I’m looking to use ActiveStorage Direct Uploads in a project and I’m struggling to understand how the default configuration is safe.
As I read it, any user can create a new direct upload by calling DirectUploadController#create. They then receive a URL and/or authentication information for uploading the contents of the blob to your storage service. Couldn’t someone simply keep making calls to DirectUploadController#create and keep uploading more and more blobs to the storage service and never attaching any of those blobs?
Is that safe? Is there a risk of a user getting a super large bill from say S3 because a script kept sending blobs? Or maybe this is a similar level of risk as someone creating new database records on a rails site as well, I’m not sure.
Any thoughts on this? Am I looking at this problem totally wrong or is there something I’m not seeing?