1

I have to build a project where users will login and upload some images and videos, and it should be such that the files uploaded should only be visible by the uploader or the site admin.

I main Node.js, so i tried using express middle wares to restrict the media files by user, but it came to my notice that this isn't the best way to handle this as express isn't good at rendering static content.

Here are some options i can think of after some google sessions

  • Amazon S3 bucket where each user gets their own folder/permissions and files no into this (but are the files truly private when we have a url)
  • Generate a temporary URL of the files using pre-signed URLs from S3 bucket ( the file will be public for 20 min, i don't want this)
  • Restrict access on Nginx ( again i don't know if Nginx can access the database and authenticate the request it got)
  • Use GridFS with mongoDB? (i will probably not use this, but wanna see if this can be a solution)

is there any other way to do this?

Syed Faizan
  • 901
  • 3
  • 14
  • 28
  • Your content is not static if it depends on who is logged in. The simpliest way is to write your own code that checks privileges and then loads the file from the disk. There's nothing wrong in writing your own file loading code in node.js or any other language. You should worry about performance **only** when it becomes an issue. – freakish Dec 22 '16 at 16:48

2 Answers2

1

The most elegant way would be to politely ask them to refrain for accessing other people content.

I'm not sure it would be the most effective way, though.

Seriously, though, I would suggest using express.static middleware together with Passport or something to implement authentication and permissions. You're not "rendering" any static content here. You're just streaming files straight from the disk.

rsp
  • 107,747
  • 29
  • 201
  • 177
  • can `express.static` manage the load even when the users are in a couple of thousands? (not simultaneously tho) – Syed Faizan Dec 22 '16 at 20:15
  • @syedfaizan I don't see why it couldn't. See [this answer](https://stackoverflow.com/questions/40788599/how-many-client-does-http-server-can-handle/40789071#40789071) where I did some tests with `http-server` and I got 10000 **simultaneous** connections with no problems. I don't think `express.static` would be any different here. – rsp Dec 27 '16 at 18:28
1

Each user is given a unique ID where content (files & videos etc) is referenced in part by this ID such that clients are given access only to their ID content

User logs in, nodejs pairs that user with their unique ID as retrieved from mongodb. No need to offload this to nginx. Where you stow the content is independent of this logic. Could be a local filesystem, mongo, S3, etc ...

Avoid putting username or ID into any URL, its redundant, server maintains this knowledge internally. No need to muddy up URL. For example Amazon AWS has this URL when I interact with my private content

https://console.aws.amazon.com/route53/home?#resource-record-sets:ZAHKXPA7IKZ8W

See it just shows the content ID which is unique to my username's resources. Goal is to minimize clutter in URL.

Alternatively, in the world of sharing resources, like on flicker, here the URL does give username and resource ID https://www.flickr.com/photos/okinawa-soba/31419099190/in/photostream/ In your case even if someone picks up the URL of another's content the server must reject since its not authorized to muck with another's content

Scott Stensland
  • 26,870
  • 12
  • 93
  • 104
  • that works too... what if the url looks like `/:username/:filename` and i configure a `GET` route and add a middleware checking the session and also the username in the route(same as session). that should work fine too right? – Syed Faizan Dec 22 '16 at 20:18