1

I have a bunch of audio files that I want people to be able to listen to. My website has an audio player so that people can listen to them. My audio player looks something like this (though this is simplified):

<audio>
    <source src="https://storage.googleapis.com/my-bucket/my-file.mp3">
</audio>

The problem is that it would take almost no work for someone to just grab all of those MP3 urls and download the files.

Is there a way that I can make it so that it's only accessible for streaming, but not for downloading?

How do sites like SoundCloud handle this problem?

For example, SoundCloud lets you play people's songs. However, when I look in Firefox's Network tab I see that when playing a single song it's sending many requests to different MP3 files such as:

/media/3831430/3943025/c9OpfFFp3iYQ.128.mp3
/media/3192789/3352448/c9OpfFFp3iYQ.128.mp3
/media/3033128/3192788/c9OpfFFp3iYQ.128.mp3

Does anyone know what type of system they have going on there? Is this a common anti-piracy pattern for MP3 files that I could, perhaps, implement?

Pete
  • 7,289
  • 10
  • 39
  • 63
  • 2
    Without deploying authorization, you can only make it harder, but you cannot stop users from being able to download public files. The fact the files contain music makes no difference. Streaming is downloading. – John Hanley Apr 02 '21 at 21:01
  • I'm okay with just making it harder. What would be an example of making it harder? – Pete Apr 02 '21 at 22:05
  • 2
    Search on Stackoverflow. This question has been asked many times. "Harder" is a relative term. No matter what you did, I would just turn on the Chrome debugger or Wireshark and see the URL in 30 seconds. – John Hanley Apr 02 '21 at 22:19
  • Ehh...that's hardly a helpful answer. I've definitely spent some time searching already and come up empty. Also, "harder" is actually objective in this case, since we have a fixed comparison point. If the answer is that no matter what I do you can always download via the Chrome debugger, then the objective answer is that it's not possible to make it harder. If you're familiar with many other duplicate questions you could suggest closing this one as duplicate and link to the duplicate question. – Pete Apr 02 '21 at 23:30
  • 1
    I did not provide an answer. I offered a comment. – John Hanley Apr 03 '21 at 00:30
  • John pretty much said everything about there being no difference between streaming and downloading objects in Cloud Storage. Additionally I have found this information in this question [1]. How about using signed urls [2] with a short expiration time? This other answer [3] contains some options about video streaming without allowing someone else to download the content. [1] https://stackoverflow.com/questions/35949662/video-streaming-from-google-cloud-storage – Antonio Ramirez Apr 06 '21 at 14:17
  • [2] https://cloud.google.com/storage/docs/access-control/signed-urls [3] https://stackoverflow.com/questions/16820483/can-i-make-a-video-stream-not-downloadable-by-using-tricks-inside-the-code – Antonio Ramirez Apr 06 '21 at 14:17

1 Answers1

2

I was hit by the same problem, and I secured my storage bucket from the world by creating a middleware/pass-through service. Now this service has token validation of header and thus wont let your stream until you are authenticated. I used node pipe to achieve this, I hope this help. Here is sample code in js.

const http = require('http');
http.createServer(function(request, response) {
  require('request')
  .get("https://gcpmusicbucket.com/mp3/My-Song-1.mp3")
  .pipe(response); 
})
.listen(3000)
Dharman
  • 30,962
  • 25
  • 85
  • 135
vizsatiz
  • 1,933
  • 1
  • 17
  • 36