Client makes request to server passing back auth token, server verifies auth token and uses the S3 library to generate a unique 1 time use URL for upload directly to the client. Client makes a put request to the s3 url. After it's finished s3 revokes the URL.

Multipart signed upload is much harder and requires signing every chunk.

Just google s3 signed upload there are a few tutorials from Amazon.