0

I'm studying different technologies to create an API for a multi plateform application. This application has to give the possibility to users to share a file with a friend without authentication, but the URL has to be unguessable so the file keep secret. Juste like sharing picture feature in google photos.

Spring boot is one of the most interesting framework to create a multi plateform API, but I'm wondering if it's possible to create a secret and unguessable URL.

Thank you for your time.

error
  • 926
  • 3
  • 10
  • 19
  • 3
    If you put a random UUID (128-bit hexadecimal String) in the path to get the resource, you can pretty much assume that people won't be able to guess them. – Jeremy Grand May 10 '17 at 13:15

1 Answers1

1

To answer your question : you can organize your URLs path with some random hard-to-guess part (eg https://hostname/fileshare/Zak/myVideos/295223cb464d4e4794b93a09a1c730fd) UUIDs are 128 bits data and pretty much standard.

Another way would be to add a checksum token in the queryString : https://hostname/fileshare/Zak/myVideos/lolcat.mp4?h=187515ZEDwhere the token is generated from the url path (and possibly even the queryString) with some secure algorithm (for exemple hmac256) and have your Controller (or better, a Filter) check if the h parameter is indeed equal to the hashed path.

EDIT : further explanation :

I'm assuming you've already got (or at least intend to have) a controller capable to serve content based on a file system directory. In my previous example, I assumed something of the likes /Zak/myVideos/. Spring controllers can easily return files in this directory by their filenames, but if the filename are easy to guess (eg video.mp4), I understand that /Zak/myVideos/video1.mp4 would be vulnerable. That's why I suggested to use UUIDs.

How to use UUIDS ?

If you can rename the files in /Zak/myVideos, simply rename them by random UUIDs and it will work transparently. The drawside to this is 1) the filenames won't mean anything anymore and 2) you're maybe not able to rename those files.

You can also have a DB table referencing filenames and UUIDs, and simply have your controller call a service to retrieve the correct filename from the correct UUID. The drawside to this is that you'd need to have a DB and write some code (and slow down API calls to query the DB).

That's why I also suggested to simply use a token. The url would still be the litteral path to your file, but require an additional parameter (the token) in the queryString. A servletRequestFilter could check whether the token is valid or not (with a simple hash + check algorithm) before granting access to the controller serving the file. This way, you won't need to rename your files nor create a DB.

Community
  • 1
  • 1
Jeremy Grand
  • 2,300
  • 12
  • 18
  • Thank you Jeremy but i was wondering if there is a native way to do it with spring. Like for example Spring Security for authentication and securing URL. – error May 10 '17 at 15:39
  • You can natively generate random UUIDs with java using `java.util.UUID.randomUUID()`, that's why i suggested it. As you did not explained how the files would end up on your server, I don't think I can help you any further in generating URLs. – Jeremy Grand May 10 '17 at 16:27
  • I think that using a token is better to give to users the possibility of revoking it after a delay. Thank you for your time Jeremy – error May 11 '17 at 09:41
  • Yes, you can actually put the logic you want behind the token. – Jeremy Grand May 11 '17 at 09:42