Authentication for accessing files

Hello,

I am trying to integrate Uppy into a website and am using Tus in conjunction with it in order to get resumable file uploads. I am currently using tusd as the server and am using its hooks feature in order to check against a SQL database to determine whether or not to accept the upload, among other things such as keeping track of which user uploaded a particular file by storing the upload ID in the database.

I was wondering if there was a way to perform these types of checks when accessing files on the endpoint, not just uploading. The reasoning behind wanting to do this is to prevent users who didn’t upload a particular file as well as logged out users from accessing other users’ potentially sensitive files.

One of the thoughts I had was to create a PHP script and use rewrites in Apache and use it to check if the user has rights to the file against the database before sending them to the file they are trying to access, although I’ve been having a hard time getting this to work properly, especially while still wanting to be compatible with file uploads, as I’m not sure as to how Uppy communicates with the tusd endpoint and if rewrites could potentially cause issues.

My question to you all is, what would be the best approach to implementing a solution that would allow me to limit access to files on the Tus endpoint? I’m curious as to whether or not any of you have attempted the same thing.

Thank you!

Hello there, apologies for my delayed response. I hope I am still able to help you.

First of all, tusd is not engineered to be a downloading service. This can be seen in the fact that it has no functionality for caching, partial downloads or authentication for downloads. Therefore, I would encourage you to see if you can download the files from your underlying data storage (e.g. disk, AWS S3) directly and avoid going through tusd.

Anyways, if you still want authentication for tusd downloads you would have to use a proxy, such as Apache, as you already mentioned. I have to admit that I am not very experienced in Apache, so I cannot give you concrete hints, but rewriting the URLs and then passing the request through PHP seems like a system which can easily break. Did you have a look at the authentication/authorization modules for Apache (Authentication and Authorization - Apache HTTP Server Version 2.4)? The mod_authn_dbd and mod_authz_dbd look interesting since they use a SQL database for looking up information about the users.

A small tip for that: tus uploads only use the POST, HEAD and PATCH methods for HTTP. Downloads use the GET method. So if you restrict your rewrites to GET requests, it should not interfere with the uploads.
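To make the tip above concrete, here is an added example (not code from tusd, Uppy or either poster) of a small reverse proxy in front of tusd that applies an ownership check only to GET requests and forwards the tus methods (POST, HEAD, PATCH) untouched. Go is used because tusd itself is written in Go and the standard library already ships a reverse proxy. Assumptions: tusd listens on its default 127.0.0.1:1080 with the default /files/ base path, the site identifies a logged-in user through a cookie named "session", and the in-memory `Owners` map stands in for the SQL table the question fills from tusd's hooks (upload ID to owning user). All IDs, users and tokens in the code are constructed sample values.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Owners stands in for the SQL table described in the question: the upload ID
// recorded by the tusd hook, mapped to the user who created it. This in-memory
// version is a constructed stand-in, not a database client.
type Owners struct {
	mu sync.RWMutex
	m  map[string]string
}

func NewOwners() *Owners { return &Owners{m: make(map[string]string)} }

func (o *Owners) Set(uploadID, user string) {
	o.mu.Lock()
	defer o.mu.Unlock()
	o.m[uploadID] = user
}

func (o *Owners) Lookup(uploadID string) (string, bool) {
	o.mu.RLock()
	defer o.mu.RUnlock()
	user, ok := o.m[uploadID]
	return user, ok
}

// Sessions maps a "session" cookie value to a username. This is an assumption
// for the example; a real site resolves the cookie against its own session store.
type Sessions map[string]string

// uploadID extracts <id> from /files/<id> (tusd's default base path is /files/).
// Exactly one path segment is accepted, so "/files/" and nested paths are rejected.
func uploadID(path string) (string, bool) {
	const prefix = "/files/"
	if !strings.HasPrefix(path, prefix) {
		return "", false
	}
	id := strings.TrimPrefix(path, prefix)
	if id == "" || strings.Contains(id, "/") {
		return "", false
	}
	return id, true
}

// Authorize returns the HTTP status the gate should answer with, or 0 when the
// request may be forwarded to tusd. Only GET (downloads) is checked; the tus
// upload methods (POST, HEAD, PATCH) are forwarded untouched so Uppy keeps working.
func Authorize(r *http.Request, sessions Sessions, owners *Owners) int {
	if r.Method != http.MethodGet {
		return 0
	}
	id, ok := uploadID(r.URL.Path)
	if !ok {
		return http.StatusNotFound
	}
	cookie, err := r.Cookie("session")
	if err != nil {
		return http.StatusUnauthorized // logged-out users get nothing
	}
	user, ok := sessions[cookie.Value]
	if !ok {
		return http.StatusUnauthorized // unknown or expired session
	}
	owner, ok := owners.Lookup(id)
	if !ok || owner != user {
		return http.StatusForbidden // unknown upload, or somebody else's file
	}
	return 0
}

// NewGate wraps a reverse proxy to tusd with the download check above.
func NewGate(tusd *url.URL, sessions Sessions, owners *Owners) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(tusd)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status := Authorize(r, sessions, owners); status != 0 {
			http.Error(w, http.StatusText(status), status)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// tusd's default listen address; the ID, user and token below are constructed
	// sample values standing in for rows of the real database.
	tusd, err := url.Parse("http://127.0.0.1:1080")
	if err != nil {
		log.Fatal(err)
	}
	owners := NewOwners()
	owners.Set("constructed-upload-id", "alice")
	sessions := Sessions{"constructed-session-token": "alice"}
	log.Fatal(http.ListenAndServe(":8080", NewGate(tusd, sessions, owners)))
}
```

Point Uppy at the gate (port 8080 here) instead of at tusd directly, so every request passes through it. The proxy denies a download with 401 when there is no valid session and with 403 when the session's user is not the recorded owner, and it forwards everything that is not a GET. Note that HEAD deliberately passes through so the tus client can resume uploads, which means tusd's HEAD response (upload offset and length) is still reachable by anyone who holds an upload ID; if that metadata is sensitive, the same ownership check can be applied to HEAD for uploads that are already complete.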