feat(blossom): optional S3-compatible blob storage

zooid/api.go

@@ -358,7 +358,6 @@ func (api *APIHandler) validateConfig(config *Config) error {
 			return fmt.Errorf("invalid info.pubkey: %w", err)
 		}
 	}
-	normalizeBlossomConfig(config)
 	if err := validateBlossomFileStorage(config); err != nil {
 		return err
 	}
@@ -410,7 +409,6 @@ func (api *APIHandler) loadConfigFromPath(path string) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
-	normalizeBlossomConfig(&config)
 	return &config, nil
 }
 

zooid/blossom.go

@@ -8,6 +8,7 @@ import (
 	"log"
 	"net/url"
 	"path/filepath"
+	"strings"
 
 	"fiatjaf.com/nostr"
 	"fiatjaf.com/nostr/eventstore"
@@ -25,111 +26,29 @@ type BlossomStore struct {
 	Events eventstore.Store
 }
 
-func loadAWSConfigForBlossomS3(ctx context.Context, s *BlossomS3Settings) (aws.Config, error) {
-	return awsconfig.LoadDefaultConfig(ctx,
-		awsconfig.WithRegion(s.Region),
-		awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(s.AccessKey, s.SecretKey, "")),
+func newBlossomS3Client(ctx context.Context, cfg *Config) (*s3.Client, error) {
+	s := cfg.Blossom.S3
+	secret := strings.TrimSpace(cfg.blossomS3SecretKey)
+	if secret == "" {
+		return nil, fmt.Errorf("s3 secret key is not configured")
+	}
+
+	awsCfg, err := awsconfig.LoadDefaultConfig(ctx,
+		awsconfig.WithRegion(strings.TrimSpace(s.Region)),
+		awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(strings.TrimSpace(s.AccessKey), secret, "")),
 	)
-}
-
-func s3APIClientForBlossomSettings(awsCfg aws.Config, s *BlossomS3Settings) *s3.Client {
-	customEndpoint := s.Endpoint != ""
-	return s3.NewFromConfig(awsCfg, func(o *s3.Options) {
-		if customEndpoint {
-			o.BaseEndpoint = aws.String(s.Endpoint)
-			// Custom endpoints (e.g. MinIO) expect path-style addressing.
-			o.UsePathStyle = true
-		}
-	})
-}
-
-func blossomS3ObjectKey(slugName, sha256, keyPrefix string) string {
-	rel := slugName + "/" + sha256
-	if keyPrefix != "" {
-		return keyPrefix + "/" + rel
-	}
-	return rel
-}
-
-func attachBlossomLocalBlobs(bs *blossom.BlossomServer, slugName string) {
-	dir := filepath.Join(Env("MEDIA"), slugName)
-	osfs := afero.NewOsFs()
-	_ = osfs.MkdirAll(dir, 0755)
-
-	bs.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
-		file, err := osfs.Create(filepath.Join(dir, sha256))
-		if err != nil {
-			return err
-		}
-
-		if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
-			return err
-		}
-
-		return nil
-	}
-
-	bs.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
-		file, err := osfs.Open(filepath.Join(dir, sha256))
-		if err != nil {
-			return nil, nil, err
-		}
-		return file, nil, nil
-	}
-
-	bs.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
-		return osfs.Remove(filepath.Join(dir, sha256))
-	}
-}
-
-func attachBlossomS3Blobs(bs *blossom.BlossomServer, cfg *Config, slugName string) error {
-	s := &cfg.Blossom.S3
-	ctx := context.Background()
-
-	awsCfg, err := loadAWSConfigForBlossomS3(ctx, s)
 	if err != nil {
-		return fmt.Errorf("aws config: %w", err)
+		return nil, err
 	}
 
-	client := s3APIClientForBlossomSettings(awsCfg, s)
-	bucket := s.Bucket
+	endpoint := strings.TrimRight(strings.TrimSpace(s.Endpoint), "/")
 
-	bs.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
-		_, err := client.PutObject(ctx, &s3.PutObjectInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
-			Body:   bytes.NewReader(body),
-		})
-		return err
-	}
-
-	bs.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
-		out, err := client.GetObject(ctx, &s3.GetObjectInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
-		})
-		if err != nil {
-			return nil, nil, err
+	return s3.NewFromConfig(awsCfg, func(o *s3.Options) {
+		if endpoint != "" {
+			o.BaseEndpoint = aws.String(endpoint)
 		}
-		defer out.Body.Close()
-
-		data, err := io.ReadAll(out.Body)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		return bytes.NewReader(data), nil, nil
-	}
-
-	bs.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
-		_, err := client.DeleteObject(ctx, &s3.DeleteObjectInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(blossomS3ObjectKey(slugName, sha256, s.KeyPrefix)),
-		})
-		return err
-	}
-
-	return nil
+		o.UsePathStyle = s.UsePathStyle
+	}), nil
 }
 
 func (bl *BlossomStore) Enable(instance *Instance) {
@@ -141,15 +60,95 @@ func (bl *BlossomStore) Enable(instance *Instance) {
 		ServiceURL: "https://" + bl.Config.Host,
 	}
 
