I am trying to integrate Uppy into a website and am using Tus in conjunction with it in order to get resumable file uploads. I am currently using tusd as the server and am using its hooks feature in order to check against a SQL database to determine whether or not to accept the upload, among other things such as keeping track of which user uploaded a particular file by storing the upload ID in the database.
I was wondering if there was a way to perform these types of checks when accessing files on the endpoint, not just uploading. The reasoning behind wanting to do this is to prevent users who didn’t upload a particular file as well as logged-out users from accessing other users’ potentially sensitive files.
One of the thoughts I had was to create a PHP script and use rewrites in Apache and use it to check if the user has rights to the file against the database before sending them to the file they are trying to access, although I’ve been having a hard time getting this to work properly, especially while still wanting to be compatible with file uploads, as I’m not sure as to how Uppy communicates with the tusd endpoint and if rewrites could potentially cause issues.
My question to you all is, what would be the best approach to implementing a solution that would allow me to limit access to files on the Tus endpoint? I’m curious as to whether or not any of you have attempted the same thing.
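The ownership check described in the post, sketched as an added example (not code from the poster or from tusd): a Go `net/http` wrapper placed in front of the upload endpoint that checks only GET requests and passes every other method through unchanged. The `owners` map, the `X-Demo-User` header, `sessionUser` and `StatusFor` are assumptions standing in for the SQL table, the site's session handling and the real tusd upstream.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Constructed sample data: upload ID -> uploader, standing in for the SQL table
// that the post fills from the tusd hooks.
var owners = map[string]string{"upload-aaa": "alice", "upload-bbb": "bob"}

// sessionUser is a hypothetical stand-in for the site's session lookup. Demo only:
// a real deployment reads the server-side session, not a client-supplied header.
func sessionUser(r *http.Request) string { return r.Header.Get("X-Demo-User") }

// GuardDownloads checks ownership on GET only; POST, HEAD, PATCH and the other
// upload requests reach next unchanged.
func GuardDownloads(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			user := sessionUser(r)
			if user == "" {
				http.Error(w, "login required", http.StatusUnauthorized)
				return
			}
			// Unknown ID and someone else's ID get the same 404, so IDs cannot be probed.
			if owner, ok := owners[path.Base(r.URL.Path)]; !ok || owner != user {
				http.NotFound(w, r)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one request through the guard in front of a stub upstream
// (stand-in for tusd) and returns the status code the client would see.
func StatusFor(method, url, user string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, url, nil)
	if user != "" {
		req.Header.Set("X-Demo-User", user)
	}
	rec := httptest.NewRecorder()
	GuardDownloads(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(StatusFor("GET", "/files/upload-aaa", "alice"), StatusFor("GET", "/files/upload-aaa", "bob"))
}
```

The guard fails closed: a GET for an ID with no row in the ownership table is refused rather than forwarded.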