shahryarjb
Downloading with user token
Hello, I am creating a LMS that lets the user to download file. The user need the file should send me his token and after validating I let him download whatever he needs.
Now how can I stop user from downloading directly? because files are uploaded by admin in ftp, and ftp path is in my server
I don’t know where I can start?
Thanks
Most Liked
cnck1387
To protect files in the past (and will be likely how I will do it in an upcoming Phoenix app) would be similar to how I do it with other tech stacks. I let nginx deal with it for the most part, while still doing authentication / authorization within Phoenix.
I’d keep the protected files outside of the main static assets folder.
Then have an “internal” location block in my nginx config like this:
location /supersecrets/download/ {
internal;
alias /supersecrets/;
}
Then for the download route at the Phoenix level, I’d authorize the download with a token and before I send the response, I’d set the Content-Disposition, X-Accel-Redirect and Content-Type headers which basically tells Phoenix to let nginx serve the file.
Here’s what that looks like in Python:
response.headers['Content-Disposition'] = "attachment; filename=foo.zip"
response.headers['X-Accel-Redirect'] = '/supersecrets/download/foo.zip'
response.headers['Content-Type'] = 'application/octet-stream'
Of course you can change foo.zip to whatever file you’re serving.
I used this exact strategy like 5 years ago to serve a bunch of protected content and it held up very well.
wolfiton
You can start by storing your files in your application in the assets folder then add authorization that only one type of user can download unlimited that file(ex: admin can download but user can’t).
If this scenario doesn’t work, then you can create a field in the user tables called plan. When a user pays you update the plan to paid. Then create a rule that only users with a paid plan can download files.
If you want to be even more specific then you will have to create another table with all the files structure like this:
- id
- file_name
Then create a join between the user tables with the files tables and verify each user to what file they belong
Also you will have to setup a payment system paypal stripe etc.
Also this link may provide some help Phoenix file download
outlog
I would “proxy” the download through phoenix..
user buys product - you persist purchase in DB
user hits /download_file/#{file_id}
phoenix verifies the login/session and purchase and then reads the file (or streams it) and sends it to the user
if you have multiple files just show a list of files and then the user can download on /download_file/#{file_id}
that way the user never gets a direct link and if the user shares the link /download_file/#{file_id} - the “stranger” clicking it will fail on having a session/logged in - and will fail on the purchase.. so it doesnt work..
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









