Incoming media uploaded to S3 with public-read ACL by default

[ThiagoBauken]

Summary

All media uploaded to S3 is set ACL: public-read, making every received WhatsApp file world-readable to anyone who knows (or guesses) the URL.

Details

// s3manager.go:279
input := &s3.PutObjectInput{
    ...
    ACL: types.ObjectCannedACLPublicRead,
}

Object keys follow a predictable pattern (users/{userID}/inbox/{contactJID}/.../{messageID}.ext). On S3-compatible backends without a bucket-level public-access block (common with MinIO / self-hosted), end-user media (images, documents, audio) is publicly accessible.

Proposed fix

Make access control configurable instead of always public:

• default to private objects and serve media via presigned GET URLs with a configurable TTL (GetPublicURL would call PresignGetObject); or
• keep an explicit opt-in s3_public_read flag for users who want public objects + a CDN.

This is a behavior change (some users rely on the static public URL), so it likely needs a flag + migration note — filing first to agree on the default. Happy to PR.

Location

• s3manager.go:279 (and GetPublicURL)

[ThiagoBauken]

Tested implementation ready. It adds an -s3publicread flag (and WUZAPI_S3_PUBLIC_READ env) that selects the upload ACL:

• default true → keeps today's public-read behavior, so no surprise for current users relying on the public URLs
• false → uploads private (ACL: private); media is then only reachable via presigned URLs / bucket policy

Same kind of question as #314: opt-in (default public, fully backward-compatible) or flip to private-by-default? I defaulted to public to avoid breaking existing integrations, but private-by-default is the safer posture if you're OK with the behavior change for new deployments. Your call — I'll send the PR to match whichever you prefer.