How do you limit files download to authenticated users only?

How do you limit file download to authorised users only, even if they have a direct link?

I am working on app with options to upload files and share them among users, but my challenge is that a user can access the file without signing in, if they have the link or file path. I want to limit file access to only those who are logged in so that I can control who can see what file.

How can I achieve that in Phoenix? An example would be helpful.

Use mix phx.gen.auth and have a look at the files it generated.

To clarify, do you want:

  • Unauthorized users can view but not download
  • Unauthorized users cannot view or download

If you want the second option, then its pretty straight forward as you can just make authorized routes in the router.

If you run mix.gen.auth you will get something like the below in the router.

  scope "/", AppWeb do
    pipe_through [:browser, :require_authenticated_user]
  
    live_session :require_authenticated_user,
      on_mount: [{AppWeb.UserAuth, :ensure_authenticated}] do

Routes within the above scope will get automatically redirected if the user fails to pass the UserAuth requirements.

If you want the first option, to allow users to view content but not download it, I’d assume it would be more of an Nginx type thing or whatever you choose to use.

You need to serve your uploaded files through a controller, not plug static. You also need to persists metadata along side your uploads, for authorization purpose, like user_id, and more if You want a more granular access.

In the controller, You will be able to check who is allowed to access your data, and use send_download.

3 Likes

You can continue using Plug.Static by doing something similar as in this article.
We have recently done this in an app, create the static pipeline, then combine it with a plug that does the authentication.

  pipeline :static do
    plug :accepts, ["html"]
    plug MyAppWeb.Plugs.Authenticate

    plug Plug.Static,
      at: "/help",
      from: {__MODULE__, :pages_path, []}

    plug :needs_index
  end

  scope "/help", MyAppHelpWeb do
    pipe_through :static
    get "/*path", HelpController, :index
  end

the :needs_index plug just checks to see if we are asking for a path instead of a file, and tags on index.html.
The controller renders a 404, because we only get there if the file doesn’t exist.

1 Like

This is what I was looking for. I ended up having a controller that looks like this

defmodule MyAppWeb.DownloadController do
  use MyAppWeb, :controller

  @upload_storage_path Application.get_env(:my_app, :uploads_folder)
  def download(%{assigns: %{current_user: user}} = conn, %{"file_id" => file_id}) do
    actor = get_user(user)

    case my_app.Files.get_file(file_id, actor: actor) do
      {:ok, file} ->
        path = get_download_path(file)
        send_download(conn, {:file, path})

      {:error, %Ash.Error.Query.NotFound{}} ->
        conn
        |> put_flash(:error, "The file you are looking for does not exist.")
        |> redirect(to: ~p"/files")
    end
  end

  def get_download_path(file) do
    Path.join(
      Application.app_dir(:my_app, @upload_storage_path),
      Path.basename(file.storage_path)
    )
  end
end