Disable S3 presigned when custom domain is set

[BasixKOR]

Describe the bug
I have set up a custom domain for S3 which is an CDN cache with AWS authentication enabled, but Authentik generates an presigned URL, causing it to fail.

To Reproduce
Steps to reproduce the behavior:

1. Get a free trial on BunnyCDN.
2. Connect your S3 bucket as an origin for new CDN.
3. Configure the CDN to enable S3 Authentication.
4. Use S3 bucket as an media backend, with AUTHENTIK_STORAGE__MEDIA__S3__CUSTOM_DOMAIN set to BunnyCDN instance earlier.
5. See error

Expected behavior
Authentik should not include the signature, or provide an option to disable it.

Screenshots

If applicable, add screenshots to help explain your problem.

Logs
The error is on client-side; there are no relevant server log.

Version and Deployment (please complete the following information):

• authentik version: 2024.12.1
• Deployment: docker-compose

Additional context
I wasn't sure if this is a bug report or a feature request; feel free to move to either category.

[rissson]

Presigned URLs are the only way authentik can authenticate those accesses. Granted, for application icons it doesn't really matter if they are public, but we shouldn't assume they should always be. Furthermore, I don't think you need a CDN for the amount of access that those will get.