3

Situation: I run a Django app on the web, where logged-in users can also download .pdf files (non-public, with specific restrictions, depending on user rights). The most convenient way to do so (e.g. in S3) is to use a time-restricted, pre-signed URL because they open immediately in the browser, plus the app server does not have to handle additional traffic.

Problem: Backblaze B2 obviously does not offer an explicit method for creating presigned URLs to download non-public files directly in the browser. Generating the API URL and the authorization token, and fetching the file from the object store happens at the app server level and the process is not exposed to the "ordinary" user.

But in the end, the API operation "b2_download_file_by_name" just uses a GET request, which means I can add the authorization token to the request's URL using "?Authorization=123xyz........". This way I get a presigned URL that works perfectly fine in the browser to allow access to a specific non-public file for a limited time. (Please note: B2 downloads can be restricted to files with specific prefixes [like s3 pseudo-folders], but if the specified "prefix" is long enough, I can make the auth token specific for one file.)

Question: As I wrote above, usually the authorization token is not exposed to the user. Now, if I make the URL visible, does this imply a security risk? In other words, could a user who possesses one or many tokens extract the general access key from the token, or is the token encrypted well enough to avoid this?

Gabriel Devillers

1 Answer

6

According to the documentation for the b2_download_file_by_name call you can use the download authorization in a URL in the way you describe.

> An authorization token can be provided in the URL query string instead of being passed in the HTTP header. An account authorization token obtained from b2_authorize_account will allow access to all files in a private bucket. A download authorization token obtained from b2_get_download_authorization will allow access to files whose names begin with the filename prefix used to generate the download authorization token.

However, it seems that the expiry time set in the b2_get_download_authorization call is being ignored, so the resulting URL never expires, which is not secure of course. I have a support ticket in with B2 about this, so hoping for a solution.

Adrian Jones
  • Did you ever get an answer for this? – Srivats Shankar May 28 '19 at 07:15
  • 1
    Hi Srivats. I still have an open ticket in with B2 about this. Are you seeing the same issue? I really hope they can fix it as their service looks good and has competitive pricing. – Adrian Jones May 29 '19 at 08:12
  • Unfortunately, no. From what I can gather they currently do not support this. I even went through version 2 of their API that was released recently. For the time being there would still need to be a server to proxy the request at the very least. But I will definitely drop an update if I hear anything. And I definitely agree, barring this one feature the price point makes the entire offer amazing! – Srivats Shankar May 29 '19 at 13:36
  • 2
    Just had an update from Backblaze support and they have just fixed the expiring link issue. Works exactly as it should now. – Adrian Jones Jun 28 '19 at 06:45
  • Wow! I will check this out. Will drop back if I see any update – Srivats Shankar Jun 28 '19 at 08:02
  • 3
    Just confirmed! The function `b2_get_download_authorization` now works as expected! The string expires as you require. – Srivats Shankar Jun 28 '19 at 08:15
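The URL construction discussed in this thread, as an added example that is not code from the question, the answer or Backblaze. The function names are hypothetical and the host, bucket and token values are constructed; the HTTP call to `b2_get_download_authorization` itself is left to the app server and only its request body is built here.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# B2 documents validDurationInSeconds as 1..604800 (one week).
MAX_TTL_SECONDS = 604800


def download_auth_request(bucket_id, file_name, ttl_seconds):
    """Build the JSON body for b2_get_download_authorization for one file."""
    if not 1 <= ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("validDurationInSeconds must be between 1 and 604800")
    if not file_name or file_name.endswith("/"):
        raise ValueError("pass a full file name, not a folder-style prefix")
    # The token covers every object whose name BEGINS with this prefix, so
    # "a/report.pdf" also covers "a/report.pdf.bak" if such an object exists.
    return {
        "bucketId": bucket_id,
        "fileNamePrefix": file_name,
        "validDurationInSeconds": ttl_seconds,
    }


def presigned_url(download_url, bucket_name, file_name, token):
    """Build the b2_download_file_by_name URL with the token in the query."""
    path = quote(f"/file/{bucket_name}/{file_name}", safe="/")
    return f"{download_url.rstrip('/')}{path}?Authorization={quote(token, safe='')}"


def redact_token(url):
    """Mask the Authorization value before the URL is written to a log."""
    parts = urlsplit(url)
    query = [
        (key, "REDACTED" if key == "Authorization" else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values, not real B2 identifiers.
    name = "invoices/user 42/report.pdf"
    print(download_auth_request("BUCKET_ID_PLACEHOLDER", name, 300))
    url = presigned_url("https://f000.example.invalid", "my-bucket", name, "tok=abc/123")
    print(redact_token(url))
```

Because the token travels in the query string, it ends up wherever URLs are recorded (browser history, proxy and server logs), which is why the short validity period and the log redaction matter.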