-	switch bl.Config.Blossom.Backend {
+	fs := strings.ToLower(strings.TrimSpace(bl.Config.Blossom.FileStorage))
+	if fs == "" {
+		fs = "local"
+	}
+
+	switch fs {
 	case "local":
-		attachBlossomLocalBlobs(backend, slugName)
-	case "s3":
-		if err := attachBlossomS3Blobs(backend, bl.Config, slugName); err != nil {
-			log.Fatalf("blossom: s3: %v", err)
+		dir := filepath.Join(Env("MEDIA"), slugName)
+		osfs := afero.NewOsFs()
+		_ = osfs.MkdirAll(dir, 0755)
+
+		backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
+			file, err := osfs.Create(filepath.Join(dir, sha256))
+			if err != nil {
+				return err
+			}
+
+			if _, err := io.Copy(file, bytes.NewReader(body)); err != nil {
+				return err
+			}
+
+			return nil
 		}
+
+		backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
+			file, err := osfs.Open(filepath.Join(dir, sha256))
+			if err != nil {
+				return nil, nil, err
+			}
+			return file, nil, nil
+		}
+
+		backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
+			return osfs.Remove(filepath.Join(dir, sha256))
+		}
+
+	case "s3":
+		client, err := newBlossomS3Client(context.Background(), bl.Config)
+		if err != nil {
+			log.Fatalf("blossom: s3 client: %v", err)
+		}
+
+		bucket := strings.TrimSpace(bl.Config.Blossom.S3.Bucket)
+		makeKey := func(sha string) string {
+			prefix := strings.Trim(strings.TrimSpace(bl.Config.Blossom.S3.KeyPrefix), "/")
+			rel := slugName + "/" + sha
+			if prefix != "" {
+				return prefix + "/" + rel
+			}
+			return rel
+		}
+
+		backend.StoreBlob = func(ctx context.Context, sha256 string, ext string, body []byte) error {
+			_, err := client.PutObject(ctx, &s3.PutObjectInput{
+				Bucket: aws.String(bucket),
+				Key:    aws.String(makeKey(sha256)),
+				Body:   bytes.NewReader(body),
+			})
+			return err
+		}
+
+		backend.LoadBlob = func(ctx context.Context, sha256 string, ext string) (io.ReadSeeker, *url.URL, error) {
+			out, err := client.GetObject(ctx, &s3.GetObjectInput{
+				Bucket: aws.String(bucket),
+				Key:    aws.String(makeKey(sha256)),
+			})
+			if err != nil {
+				return nil, nil, err
+			}
+			defer out.Body.Close()
+
+			data, err := io.ReadAll(out.Body)
+			if err != nil {
+				return nil, nil, err
+			}
+
+			return bytes.NewReader(data), nil, nil
+		}
+
+		backend.DeleteBlob = func(ctx context.Context, sha256 string, ext string) error {
+			_, err := client.DeleteObject(ctx, &s3.DeleteObjectInput{
+				Bucket: aws.String(bucket),
+				Key:    aws.String(makeKey(sha256)),
+			})
+			return err
+		}
+
 	default:
-		log.Fatalf("blossom: unknown backend %q (use local or s3)", bl.Config.Blossom.Backend)
+		log.Fatalf("blossom: unknown file_storage %q (use local or s3)", bl.Config.Blossom.FileStorage)
 	}
 
 	backend.RejectUpload = func(ctx context.Context, auth *nostr.Event, size int, ext string) (bool, string, int) {

zooid/config.go

@@ -46,9 +46,9 @@ type Config struct {
 	} `toml:"management" json:"management"`
 
 	Blossom struct {
-		Enabled bool              `toml:"enabled" json:"enabled"`
-		Backend string            `toml:"backend" json:"backend"`
-		S3      BlossomS3Settings `toml:"s3" json:"s3"`
+		Enabled     bool              `toml:"enabled" json:"enabled"`
+		FileStorage string            `toml:"file_storage" json:"file_storage"`
+		S3          BlossomS3Settings `toml:"s3" json:"s3"`
 	} `toml:"blossom" json:"blossom"`
 
