Turn on Imgix secure/signed images

[simonw]

Right now anyone can build URLs to the Imgix bucket to iterate through pages from PDFs, or to access data in PDFs that we may not even want to publish.

Can use this Imgix signing mechanism to prevent that: https://docs.imgix.com/setup/securing-assets

[simonw]

Here's how to sign them: https://github.com/imgix/imgix-python/blob/fd81a9159e9f1a3dcd32a79632d7b96f28dcbc2b/imgix/urlhelper.py#L123-L149

I want to embed the URLs in the template for ease of hacking, so I won't use their client library directly.

[simonw]

I'm introducing a new IMGIX_SECRET environment variable for the secret.

[simonw]

I turned on signed URLs for the Imgix sfms-history bucket here: https://dashboard.imgix.com/sources/62bea31ce29b088535fe2b6f

Then added the resulting token to Vercel as the IMGIX_SECRET setting here: https://vercel.com/datasette/sfms-history/settings/environment-variables

[simonw]

This works.

• https://sfms-history.imgix.net/INTAKE/J.H.%20Wythe/ScienceofLife.pdf?page=266&w=200&auto=format&s=7c9a742d25c095067e5327a38f1da328 - signed URL, works fine
• https://sfms-history.imgix.net/INTAKE/J.H.%20Wythe/ScienceofLife.pdf?page=266&w=200&auto=format - 403 error