What’s the correct way to serve certain assets to the client, only if that client is logged in as a user?
I’m new to web dev, and am using Phoenix & Elixir to learn server-side skills. As part of a small project, I’m trying to show a subset of images to the user, pulled from a larger fixed set of images. The particular subset requested by the client changes via some JavaScript & LiveView each time a particular button is pressed.
So far, so good - I’ve been able to set that up. The full, fixed set of images all live in my priv folder, and the JS changes the URL of the image tags’ src attribute accordingly - thus, the required images are served as static files.
But I’d like this feature, and any of this particular superset of images, to only be available if the user is logged in. I’ve added the standard auth features from phx.gen.auth and, combined with LiveView, added the particular page this feature lives on to be scoped under the require_authenticated_user plug etc. But I can’t seem to find how/if I can scope certain static file paths (or, rather, the entire folder of all these paths and subpaths) to be piped through the require_authenticated_user plug. I’ve looked online, but found little, and tried experimenting. Maybe I’m going about this wrong though, and it can’t be done?
My other option would be to store all these assets in my database, and have LiveView send them as data to the client, for the JS to display them as images. And it seems this would provide greater security, as what I’m ideally looking for is to hide the assets as much as possible from everything except the client-side JS, so that, say, even when logged in, the user couldn’t simply navigate to the URL of a particular image as an HTTP request, and then save that image.
But I sensed that serving images like this via my Postgres DB would be much more inefficient for several reasons (and so far, my reading has suggested that to be true) - but I’m a beginner, so can’t say for sure?
Is there a correct procedure for serving certain assets behind a layer of auth security?
Many thanks for all your time and help!
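One way to do what the question asks, as an added example that is not part of the original post and not generated code from phx.gen.auth: the reason router-level plugs never see the static requests is that Plug.Static runs in the endpoint, before the router, so anything under priv/static is served unauthenticated. The example below moves the gated images out of priv/static and serves them from a controller that sits behind the same :require_authenticated_user pipeline as the LiveView page. The application name (:my_app), module namespace (MyAppWeb), route prefix (/protected-images) and directory (priv/protected_images) are assumptions; the phx.gen.auth plug name :require_authenticated_user is the one the generator produces.

```elixir
# Added example (not from the original post). Assumes a phx.gen.auth app
# namespaced MyApp / MyAppWeb, and that the gated images have been moved out
# of priv/static (served unauthenticated by Plug.Static in the endpoint,
# before the router runs) into priv/protected_images.

# --- lib/my_app_web/router.ex (excerpt) --------------------------------
#
#   scope "/", MyAppWeb do
#     pipe_through [:browser, :require_authenticated_user]
#
#     # "*path" captures every segment after /protected-images/ as a list,
#     # so subfolders of the image set work without listing each one.
#     get "/protected-images/*path", ProtectedImageController, :show
#   end

# --- lib/my_app_web/controllers/protected_image_controller.ex ---------
defmodule MyAppWeb.ProtectedImageController do
  use MyAppWeb, :controller

  # Only these extensions are ever served; anything else is a 404.
  @allowed_ext ~w(.png .jpg .jpeg .gif .webp)

  def show(conn, %{"path" => segments}) when is_list(segments) and segments != [] do
    root = Application.app_dir(:my_app, "priv/protected_images")

    # Join first, then sanitise: a single URL-decoded segment may itself
    # contain "/" or "..", so traversal is checked on the joined string.
    requested = Path.join(segments)

    # Path.safe_relative/1 (Elixir 1.14+) returns :error for absolute paths
    # and for any ".." that would climb above the root, so a request for
    # ../../config/config.exs cannot reach outside priv/protected_images.
    with {:ok, relative} <- Path.safe_relative(requested),
         full = Path.join(root, relative),
         true <- String.downcase(Path.extname(full)) in @allowed_ext,
         true <- File.regular?(full) do
      conn
      # charset nil: images carry no charset parameter
      |> put_resp_content_type(MIME.from_path(full), nil)
      # keep shared caches (CDN, proxies) from storing an authenticated response
      |> put_resp_header("cache-control", "private, no-store")
      |> send_file(200, full)
    else
      # Same response for "escaped root", "bad extension" and "missing":
      # the status code should not reveal which check failed.
      _ -> send_resp(conn, 404, "Not found")
    end
  end

  def show(conn, _params), do: send_resp(conn, 404, "Not found")
end
```

In the templates the img src then points at /protected-images/<relative path> instead of the old static URL; the browser sends the session cookie with the request, the :browser pipeline loads the current user, and :require_authenticated_user redirects anyone who is not logged in. This gates the images behind login; it does not stop a logged-in user from saving one, because anything the browser can render it can also download (devtools, or curl with the session cookie), and that is equally true of bytes pushed through LiveView from the database. Keeping the files on disk and using send_file is also considerably cheaper than reading blobs out of Postgres and pushing them over the socket.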