[feature]: Configurable S3 Signed URL Expiration

[gustoliveira]

Problem Statement

Currently, the S3 signed URL expiration time is hardcoded to 3600 seconds (1 hour) in the S3Storage class. This creates security and operational challenges for different deployment scenarios where administrators need more granular control over asset access duration.

✅ IMPLEMENTED - This feature has been completed and is available in #8136

Proposed Solution

Add a SIGNED_URL_EXPIRATION environment variable that allows administrators to configure the signed URL expiration time without modifying code.

Technical Implementation

Configuration:

# .env or environment variables
SIGNED_URL_EXPIRATION=30  # 30 seconds for high-security deployments
# SIGNED_URL_EXPIRATION=300  # 5 minutes for balanced security
# SIGNED_URL_EXPIRATION=3600  # 1 hour (default) for convenience

Behavior:

• Default value: 3600 seconds (1 hour) - maintains backward compatibility
• Applies to both generate_presigned_post() and generate_presigned_url() methods
• Can be overridden per-request using explicit expiration parameter
• Value is read at S3Storage initialization

Benefits

1. Security: Reduces the attack window for intercepted or leaked URLs
2. Flexibility: Accommodates different security postures without code changes
3. Compliance: Helps meet regulatory requirements for time-based access controls
4. Backward Compatible: Existing deployments continue working with 1-hour default
5. Operationally Simple: Single environment variable, no complex configuration
6. Override Capability: Application code can still specify custom expiration per-request

Migration Path

No migration would be required - this is a backward-compatible enhancement:

1. Existing deployments without SIGNED_URL_EXPIRATION continue using 1-hour default
2. New deployments can set the variable during initial configuration
3. Existing deployments can add the variable at any time without disruption