 	Livekit struct {
@@ -60,19 +60,21 @@ type Config struct {
 	Roles map[string]Role `toml:"roles" json:"roles"`
 
 	// Private/parsed values
-	path   string
-	secret nostr.SecretKey
+	path               string
+	secret             nostr.SecretKey
+	blossomS3SecretKey string
 }
 
 // BlossomS3Settings configures S3-compatible object storage for Blossom blobs
-// when [blossom] backend is "s3".
+// when [blossom] file_storage is "s3".
 type BlossomS3Settings struct {
-	Endpoint  string `toml:"endpoint" json:"endpoint"`
-	Region    string `toml:"region" json:"region"`
-	Bucket    string `toml:"bucket" json:"bucket"`
-	AccessKey string `toml:"access_key" json:"access_key"`
-	SecretKey string `toml:"secret_key" json:"secret_key"`
-	KeyPrefix string `toml:"key_prefix" json:"key_prefix"`
+	Endpoint     string `toml:"endpoint" json:"endpoint"`
+	Region       string `toml:"region" json:"region"`
+	Bucket       string `toml:"bucket" json:"bucket"`
+	AccessKey    string `toml:"access_key" json:"access_key"`
+	SecretKey    string `toml:"secret_key" json:"secret_key"`
+	KeyPrefix    string `toml:"key_prefix" json:"key_prefix"`
+	UsePathStyle bool   `toml:"use_path_style" json:"use_path_style"`
 }
 
 func LoadConfig(filename string) (*Config, error) {
@@ -87,8 +89,6 @@ func LoadConfigFromPath(path string) (*Config, error) {
 		return nil, fmt.Errorf("Failed to parse config file %s: %w", path, err)
 	}
 
-	normalizeBlossomConfig(&config)
-
 	if config.Host == "" {
 		return nil, fmt.Errorf("host is required")
 	}
@@ -113,6 +113,9 @@ func LoadConfigFromPath(path string) (*Config, error) {
 	config.Secret = ""
 	config.secret = secret
 
+	config.blossomS3SecretKey = strings.TrimSpace(config.Blossom.S3.SecretKey)
+	config.Blossom.S3.SecretKey = ""
+
 	if err := validateBlossomFileStorage(&config); err != nil {
 		return nil, err
 	}
@@ -120,45 +123,33 @@ func LoadConfigFromPath(path string) (*Config, error) {
 	return &config, nil
 }
 
-func normalizeBlossomConfig(c *Config) {
-	s := &c.Blossom.S3
-	s.Region = strings.TrimSpace(s.Region)
-	s.Bucket = strings.TrimSpace(s.Bucket)
-	s.AccessKey = strings.TrimSpace(s.AccessKey)
-	s.SecretKey = strings.TrimSpace(s.SecretKey)
-	s.Endpoint = strings.TrimRight(strings.TrimSpace(s.Endpoint), "/")
-	s.KeyPrefix = strings.Trim(strings.TrimSpace(s.KeyPrefix), "/")
-
-	c.Blossom.Backend = strings.ToLower(strings.TrimSpace(c.Blossom.Backend))
-	if c.Blossom.Backend == "" {
-		c.Blossom.Backend = "local"
-	}
-}
-
 func validateBlossomFileStorage(c *Config) error {
 	if !c.Blossom.Enabled {
 		return nil
 	}
-	switch c.Blossom.Backend {
-	case "local":
+	fs := strings.ToLower(strings.TrimSpace(c.Blossom.FileStorage))
+	if fs == "" || fs == "local" {
 		return nil
-	case "s3":
-		// fall through
-	default:
-		return fmt.Errorf(`blossom.backend must be "local", "s3", or empty (defaults to local)`)
+	}
+	if fs != "s3" {
+		return fmt.Errorf(`blossom.file_storage must be "local", "s3", or empty (defaults to local)`)
 	}
 	s := c.Blossom.S3
-	if s.Bucket == "" {
-		return fmt.Errorf("blossom.s3.bucket is required when blossom.backend is s3")
+	if strings.TrimSpace(s.Bucket) == "" {
+		return fmt.Errorf("blossom.s3.bucket is required when blossom.file_storage is s3")
 	}
-	if s.Region == "" {
-		return fmt.Errorf("blossom.s3.region is required when blossom.backend is s3")
+	if strings.TrimSpace(s.Region) == "" {
+		return fmt.Errorf("blossom.s3.region is required when blossom.file_storage is s3")
 	}
-	if s.AccessKey == "" {
-		return fmt.Errorf("blossom.s3.access_key is required when blossom.backend is s3")
+	if strings.TrimSpace(s.AccessKey) == "" {
+		return fmt.Errorf("blossom.s3.access_key is required when blossom.file_storage is s3")
 	}
-	if s.SecretKey == "" {
-		return fmt.Errorf("blossom.s3.secret_key is required when blossom.backend is s3")
+	secret := strings.TrimSpace(c.blossomS3SecretKey)
+	if secret == "" {
+		secret = strings.TrimSpace(c.Blossom.S3.SecretKey)
+	}
+	if secret == "" {
+		return fmt.Errorf("blossom.s3.secret_key is required when blossom.file_storage is s3")
 	}
 	return nil
 }
@@ -166,6 +157,7 @@ func validateBlossomFileStorage(c *Config) error {
 func (config *Config) Save() error {
 	// Restore the secret key to the public field for saving
 	config.Secret = config.secret.Hex()
+	config.Blossom.S3.SecretKey = config.blossomS3SecretKey
 
