CulturalMe / meteor-slingshot

Upload files directly to AWS S3, Google Cloud Storage and others in meteor
MIT License

Security question: how to validate the download url #220

Open sebakerckhof opened 7 years ago

sebakerckhof commented 7 years ago

I like the idea of uploading directly to the storage service instead of the data passing through my server.

However, this way, we have to give control to the user to tell us what the download url actually is. E.g. from the readme:

var uploader = new Slingshot.Upload("myFileUploads");

uploader.send(document.getElementById('input').files[0], function (error, downloadUrl) {
  if (error) {
    // Log service detailed response.
    console.error('Error uploading', uploader.xhr.response);
    alert (error);
  }
  else {
    Meteor.users.update(Meteor.userId(), {$push: {"profile.files": downloadUrl}});
  }
});

So the user could enter any URL, even if what is at that URL does not abide by our validation rules for the directive, which, depending on what you do with the resulting URL, might be dangerous.

Is there any way, for example, to let S3 ping our server when an upload is done, by incorporating a 'notify-on-upload-complete url' in the directive (just making something up here)?

KaitaniLabs commented 6 years ago

It looks like you can set up event notifications on your S3 bucket to ping to all kinds of places including email, SMS and an HTTP endpoint.
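A server-side check for the concern raised in the opening question, as an added example that is not part of the thread or of meteor-slingshot's own code: before storing a client-reported download URL (for instance inside a Meteor method instead of the client-side `Meteor.users.update`), confirm that it points into the expected bucket and into the calling user's key prefix. The bucket host `example-bucket.s3.amazonaws.com`, the `<userId>/<file>` key layout and the function name `validateDownloadUrl` are assumptions made for the illustration.

```javascript
// Added example: validate a download URL reported by the client.
// ALLOWED_HOST and the "<userId>/<file>" key layout are assumptions.
const ALLOWED_HOST = "example-bucket.s3.amazonaws.com"; // placeholder bucket host

function validateDownloadUrl(rawUrl, userId) {
  if (typeof rawUrl !== "string" || rawUrl.length > 2048) {
    return { ok: false, reason: "type or length" };
  }
  // Assumed id format: plain alphanumeric, so it is safe inside a path.
  if (typeof userId !== "string" || !/^[A-Za-z0-9]+$/.test(userId)) {
    return { ok: false, reason: "user id" };
  }
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases host, resolves "../"
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // Exact host comparison: a suffix or substring test would also accept
  // "example-bucket.s3.amazonaws.com.attacker.example".
  if (url.hostname !== ALLOWED_HOST || url.port !== "") {
    return { ok: false, reason: "host" };
  }
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (url.search || url.hash) return { ok: false, reason: "query or fragment" };
  // An encoded slash or backslash could name a key outside the prefix.
  if (/%2f|%5c/i.test(url.pathname)) {
    return { ok: false, reason: "encoded separator" };
  }
  // Compare the normalized path, so "/u1/../u2/x" is seen as "/u2/x".
  const prefix = "/" + userId + "/";
  if (!url.pathname.startsWith(prefix) || url.pathname.length === prefix.length) {
    return { ok: false, reason: "key prefix" };
  }
  // Store the normalized form, never the raw string the client sent.
  return { ok: true, url: url.href };
}
```

This confirms only where the URL points, not what is stored there; enforcing the directive's content rules still needs a server-side signal such as the S3 event notifications mentioned in the thread.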