@Edward: that's a hybrid of my original idea (hashes in paths) and what I'm doing now: sending a file from a private directory via a route middleware authentication. Since I no longer rely on hashes for (in)security-by-obscurity, I can actually use any unique id in the URL, like an on-the-fly integer enumeration.

On Feb 18, 2012 8:48 AM, "Edward Smith" <[email protected]> wrote:
> I would put them in a directory not accessible by clients, and have node route URLs with specific hashes, for each file for each user. The route could be something like /$user/download/$hash (anything with a $ in front of it will vary based off of user). The combination of $user and $hash should be stored in a database so you can find out if it is valid and what file it should be. Then send the file.
>
> I have never implemented something like this, but this is how I would probably do it.
>
> On Fri, Feb 17, 2012 at 5:45 PM, C. Mundi <[email protected]> wrote:
>
>> This is obviously a solved problem. I don't want to reinvent the wheel.
>>
>> Imagine a digital music store. I have a set of static files which I need to serve only to authenticated users. So the set of accessible files depends on the user. How do I let each user get the files she is entitled to and no other files?
>>
>> Bad Idea 1: security by obscurity: hide the files behind query strings generated on the fly for session.user in the form of nasty looking, hard to guess hashes. Ugly hack and vulnerable to brute force hash collision. Yuck!
>>
>> Bad Idea 2: set up an instance of node-static.Server() for each authenticated session, specifically serving a directory created on the fly for that session and containing symlinks to all (and only) files for which session.user has privileges. The main server would redirect requests for files to the ad hoc static server. Kludgus maximus!
>>
>> Good Idea: what you tell me. :)
>>
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to [email protected]
>> For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
