Pass files from Amazon S3 through NodeJS server without exposing S3 URL?

A combination of an express middleware (to check the authorization of the user making the request) and the use of the Node AWS SDK should do the trick.

Here is a full example using multer for the upload.

var express = require('express');var app = express();var router = express.Router();var multer = require('multer');var upload = multer({  dest: "tmp/"});var fs = require('fs');var async = require('async');var AWS = require('aws-sdk');// Configure AWS SDK herevar s3 = new AWS.s3({  params: {    Bucket: 'xxx'  }});/** * Authentication middleware * * It will be called for any routes starting with /files */app.use("/files", function (req, res, next) {  var authorized = true; // use custom logic here  if (!authorized) {    return res.status(403).end("not authorized");  }  next();});// Route for the uploadapp.post("/files/upload", upload.single("form-field-name"), function (req, res) {  var fileInfo = console.log(req.file);  var fileStream = fs.readFileSync(fileInfo.path);  var options = {    Bucket: 'xxx',    Key: 'yyy/'+fileName,    Body: fileStream  };  s3.upload(options, function (err) {    // Remove the temporary file    fs.removeFileSync("tmp/"+fileInfo.path); // ideally use the async version    if (err) {      return res.status(500).end("Upload to s3 failed");    }    res.status(200).end("File uploaded");  });});// Route for the downloadapp.get("/files/download/:name", function (req, res) {  var fileName = req.params.name;  if (!fileName) {    return res.status(400).end("missing file name");  }  var options = {    Bucket: 'xxx',    Key: 'yyy/'+fileName  };  res.attachment(fileName);  s3.getObject(options).createReadStream().pipe(res);});app.listen(3000);

Obviously this is only partially tested and lacks of proper error handling - but it hopefully it should give you a rough idea of how to implement it.

You can use S3 REST API. It will allows you to make signed request to GET or PUT your bucket's objects directly from your backend.

The principle is similar from the one described in your link. Your backend need to use the AWS JS SDK to create a signed URL to manipulate an object. You are free to do any check you want prior or after requesting something from S3 in your Express routes.

Here is a simple GET example (it is not fully functional, just the main idea):

...[assume that you are in an express route with req/res objects]...var aws = require('aws-sdk'),  s3 = new aws.S3();aws.config.region = 'your_region';aws.config.credentials = {  accessKeyId: 'your_key',  secretAccessKey: 'your_secret'};s3.getSignedUrl('getObject', {Bucket: 'your_bucket', Key: 'your_file_name', Expires: 3600}, function (error, url) {  if (error || !url) {    //error while creating the URL    res.status(500).end();  } else {    //make a request to the signed URL to get the file and pipe the res to the client    request({      url: url    }).pipe(res);  }});

You will here find more examples from Amazon.