feat(blossom): optional S3-compatible blob storage

zooid/api.go

@@ -358,6 +358,7 @@ func (api *APIHandler) validateConfig(config *Config) error {
 			return fmt.Errorf("invalid info.pubkey: %w", err)
 		}
 	}
+	normalizeBlossomConfig(config)
 	if err := validateBlossomFileStorage(config); err != nil {
 		return err
 	}
@@ -409,6 +410,7 @@ func (api *APIHandler) loadConfigFromPath(path string) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	normalizeBlossomConfig(&config)
 	return &config, nil
 }
 

zooid/blossom.go

@@ -8,7 +8,6 @@ import (
 	"log"
 	"net/url"
 	"path/filepath"
-	"strings"
 
 	"fiatjaf.com/nostr"
 	"fiatjaf.com/nostr/eventstore"
@@ -26,29 +25,111 @@ type BlossomStore struct {
 	Events eventstore.Store
 }
 
-func newBlossomS3Client(ctx context.Context, cfg *Config) (*s3.Client, error) {
-	s := cfg.Blossom.S3
-	secret := strings.TrimSpace(cfg.blossomS3SecretKey)
-	if secret == "" {
-		return nil, fmt.Errorf("s3 secret key is not configured")
-	}
-
-	awsCfg, err := awsconfig.LoadDefaultConfig(ctx,
-		awsconfig.WithRegion(strings.TrimSpace(s.Region)),
-		awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(strings.TrimSpace(s.AccessKey), secret, "")),
+func loadAWSConfigForBlossomS3(ctx context.Context, s *BlossomS3Settings) (aws.Config, error) {
+	return awsconfig.LoadDefaultConfig(ctx,
+		awsconfig.WithRegion(s.Region),
+		awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(s.AccessKey, s.SecretKey, "")),
 	)
-	if err != nil {
-		return nil, err
+}
+
+func s3APIClientForBlossomSettings(awsCfg aws.Config, s *BlossomS3Settings) *s3.Client {
+	customEndpoint := s.Endpoint != ""
+	return s3.NewFromConfig(awsCfg, func(o *s3.Options) {
+		if customEndpoint {
+			o.BaseEndpoint = aws.String(s.Endpoint)
+			// Custom endpoints (e.g. MinIO) expect path-style addressing.
+			o.UsePathStyle = true
+		}
+	})
+}
+
+func blossomS3ObjectKey(slugName, sha256, keyPrefix string) string {
+	rel := slugName + "/" + sha256
+	if keyPrefix != "" {
+		return keyPrefix + "/" + rel
+	}
+	return rel
+}
+
+func attachBlossomLocalBlobs(bs *blossom.BlossomServer, slugName string) {
+	dir := filepath.Join(Env("MEDIA"), slugName)
+	osfs := afero.NewOsFs()
+	_ = osfs.MkdirAll(dir, 0755)
+
+	bs.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
+		file, err := osfs.Create(filepath.Join(dir, sha256))
+		if err != nil {
+			return err
+		}
+
+		if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
+			return err
+		}
+
+		return nil
 	}
 
-	endpoint := strings.TrimRight(strings.TrimSpace(s.Endpoint), "/")
-
-	return s3.NewFromConfig(awsCfg, func(o *s3.Options) {
-		if endpoint != "" {
-			o.BaseEndpoint = aws.String(endpoint)
+	bs.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
+		file, err := osfs.Open(filepath.Join(dir, sha256))
+		if err != nil {
+			return nil, nil, err
 		}
-		o.UsePathStyle = s.UsePathStyle
-	}), nil
+		return file, nil, nil
+	}
+
+	bs.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
+		return osfs.Remove(filepath.Join(dir, sha256))
+	}
+}
+
+func attachBlossomS3Blobs(bs *blossom.BlossomServer, cfg *Config, slugName string) error {
+	s := &cfg.Blossom.S3
+	ctx := context.Background()
+
+	awsCfg, err := loadAWSConfigForBlossomS3(ctx, s)
+	if err != nil {
+		return fmt.Errorf("aws config: %w", err)
+	}
+
+	client := s3APIClientForBlossomSettings(awsCfg, s)
+	bucket := s.Bucket
+
+	bs.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
+		_, err := client.PutObject(ctx, &s3.PutObjectInput{
+			Bucket: aws.String(bucket),
+			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
+			Body:   bytes.NewReader(body),
+		})
+		return err
+	}
+
+	bs.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
+		out, err := client.GetObject(ctx, &s3.GetObjectInput{
+			Bucket: aws.String(bucket),
+			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		defer out.Body.Close()
+
+		data, err := io.ReadAll(out.Body)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		return bytes.NewReader(data), nil, nil
+	}
+
+	bs.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
+		_, err := client.DeleteObject(ctx, &s3.DeleteObjectInput{
+			Bucket: aws.String(bucket),
+			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
+		})
+		return err
+	}
+
+	return nil
 }
 
