fix:use signed R2 URLs for uploaded media

- uploadToR2 now returns storage path instead of a: full URL. - Generate
signed R2 URLs (24h expiration) for images, thumbnails, and videos in
media processor and when loading finds. - Update CSP to allow
*.r2.cloudflarestorage.com for img-src

src/lib/server/media-processor.ts

@@ -1,5 +1,5 @@
 import sharp from 'sharp';
-import { uploadToR2 } from './r2';
+import { uploadToR2, getSignedR2Url } from './r2';
 
 const THUMBNAIL_SIZE = 400;
 const MAX_IMAGE_SIZE = 1920;
@@ -41,11 +41,17 @@ export async function processAndUploadImage(
 		type: 'image/jpeg'
 	});
 
-	const [url, thumbnailUrl] = await Promise.all([
+	const [imagePath, thumbPath] = await Promise.all([
 		uploadToR2(imageFile, `${filename}.jpg`, 'image/jpeg'),
 		uploadToR2(thumbFile, `${filename}-thumb.jpg`, 'image/jpeg')
 	]);
 
+	// Generate signed URLs (24 hour expiration for images)
+	const [url, thumbnailUrl] = await Promise.all([
+		getSignedR2Url(imagePath, 24 * 60 * 60), // 24 hours
+		getSignedR2Url(thumbPath, 24 * 60 * 60) // 24 hours
+	]);
+
 	return { url, thumbnailUrl };
 }
 
@@ -58,7 +64,10 @@ export async function processAndUploadVideo(
 	const filename = `finds/${findId}/video-${index}-${timestamp}.mp4`;
 
 	// Upload video directly (no processing on server to save resources)
-	const url = await uploadToR2(file, filename, 'video/mp4');
+	const videoPath = await uploadToR2(file, filename, 'video/mp4');
+
+	// Generate signed URL for video (24 hour expiration)
+	const url = await getSignedR2Url(videoPath, 24 * 60 * 60);
 
 	// For video thumbnail, generate on client-side or use placeholder
 	// This keeps server-side processing minimal

src/lib/server/r2.ts

@@ -48,7 +48,7 @@ export async function uploadToR2(file: File, path: string, contentType: string):
 		})
 	);
 
-	return `${R2_PUBLIC_URL}/${path}`;
+	return path;
 }
 
 export async function deleteFromR2(path: string): Promise<void> {