Support attachments in room requests updates + multiregion s3 for assets bucket (#367)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Multi-region asset buckets with lifecycle, intelligent tiering, CORS,
and a reusable asset access policy (ARN exposed).
  * Presigned S3 upload and download endpoints/flows for attachments.

* **Enhancements**
* UI: dropzone attachments with MIME/size validation, upload on status
change, per-item download buttons.
* Config: assets bucket id added; data retention extended from 2→4
years.
  * Lambda modules can accept and attach asset IAM policies.

* **Tests**
  * Unit tests for presign helpers and attachment flows.

* **Chores**
  * Added S3 presigner/client and UI dropzone dependencies.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: devksingh4

src/api/functions/s3.ts

@@ -0,0 +1,74 @@
+import {
+  GetObjectCommand,
+  PutObjectCommand,
+  type S3Client,
+} from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { InternalServerError } from "common/errors/index.js";
+
+export type CreatePresignedPutInputs = {
+  s3client: S3Client;
+  bucketName: string;
+  key: string;
+  length: number;
+  mimeType: string;
+  md5hash?: string; // Must be a base64-encoded MD5 hash
+  urlExpiresIn?: number;
+};
+
+export async function createPresignedPut({
+  s3client,
+  bucketName,
+  key,
+  length,
+  mimeType,
+  md5hash,
+  urlExpiresIn,
+}: CreatePresignedPutInputs) {
+  const command = new PutObjectCommand({
+    Bucket: bucketName,
+    Key: key,
+    ContentLength: length,
+    ContentType: mimeType,
+    ContentMD5: md5hash,
+  });
+
+  const expiresIn = urlExpiresIn || 900;
+
+  try {
+    return await getSignedUrl(s3client, command, { expiresIn });
+  } catch (err) {
+    throw new InternalServerError({
+      message: "Could not create S3 upload presigned url.",
+    });
+  }
+}
+
+export type CreatePresignedGetInputs = {
+  s3client: S3Client;
+  bucketName: string;
+  key: string;
+  urlExpiresIn?: number;
+};
+
+export async function createPresignedGet({
+  s3client,
+  bucketName,
+  key,
+  urlExpiresIn,
+}: CreatePresignedGetInputs) {
+  const command = new GetObjectCommand({
+    Bucket: bucketName,
+    Key: key,
+  });
+
+  const expiresIn = urlExpiresIn || 900;
+
+  try {
+    return await getSignedUrl(s3client, command, { expiresIn });
+  } catch (err) {
+    throw new InternalServerError({
+      message: "Could not create S3 download presigned url.",
+    });
+  }
+}

src/api/package.json

@@ -15,6 +15,8 @@
     "prettier:write": "prettier --write *.ts **/*.ts"
   },
   "dependencies": {
+    "@aws-sdk/s3-request-presigner": "^3.914.0",
+    "@aws-sdk/client-s3": "^3.914.0",
     "@aws-sdk/client-dynamodb": "^3.914.0",
     "@aws-sdk/client-lambda": "^3.914.0",
     "@aws-sdk/client-secrets-manager": "^3.914.0",

src/api/routes/membership.ts

@@ -1,7 +1,6 @@
 import {
   checkExternalMembership,
   checkPaidMembershipFromTable,
-  setPaidMembershipInTable,
   MEMBER_CACHE_SECONDS,
   getExternalMemberList,
   patchExternalMemberList,
@@ -13,18 +12,9 @@ import {
   InternalServerError,
   ValidationError,
 } from "common/errors/index.js";
-import { getEntraIdToken } from "api/functions/entraId.js";
-import { genericConfig, roleArns } from "common/config.js";
-import { getRoleCredentials } from "api/functions/sts.js";
-import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
-import {
-  BatchWriteItemCommand,
-  DynamoDBClient,
-  QueryCommand,
-  ScanCommand,
-} from "@aws-sdk/client-dynamodb";
+import { genericConfig } from "common/config.js";
+import { ScanCommand } from "@aws-sdk/client-dynamodb";
 import rateLimiter from "api/plugins/rateLimiter.js";
-import { createCheckoutSession } from "api/functions/stripe.js";
 import { getSecretValue } from "api/plugins/auth.js";
 import stripe, { Stripe } from "stripe";
 import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";

src/api/routes/mobileWallet.ts

@@ -2,7 +2,6 @@ import { FastifyPluginAsync } from "fastify";
 import {
   InternalServerError,
   UnauthenticatedError,
-  ValidationError,
 } from "../../common/errors/index.js";
 import * as z from "zod/v4";
 import { checkPaidMembershipFromTable } from "../functions/membership.js";
@@ -16,10 +15,6 @@ import rateLimiter from "api/plugins/rateLimiter.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import { withTags } from "api/components/index.js";
 
-const queuedResponseJsonSchema = z.object({
-  queueId: z.string().uuid(),
-});
-
 const mobileWalletRoute: FastifyPluginAsync = async (fastify, _options) => {
   fastify.register(rateLimiter, {
     limit: 5,