backend.py
+++ b/api/app/storage/s3_backend.py
@@ -32,14 +32,10 @@ class S3StorageBackend(StorageBackend):
                ContentType=content_type,
            )

-    async def get_presigned_url(self, key: str, expires_in_seconds: int = 3600) -> str:
+    async def get(self, key: str) -> bytes:
        async with self._client() as client:
-            url = await client.generate_presigned_url(
-                "get_object",
-                Params={"Bucket": self._settings.s3_bucket_name, "Key": key},
-                ExpiresIn=expires_in_seconds,
-            )
-        return url
+            response = await client.get_object(Bucket=self._settings.s3_bucket_name, Key=key)
+            return await response["Body"].read()

    async def delete(self, key: str) -> None:
        async with self._client() as client: