How do you limit file download to authorised users only, even if they have a direct link?
I am working on app with options to upload files and share them among users, but my challenge is that a user can access the file without signing in, if they have the link or file path. I want to limit file access to only those who are logged in so that I can control who can see what file.
How can I achieve that in Phoenix? An example would be helpful.
If you want the second option, then its pretty straight forward as you can just make authorized routes in the router.
If you run mix.gen.auth you will get something like the below in the router.
scope "/", AppWeb do
pipe_through [:browser, :require_authenticated_user]
live_session :require_authenticated_user,
on_mount: [{AppWeb.UserAuth, :ensure_authenticated}] do
Routes within the above scope will get automatically redirected if the user fails to pass the UserAuth requirements.
If you want the first option, to allow users to view content but not download it, I’d assume it would be more of an Nginx type thing or whatever you choose to use.
You need to serve your uploaded files through a controller, not plug static. You also need to persists metadata along side your uploads, for authorization purpose, like user_id, and more if You want a more granular access.
In the controller, You will be able to check who is allowed to access your data, and use send_download.
You can continue using Plug.Static by doing something similar as in this article.
We have recently done this in an app, create the static pipeline, then combine it with a plug that does the authentication.
pipeline :static do
plug :accepts, ["html"]
plug MyAppWeb.Plugs.Authenticate
plug Plug.Static,
at: "/help",
from: {__MODULE__, :pages_path, []}
plug :needs_index
end
scope "/help", MyAppHelpWeb do
pipe_through :static
get "/*path", HelpController, :index
end
the :needs_index plug just checks to see if we are asking for a path instead of a file, and tags on index.html.
The controller renders a 404, because we only get there if the file doesn’t exist.
This is what I was looking for. I ended up having a controller that looks like this
defmodule MyAppWeb.DownloadController do
use MyAppWeb, :controller
@upload_storage_path Application.get_env(:my_app, :uploads_folder)
def download(%{assigns: %{current_user: user}} = conn, %{"file_id" => file_id}) do
actor = get_user(user)
case my_app.Files.get_file(file_id, actor: actor) do
{:ok, file} ->
path = get_download_path(file)
send_download(conn, {:file, path})
{:error, %Ash.Error.Query.NotFound{}} ->
conn
|> put_flash(:error, "The file you are looking for does not exist.")
|> redirect(to: ~p"/files")
end
end
def get_download_path(file) do
Path.join(
Application.app_dir(:my_app, @upload_storage_path),
Path.basename(file.storage_path)
)
end
end