Attached.Web.Signer (Attached v0.1.0)

Copy Markdown View Source

Signs and verifies storage keys for secure URL generation.

A signed token encodes the storage key and an expiry timestamp, protected by an HMAC-SHA256 computed over the configured secret_key_base. The Plug verifies the token before serving any file.

Configuration

config :attached,
  secret_key_base: "your-64-byte-secret",
  url_expires_in: 300   # seconds, default 5 minutes

When secret_key_base is not configured, sign/1 returns the raw key and verify/1 accepts any value — suitable for development and tests.

Token format

Base64url(key|expiry).Base64url(hmac)

where hmac = HMAC-SHA256(secret, "key|expiry").

Summary

Functions

sign(key, opts \\ [])

Signs key and returns a URL-safe token.

verify(token)

Verifies a signed token and returns {:ok, key} or {:error, reason}.

Functions

sign(key, opts \\ [])

Signs key and returns a URL-safe token.

Accepts an optional :expires_in override (seconds). Falls back to the configured url_expires_in, or 300 seconds if neither is set.

When no secret_key_base is configured the raw key is returned unchanged.

verify(token)

Verifies a signed token and returns {:ok, key} or {:error, reason}.

When no secret_key_base is configured the token is decoded from Base64url and returned without signature verification.