 func (bl *BlossomStore) Enable(instance *Instance) {
@@ -60,95 +141,15 @@ func (bl *BlossomStore) Enable(instance *Instance) {
 		ServiceURL: "https://" + bl.Config.Host,
 	}
 
-	fs := strings.ToLower(strings.TrimSpace(bl.Config.Blossom.FileStorage))
-	if fs == "" {
-		fs = "local"
-	}
-
-	switch fs {
+	switch bl.Config.Blossom.Backend {
 	case "local":
-		dir := filepath.Join(Env("MEDIA"), slugName)
-		osfs := afero.NewOsFs()
-		_ = osfs.MkdirAll(dir, 0755)
-
-		backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
-			file, err := osfs.Create(filepath.Join(dir, sha256))
-			if err != nil {
-				return err
-			}
-
-			if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
-				return err
-			}
-
-			return nil
-		}
-
-		backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
-			file, err := osfs.Open(filepath.Join(dir, sha256))
-			if err != nil {
-				return nil, nil, err
-			}
-			return file, nil, nil
-		}
-
-		backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
-			return osfs.Remove(filepath.Join(dir, sha256))
-		}
-
+		attachBlossomLocalBlobs(backend, slugName)
 	case "s3":
-		client, err := newBlossomS3Client(context.Background(), bl.Config)
-		if err != nil {
-			log.Fatalf("blossom: s3 client: %v", err)
+		if err := attachBlossomS3Blobs(backend, bl.Config, slugName); err != nil {
+			log.Fatalf("blossom: s3: %v", err)
 		}
-
-		bucket := strings.TrimSpace(bl.Config.Blossom.S3.Bucket)
-		makeKey := func(sha string) string {
-			prefix := strings.Trim(strings.TrimSpace(bl.Config.Blossom.S3.KeyPrefix), "/")
-			rel := slugName + "/" + sha
-			if prefix != "" {
-				return prefix + "/" + rel
-			}
-			return rel
-		}
-
-		backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
-			_, err := client.PutObject(ctx, &s3.PutObjectInput{
-				Bucket: aws.String(bucket),
-				Key:    aws.String(makeKey(sha256)),
-				Body:   bytes.NewReader(body),
-			})
-			return err
-		}
-
-		backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
-			out, err := client.GetObject(ctx, &s3.GetObjectInput{
-				Bucket: aws.String(bucket),
-				Key:    aws.String(makeKey(sha256)),
-			})
-			if err != nil {
-				return nil, nil, err
-			}
-			defer out.Body.Close()
-
-			data, err := io.ReadAll(out.Body)
-			if err != nil {
-				return nil, nil, err
-			}
-
-			return bytes.NewReader(data), nil, nil
-		}
-
-		backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
-			_, err := client.DeleteObject(ctx, &s3.DeleteObjectInput{
-				Bucket: aws.String(bucket),
-				Key:    aws.String(makeKey(sha256)),
-			})
-			return err
-		}
-
 	default:
-		log.Fatalf("blossom: unknown file_storage %q (use local or s3)", bl.Config.Blossom.FileStorage)
+		log.Fatalf("blossom: unknown backend %q (use local or s3)", bl.Config.Blossom.Backend)
 	}
 
 	backend.RejectUpload = func(ctx context.Context, auth *nostr.Event, size int, ext string) (bool, string, int) {

zooid/config.go

@@ -46,9 +46,9 @@ type Config struct {
 	} `toml:"management" json:"management"`
 
 	Blossom struct {
-		Enabled     bool              `toml:"enabled" json:"enabled"`
-		FileStorage string            `toml:"file_storage" json:"file_storage"`
-		S3          BlossomS3Settings `toml:"s3" json:"s3"`
+		Enabled bool              `toml:"enabled" json:"enabled"`
+		Backend string            `toml:"backend" json:"backend"`
+		S3      BlossomS3Settings `toml:"s3" json:"s3"`
 	} `toml:"blossom" json:"blossom"`
 
