0

I'm working on a tool that will eventually allow users to purchase and download files from the web. I am wondering how to go about hosting the downloadable files safely/securely so that unauthorized users aren't able to download the files without purchasing them first.

Users would purchase the file from the website and then have access to the downloadable file for as long as they need.

This is a two-part question:

  1. How can I go about making sure paid files aren't downloaded by unauthorized people? and
  2. How should I handle the authentication for checking if a user can download a paid file?

For the first question, I am guessing that I store the files in a hashed directory name so that guessing would be near impossible? Would an S3 server be a good solution here? What concerns do I need to be aware of in this regard?

For the second question, I'm guessing that I can create a table in the database that stores purchases that associate a user to a file, like so:

purchases table
   -> id
   -> hash (unique purchase identifier)
   -> user (foreign key)
   -> file (foreign key)
   -> ...other stuff here like timestamp, etc...

... and then using the application check that the user made the purchase, so the URL to the download would be:

http://www.example.com/something/download/sd9f7u23ihosd8087603/

...which would then search for a record that has the hash sd9f7u23ihosd8087603 and make sure it exists and that it is associated with the current user. Then from there, direct them to the file on the filesystem...

Is this a good way to go? Is there a superior solution? I'm sure I am missing details here...


The application is written in Django, if that has any bearing on the issue. Another note is that there will be both free and paid downloads available on the site.

Note: this question is similar to what I am asking: Having Django serve downloadable files

Dana Woodman

1 Answer

-1

What if...

1) Store the files in a directory that is not directly accessible by Apache.

2) In your "Purchase a file" view, create a user-specific symlink (using your hashes) which points to the actual file, and redirect to allow Apache to serve the file via the symlink.

3) Run a cron job that deletes symlinks after x hours of being created.

Gert Steyn
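
The three steps in the answer above, as an added example that is not part of the original answer: standard-library Python in which an in-memory SQLite table stands in for the question's purchases table. The function names, directory names and sample row are assumptions made for illustration; the random per-download link name and the check that the stored file name stays inside the protected directory are additions to what the answer describes.

```python
import os
import secrets
import sqlite3
import tempfile
import time

def issue_link(db, user_id, purchase_hash, protected_dir, public_dir):
    """Return a per-download symlink name, or None if this user has no such purchase."""
    row = db.execute("SELECT file FROM purchases WHERE hash = ? AND user = ?",
                     (purchase_hash, user_id)).fetchone()
    if row is None:
        return None  # unknown hash, or a purchase that belongs to another user
    root = os.path.realpath(protected_dir)
    target = os.path.realpath(os.path.join(root, row[0]))
    # Refuse stored names that resolve outside the protected directory.
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return None
    token = secrets.token_urlsafe(32)  # per-download name, not the purchase hash
    os.symlink(target, os.path.join(public_dir, token))
    return token

def purge_links(public_dir, max_age_seconds, now=None):
    """Cron-style cleanup: delete symlinks older than max_age_seconds."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(public_dir):
        path = os.path.join(public_dir, name)
        # lstat reads the link's own timestamp, not the target file's.
        if os.path.islink(path) and now - os.lstat(path).st_mtime > max_age_seconds:
            os.unlink(path)
            removed += 1
    return removed

def demo():
    """Constructed sample data: one purchase by user 1, then a request by user 2."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases (hash TEXT UNIQUE, user INTEGER, file TEXT)")
    db.execute("INSERT INTO purchases VALUES ('sd9f7u23ihosd8087603', 1, 'report.pdf')")
    with tempfile.TemporaryDirectory() as base:
        protected, public = os.path.join(base, "protected"), os.path.join(base, "public")
        os.mkdir(protected)
        os.mkdir(public)
        with open(os.path.join(protected, "report.pdf"), "wb") as fh:
            fh.write(b"paid content")
        owner = issue_link(db, 1, "sd9f7u23ihosd8087603", protected, public)
        other = issue_link(db, 2, "sd9f7u23ihosd8087603", protected, public)
        with open(os.path.join(public, owner), "rb") as fh:
            served = fh.read()
        purged = purge_links(public, 3600, now=time.time() + 7200)
        return other, served, purged, os.listdir(public)
```

Only public_dir would be exposed by the web server; the purchase hash is checked against the logged-in user before any link is created, so knowing someone else's hash is not enough to obtain a link.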