Rails 7 adds support for ActiveStorage expiring URLs


The introduction of ActiveStorage in Rails 5.2 changed the way we upload or serve the attachments in a Rails application.

ActiveStorage has made it easier to integrate and use various cloud storage services.

While working with attachments, we often come across situations where we need to expire the URLs after a specific amount of time.

Before, this specific change, we had to use the service url (referred as service_url before) to set the expiration time.

But, with the introduction of this change in ActiveStorage, it can be set with the redirection URL itself without using or exposing the actual service URL.

Before

Let’s say, we have a User model which has one registration attached to it.

class User < ApplicationRecord
  has_one_attached :registration
end

When we create a blob URL, it can be accessed unlimited times by anyone with the actual URL and, the URL never expires. This is a setback as it skips all the authentications and authorizations and can be dangerous with sensitive documents.

# Permanent signed URL
url_for(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

# Service URL with default expiration
user.registration.url
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=360

# Service URL with explicit expiration
user.registration.url(expires_in: 5.seconds)
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=5

# Doesn't expires
rails_blob_path(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

Before rails 6

# config/initializers/active_storage.rb
ActiveStorage::Service.url_expires_in = 30.minutes

After rails 6

# application.rb
module Blog
  class Application < Rails::Application
    config.active_storage.service_urls_expire_in = 10.minutes # Defaut: 5.minutes
  end
end

After

With this latest addition in Rails 7, the URLs will expire at the given expiration time.

# Permanent signed URL
url_for(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

# Service URL with default expiration
user.registration.url
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=360

# Service URL with explicit expiration
user.registration.url(expires_in: 5.seconds)
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=5

# Signed URL with expiration
rails_blob_path(user.registration, disposition: "attachment", expires_in: 5.seconds)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

If you want to set a default expiration time for ActiveStorage URLs throughout your application, set

# config/application.rb
module Blog
  class Application < Rails::Application
    config.active_storage.urls_expire_in = 30.minutes
  end
end

OR in environment-specific configuration files development.rb, production.rb.

# config/environments/production.rb
Rails.application.configure do
  config.active_storage.urls_expire_in = 10.minutes # Default: nil
end