Prevent unauthenticated user access via URL?

Hello,

I would like to move to cloud storage. My app currently serves private assets from a local hard drive, and only for authenticated users (password login + user session).

Using cloud storage, I cannot find a way to prevent an unauthenticated user from accessing a private asset, as my app now generates a URL of the following form:

https://S3_URL(not controlled by me thus problematic)/MY_FILE
  ?X-Amz-Algorithm=XXX
  &X-Amz-Credential=XXX
  &X-Amz-Date=XXX
  &X-Amz-Expires=900
  &X-Amz-SignedHeaders=host
  &X-Amz-Signature=XXX

Anybody having access to this URL can now access the private resource (leakage of data via URL sharing is now possible)

I understand this isn’t a shrine specific problem, I’m mainly confused and looking for advise/ideas on how to prevent this.

Thanks for any feedback

If the expiring URLs don’t provide sufficient security for you, you can use the download_endpoint plugin to stream files through your app (or redirect to S3).

Since this endpoint is mounted in your Rails router, you can then use route-level authentication constraints around it, such as Devise’s #authenticated.

That’s fantastic, thanks! Somehow I missed it in the documentation (sorry).

Have a great day

1 Like