 	Livekit struct {
@@ -60,21 +60,19 @@ type Config struct {
 	Roles map[string]Role `toml:"roles" json:"roles"`
 
 	// Private/parsed values
-	path               string
-	secret             nostr.SecretKey
-	blossomS3SecretKey string
+	path   string
+	secret nostr.SecretKey
 }
 
 // BlossomS3Settings configures S3-compatible object storage for Blossom blobs
-// when [blossom] file_storage is "s3".
+// when [blossom] backend is "s3".
 type BlossomS3Settings struct {
-	Endpoint     string `toml:"endpoint" json:"endpoint"`
-	Region       string `toml:"region" json:"region"`
-	Bucket       string `toml:"bucket" json:"bucket"`
-	AccessKey    string `toml:"access_key" json:"access_key"`
-	SecretKey    string `toml:"secret_key" json:"secret_key"`
-	KeyPrefix    string `toml:"key_prefix" json:"key_prefix"`
-	UsePathStyle bool   `toml:"use_path_style" json:"use_path_style"`
+	Endpoint  string `toml:"endpoint" json:"endpoint"`
+	Region    string `toml:"region" json:"region"`
+	Bucket    string `toml:"bucket" json:"bucket"`
+	AccessKey string `toml:"access_key" json:"access_key"`
+	SecretKey string `toml:"secret_key" json:"secret_key"`
+	KeyPrefix string `toml:"key_prefix" json:"key_prefix"`
 }
 
 func LoadConfig(filename string) (*Config, error) {
@@ -89,6 +87,8 @@ func LoadConfigFromPath(path string) (*Config, error) {
 		return nil, fmt.Errorf("Failed to parse config file %s: %w", path, err)
 	}
 
+	normalizeBlossomConfig(&config)
+
 	if config.Host == "" {
 		return nil, fmt.Errorf("host is required")
 	}
@@ -113,9 +113,6 @@ func LoadConfigFromPath(path string) (*Config, error) {
 	config.Secret = ""
 	config.secret = secret
 
-	config.blossomS3SecretKey = strings.TrimSpace(config.Blossom.S3.SecretKey)
-	config.Blossom.S3.SecretKey = ""
-
 	if err := validateBlossomFileStorage(&config); err != nil {
 		return nil, err
 	}
@@ -123,33 +120,45 @@ func LoadConfigFromPath(path string) (*Config, error) {
 	return &config, nil
 }
 
+func normalizeBlossomConfig(c *Config) {
+	s := &c.Blossom.S3
+	s.Region = strings.TrimSpace(s.Region)
+	s.Bucket = strings.TrimSpace(s.Bucket)
+	s.AccessKey = strings.TrimSpace(s.AccessKey)
+	s.SecretKey = strings.TrimSpace(s.SecretKey)
+	s.Endpoint = strings.TrimRight(strings.TrimSpace(s.Endpoint), "/")
+	s.KeyPrefix = strings.Trim(strings.TrimSpace(s.KeyPrefix), "/")
+
+	c.Blossom.Backend = strings.ToLower(strings.TrimSpace(c.Blossom.Backend))
+	if c.Blossom.Backend == "" {
+		c.Blossom.Backend = "local"
+	}
+}
+
 func validateBlossomFileStorage(c *Config) error {
 	if !c.Blossom.Enabled {
 		return nil
 	}
-	fs := strings.ToLower(strings.TrimSpace(c.Blossom.FileStorage))
-	if fs == "" || fs == "local" {
+	switch c.Blossom.Backend {
+	case "local":
 		return nil
-	}
-	if fs != "s3" {
-		return fmt.Errorf(`blossom.file_storage must be "local", "s3", or empty (defaults to local)`)
+	case "s3":
+		// fall through
+	default:
+		return fmt.Errorf(`blossom.backend must be "local", "s3", or empty (defaults to local)`)
 	}
 	s := c.Blossom.S3
-	if strings.TrimSpace(s.Bucket) == "" {
-		return fmt.Errorf("blossom.s3.bucket is required when blossom.file_storage is s3")
+	if s.Bucket == "" {
+		return fmt.Errorf("blossom.s3.bucket is required when blossom.backend is s3")
 	}
-	if strings.TrimSpace(s.Region) == "" {
-		return fmt.Errorf("blossom.s3.region is required when blossom.file_storage is s3")
+	if s.Region == "" {
+		return fmt.Errorf("blossom.s3.region is required when blossom.backend is s3")
 	}
-	if strings.TrimSpace(s.AccessKey) == "" {
-		return fmt.Errorf("blossom.s3.access_key is required when blossom.file_storage is s3")
+	if s.AccessKey == "" {
+		return fmt.Errorf("blossom.s3.access_key is required when blossom.backend is s3")
 	}
-	secret := strings.TrimSpace(c.blossomS3SecretKey)
-	if secret == "" {
-		secret = strings.TrimSpace(c.Blossom.S3.SecretKey)
-	}
-	if secret == "" {
-		return fmt.Errorf("blossom.s3.secret_key is required when blossom.file_storage is s3")
+	if s.SecretKey == "" {
+		return fmt.Errorf("blossom.s3.secret_key is required when blossom.backend is s3")
 	}
 	return nil
 }
@@ -157,7 +166,6 @@ func validateBlossomFileStorage(c *Config) error {
 func (config *Config) Save() error {
 	// Restore the secret key to the public field for saving
 	config.Secret = config.secret.Hex()
-	config.Blossom.S3.SecretKey = config.blossomS3SecretKey
 
