Implement direct S3 uploads with async thumbnail generation

[Copilot]

Eliminates WordPress server as upload intermediary by implementing browser-to-S3 direct uploads via pre-signed URLs. Thumbnails generate asynchronously via WP-Cron to avoid blocking the upload path.

Upload Flow

• S3Client: Added generatePresignedUploadUrl() with configurable expiration (capped at 24h) and support for bucket-owner-enforced mode
• DirectUploadHandler: AJAX endpoints for pre-signed URL generation and attachment creation
• JavaScript: Overrides wp.Uploader.uploadFile() to PUT directly to S3, falls back to traditional upload on failure
• MediaHandler: No changes to existing traditional upload path, which continues working

// Intercepts plupload, uploads via XMLHttpRequest to S3
xhr.open('PUT', presignedUrl, true);
xhr.send(fileBlob);

Thumbnail Processing

• ThumbnailProcessor: Queue-based system pulls files from S3 to temp storage, generates thumbnails, pushes back to S3
• WP-Cron: Processes queue every 10s with transient-based locking to prevent concurrent execution
• CLI: wp wp-cloud-files process-thumbnails for manual processing
• Queue stored as non-autoloaded option; updated per-item in CLI to handle interruptions

Security

• Path traversal validation (rejects .. and \)
• File size validation against wp_max_upload_size()
• Nonce verification with explicit return value checks
• Pre-signed URL expiration bounds enforced

Configuration

New optional constant for S3 buckets with ACLs disabled:

define('S3_BUCKET_OWNER_ENFORCED', true);

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Direct S3 uploads</issue_title>
<issue_description>Rather than allowing files to be uploaded to the WordPress server and moving them to S3 afterwards, we should first clients to upload directly to the S3 server using pre-signed S3 URLs.

For thumbnails, we may implement client side thumbnailing at some point, but for now we should use the same method as the CLI thumbnail regeneration. Pull the file from S3 into temporary storage, generate the thumbnails, push them back up to S3, and save the final links to metadata. This should be a cron-driven process, so the client process isnt slowed down. </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Direct S3 uploads #1

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.