asset-rack
Serving Private Images from S3.
I want to use S3 to serve users' private images from S3. I know that's kind of possible. But what I want to know is how I can authenticate the user before serving him these images. One more thing I want to clarify regarding how asset-rack works. I want to know, when the files are served from S3, are they stored anywhere on the server (in my case it would be EC2)? If they are stored in temporary files or something, I would like to know.
I'd like to add this feature. Currently they are all public.
Here's the offending line:
https://github.com/techpines/asset-rack/blob/master/lib/rack.coffee#L157
Might just need to add an option to make them private.
One thing to note is that if the url has the md5sum attached then it is fairly well obfuscated for a lot of use cases.
Yeah... I agree that the md5sum attached helps, but still I would like to be able to do custom authentication before allowing access. Can't you declare something similar to a middleware that runs before asset-rack takes over?
So you can use express middleware to authenticate requests for assets in asset-rack. Asset-rack itself is just express middleware.
But that is all beside the point. If you have a lot of user images, which it sounds like you do, and these images are really more like data for your application, then you would be better off storing them on S3 and storing a reference to them in your database. Then pull them down and push them up to S3 using the amazon aws-sdk for Node.
I'm the one who recommended Asset Rack at http://stackoverflow.com/questions/17516820/serving-files-stored-in-s3-in-express-nodejs-app. What I should have made clearer is to look at Asset Rack as an example of how to implement fingerprinting so that all images can be cached permanently. But if you want images to only go to properly authenticated users (rather than relying on some form of security through obscurity, as Facebook does with random photo URLs), then you will want to put Express and something like everyauth or passport in between you and S3. I recommend using Knox for storing the files, and not allowing the files to be publicly readable. And I would implement fingerprinting just like Asset Rack does here: https://github.com/techpines/asset-rack/blob/master/lib/asset.coffee#L200