 	file, err := os.Create(config.path)
 	if err != nil {
@@ -172,7 +180,6 @@ func (config *Config) Save() error {
 
 	// Clear the secret again
 	config.Secret = ""
-	config.Blossom.S3.SecretKey = ""
 
 	return nil
 }

zooid/config_test.go

@@ -161,7 +161,8 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("blossom disabled skips validation", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = false
-		c.Blossom.FileStorage = "s3"
+		c.Blossom.Backend = "s3"
+		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil, got %v", err)
 		}
@@ -170,7 +171,8 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("local storage needs no s3 fields", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.FileStorage = "local"
+		c.Blossom.Backend = "local"
+		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil, got %v", err)
 		}
@@ -179,8 +181,9 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("s3 requires bucket region keys and secret", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.FileStorage = "s3"
+		c.Blossom.Backend = "s3"
 		c.Blossom.S3.Region = "us-east-1"
+		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err == nil {
 			t.Fatal("expected error for missing bucket and credentials")
 		}
@@ -188,22 +191,24 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 		c.Blossom.S3.Bucket = "b"
 		c.Blossom.S3.AccessKey = "k"
 		c.Blossom.S3.SecretKey = "s"
+		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil with all s3 fields set, got %v", err)
 		}
 	})
 
-	t.Run("invalid file_storage value", func(t *testing.T) {
+	t.Run("invalid backend value", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.FileStorage = "nfs"
+		c.Blossom.Backend = "nfs"
+		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err == nil {
-			t.Fatal("expected error for unknown file_storage")
+			t.Fatal("expected error for unknown backend")
 		}
 	})
 }
 
-func TestLoadConfigFromPath_BlossomS3SecretRedacted(t *testing.T) {
+func TestLoadConfigFromPath_BlossomS3(t *testing.T) {
 	sk := nostr.Generate()
 	tmp := t.TempDir()
 	path := filepath.Join(tmp, "relay.toml")
@@ -218,7 +223,7 @@ pubkey = "` + sk.Public().Hex() + `"
 
 [blossom]
 enabled = true
-file_storage = "s3"
+backend = "s3"
 
 [blossom.s3]
 region = "auto"
@@ -226,7 +231,6 @@ bucket = "test-bucket"
 access_key = "AKIA"
 secret_key = "topsecret"
 endpoint = "http://127.0.0.1:9000"
-use_path_style = true
 `
 	if err := os.WriteFile(path, []byte(tomlBody), 0644); err != nil {
 		t.Fatal(err)
@@ -236,10 +240,10 @@ use_path_style = true
 	if err != nil {
 		t.Fatalf("LoadConfigFromPath: %v", err)
 	}
-	if cfg.Blossom.S3.SecretKey != "" {
-		t.Error("expected blossom s3 secret_key cleared from loaded struct")
+	if cfg.Blossom.S3.SecretKey != "topsecret" {
+		t.Errorf("expected s3 secret_key retained in struct, got %q", cfg.Blossom.S3.SecretKey)
 	}
-	if cfg.blossomS3SecretKey != "topsecret" {
-		t.Errorf("expected private s3 secret retained, got %q", cfg.blossomS3SecretKey)
+	if cfg.Blossom.Backend != "s3" {
+		t.Errorf("backend: got %q", cfg.Blossom.Backend)
 	}
 }