Ooh. I missed that. I will look at connect's static. Somebody really ought to write a book on this stuff, but the book would have to be huge!

On Feb 18, 2012 11:12 AM, "tjholowaychuk" <[email protected]> wrote:
> connect's static() has security stuff built-in, so you can just use
> the session and a small middleware before static() to determine via
> database etc if they're allowed to access that file
>
> On Feb 18, 10:07 am, Avi Deitcher <[email protected]> wrote:
> > Played trivial pursuit with the kids today, it came up, I got the answer!
> >
> > On Sat, Feb 18, 2012 at 8:05 PM, C. Mundi <[email protected]> wrote:
> > > @deitcher: yeah. That's where I'm headed now. I really messed myself up
> > > looking for something complicated when all I needed was to send a file.
> > > BTW...Dylan is always a good example. :)
> > > On Feb 18, 2012 10:04 AM, "deitch" <[email protected]> wrote:
> > >
> > >> Yeah, I would do that. However, I would not store the files that way,
> > >> because what if one file (dylan.mp3) is accessible to three users? So
> > >> I would do
> > >>
> > >> Files: /some/private/dir/music/files/dylan.mp3 (or some other naming
> > >> convention)
> > >> Path: /downloads/:user/:musicfile
> > >>
> > >> You *cannot* get to /some/private/dir/music/files/ directly by URL,
> > >> only to /downloads/:user/:musicfile, which first checks that the user
> > >> is authenticated to /downloads/:user, then checks if :musicfile is
> > >> allowed for user, and if it is, then fetches the file from its true
> > >> path.
> > >>
> > >> On Feb 18, 3:57 am, Edward Smith <[email protected]> wrote:
> > >> > I would put them in a directory not accessible by clients, and have node
> > >> > route urls with specific hashes, for each file for each user. The route
> > >> > could be something like /$user/download/$hash (anything with a $ in front
> > >> > of it will vary based off of user). The combination of $user and $hash
> > >> > should be stored in a database so you can find out if it is valid and what
> > >> > file it should be. Then send the file.
> > >> >
> > >> > I have never implemented something like this, but this is how I would
> > >> > probably do it.
> > >> >
> > >> > On Fri, Feb 17, 2012 at 5:45 PM, C. Mundi <[email protected]> wrote:
> > >> > > This is obviously a solved problem. I don't want to reinvent the wheel.
> > >> > >
> > >> > > Imagine a digital music store. I have a set of static files which I need
> > >> > > to serve only to authenticated users. So the set of accessible files
> > >> > > depends on the user. How do I let each user get the files she is entitled
> > >> > > to and no other files?
> > >> > >
> > >> > > Bad Idea 1: security by obscurity: hide the files behind query strings
> > >> > > generated on the fly for session.user in the form of nasty looking hard to
> > >> > > guess hashes. Ugly hack and vulnerable to brute force hash collision.
> > >> > > Yuck!
> > >> > >
> > >> > > Bad Idea 2: set up an instance of node-static.Server() for each
> > >> > > authenticated session, specifically serving a directory created on the fly
> > >> > > for that session and containing symlinks to all (and only) files for which
> > >> > > session.user has privileges. The main server would redirect requests for
> > >> > > files to the ad hoc static server. Kludgus maximus!
> > >> > >
> > >> > > Good Idea: what you tell me. :)
> > >> > >
> > >> > > --
> > >> > > Job Board: http://jobs.nodejs.org/
> > >> > > Posting guidelines:
> > >> > > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> > >> > > You received this message because you are subscribed to the Google
> > >> > > Groups "nodejs" group.
> > >> > > To post to this group, send email to [email protected]
> > >> > > To unsubscribe from this group, send email to
> > >> > > [email protected]
> > >> > > For more options, visit this group at
> > >> > > http://groups.google.com/group/nodejs?hl=en?hl=en
