[Feature]: Short-lived unauthenticated access to certain resources #2159

Open
emma-sg opened this issue Nov 18, 2024 · 0 comments
Labels
enhancement New feature or request

emma-sg commented Nov 18, 2024

What change would you like to see?

We should allow users to generate a short-lived URL for a resource (probably just collections, maybe also collection downloads?) that would allow anyone with the URL to access the resource but only for a short time (say, 12h) before a new URL would have to be generated. This would be analogous to presigned S3 URLs, where a user can generate a resource URL from an API call by passing the resource id (and maybe some parameters about validity time), and get back a URL for that resource that bypasses the need for authentication that they can then use however they like until it expires.

For collections specifically, we could generate an expiring "share" URL with an accompanying pre-signed WACZ URL with the same expiry, and persist them in Mongo with an expiration set.

Context

There are use cases where our own planned collection publishing features won't be enough for more advanced use cases for some users — for example, locking content behind a custom password or any other type of check or verification.

We'd talked about this enabling use cases for adult content sharing, where maybe a collection could be private but a user could implement their own eligibility checks and provide access to a collection based on that, and use short-lived sharing URLs to allow access without users being able to then share the resulting URL to bypass those checks beyond the expiration date of the URL.

We have some precedent with these types of features:

  • We already use S3 presigned URLs for collection downloads
  • User invites function this way already, where an invite code is generated and expires after some time (I think a week?). The invite token bypasses the need for authentication (well, or serves as authentication) when getting a new user signed up.

Discord discussion

cc @tw4l
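
The presigned-URL analogy in the request above, as an added example (not code from this issue or from the project): a stateless HMAC-signed variant rather than the Mongo-persisted one the post suggests. `SIGNING_KEY`, `make_share_url`, `verify_share_request` and the `expires`/`sig` query parameters are hypothetical names, and resource ids are assumed to be URL-safe.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment would load a random secret from config.
SIGNING_KEY = b"demo-signing-key-not-for-production"
MAX_TTL_SECONDS = 12 * 60 * 60  # the 12h figure suggested in the issue


def _sign(resource_id: str, expires_at: int) -> str:
    # Length-prefix the id so different (id, expiry) pairs never sign the same bytes.
    msg = f"{len(resource_id)}:{resource_id}:{expires_at}".encode()
    digest = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_share_url(base_url: str, resource_id: str, ttl: int,
                   now: Optional[int] = None) -> str:
    """Return a URL for resource_id that verifies until now + ttl seconds."""
    if not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError("ttl out of range")
    now = int(time.time()) if now is None else now
    expires_at = now + ttl
    sig = _sign(resource_id, expires_at)
    return f"{base_url}/{resource_id}?expires={expires_at}&sig={sig}"


def verify_share_request(resource_id: str, expires: str, sig: str,
                         now: Optional[int] = None) -> bool:
    """Accept only an untampered (resource, expiry) pair that has not expired."""
    now = int(time.time()) if now is None else now
    try:
        expires_at = int(expires)
    except ValueError:
        return False
    expected = _sign(resource_id, expires_at)
    # Constant-time compare avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    # Expiry is covered by the signature, so it cannot be extended by the holder.
    return now < expires_at
```

A stateless token like this cannot be revoked before it expires; persisting the share with an expiration, as the post suggests, is what allows early revocation.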

Projects
Status: Triage