In my Java backend, I generate a new signed URL every time my frontend loads/reloads. For testing purposes, I hardcoded the expiration date. The expiration date/time has passed and the URL is expiring as expected, but my frontend application is still able to show the object using the URL I passed to it.
Here's the backend code which gets executed on every refresh:
String signedUrl = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(SignerUtils.Protocol.https,
distributionDomain, new File(privateKeyFilePath), s3ObjectKey, "my-keypair-id",
DateUtils.parseISO8601Date("2021-02-10T14:41:00.000Z"));
On my frontend, I simply add the signedUrl to an Image tag:
<Image style={styles.img} source={{ uri: img }} />
If I go to the browser and manually paste my signedUrl, I can see it says access denied, due to the expiration.
I figured I'd try some other things to see the behavior. I changed my bucket policy to completely private and tried pulling the images just from the S3 URLs and through my browser, it was blocked as expected but, from my application this was working. Then, I tried the same, except from the beta version of my app in the Android play store. Here, the images were behaving as expected. When I blocked public access, they'd disappear, and vice versa.
I ended up uninstalling the local version of my app from my phone, reinstalling it, and now it works as expected with the img not appearing due to the expiration date being in the past. Don't know what was happening there.