 	file, err := os.Create(config.path)
 	if err != nil {
@@ -180,6 +172,7 @@ func (config *Config) Save() error {
 
 	// Clear the secret again
 	config.Secret = ""
+	config.Blossom.S3.SecretKey = ""
 
 	return nil
 }

zooid/config_test.go

@@ -161,8 +161,7 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("blossom disabled skips validation", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = false
-		c.Blossom.Backend = "s3"
-		normalizeBlossomConfig(c)
+		c.Blossom.FileStorage = "s3"
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil, got %v", err)
 		}
@@ -171,8 +170,7 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("local storage needs no s3 fields", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.Backend = "local"
-		normalizeBlossomConfig(c)
+		c.Blossom.FileStorage = "local"
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil, got %v", err)
 		}
@@ -181,9 +179,8 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 	t.Run("s3 requires bucket region keys and secret", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.Backend = "s3"
+		c.Blossom.FileStorage = "s3"
 		c.Blossom.S3.Region = "us-east-1"
-		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err == nil {
 			t.Fatal("expected error for missing bucket and credentials")
 		}
@@ -191,24 +188,22 @@ func TestValidateBlossomFileStorage(t *testing.T) {
 		c.Blossom.S3.Bucket = "b"
 		c.Blossom.S3.AccessKey = "k"
 		c.Blossom.S3.SecretKey = "s"
-		normalizeBlossomConfig(c)
 		if err := validateBlossomFileStorage(c); err != nil {
 			t.Fatalf("expected nil with all s3 fields set, got %v", err)
 		}
 	})
 
-	t.Run("invalid backend value", func(t *testing.T) {
+	t.Run("invalid file_storage value", func(t *testing.T) {
 		c := &Config{}
 		c.Blossom.Enabled = true
-		c.Blossom.Backend = "nfs"
-		normalizeBlossomConfig(c)
+		c.Blossom.FileStorage = "nfs"
 		if err := validateBlossomFileStorage(c); err == nil {
-			t.Fatal("expected error for unknown backend")
+			t.Fatal("expected error for unknown file_storage")
 		}
 	})
 }
 
-func TestLoadConfigFromPath_BlossomS3(t *testing.T) {
+func TestLoadConfigFromPath_BlossomS3SecretRedacted(t *testing.T) {
 	sk := nostr.Generate()
 	tmp := t.TempDir()
 	path := filepath.Join(tmp, "relay.toml")
@@ -223,7 +218,7 @@ pubkey = "` + sk.Public().Hex() + `"
 
 [blossom]
 enabled = true
-backend = "s3"
+file_storage = "s3"
 
 [blossom.s3]
 region = "auto"
@@ -231,6 +226,7 @@ bucket = "test-bucket"
 access_key = "AKIA"
 secret_key = "topsecret"
 endpoint = "http://127.0.0.1:9000"
+use_path_style = true
 `
 	if err := os.WriteFile(path, []byte(tomlBody), 0644); err != nil {
 		t.Fatal(err)
@@ -240,10 +236,10 @@ endpoint = "http://127.0.0.1:9000"
 	if err != nil {
 		t.Fatalf("LoadConfigFromPath: %v", err)
 	}
-	if cfg.Blossom.S3.SecretKey != "topsecret" {
-		t.Errorf("expected s3 secret_key retained in struct, got %q", cfg.Blossom.S3.SecretKey)
+	if cfg.Blossom.S3.SecretKey != "" {
+		t.Error("expected blossom s3 secret_key cleared from loaded struct")
 	}
-	if cfg.Blossom.Backend != "s3" {
-		t.Errorf("backend: got %q", cfg.Blossom.Backend)
+	if cfg.blossomS3SecretKey != "topsecret" {
+		t.Errorf("expected private s3 secret retained, got %q", cfg.blossomS3SecretKey)
 	}
 }