Is it possible to remove the public access to the URL (https:///files//) that gets automatically created when I save a file to Parse? I would like to secure the access to these files but can’t quite determine how to go about this.
Thanks,
Frank
2 Likes
What is the file adapter that you are using? What is the rule you want to implement?
I’m using the default GridStoreAdapter so a couple of collections are automatically generated for the storage in my MongoDB (fs.files and fs.chunks).
I’m just trying to prevent someone from potentially guessing the file URL and accessing it via a web browser. The URL of https://myserver.com/files/myappname/....myfile.txt is just wide open for viewing and if the data happens to need to be secured this option won’t work.
Since there is a random component in the file name, it is really hard for someone to guess the file name. There is no built-in solution to add protection layer to these files. How would you want to differentiate the user that has access to the one that does not have? You can try to write an Express.js middleware in order to add some custom logic. One idea could be the generation of temp links.
Thanks. That makes sense and I figured that would be the case. I’ll try a different approach or add the middleware option.
How would you feel about a secureFileOption in parse server config, which enforces X-Parse-Session-Token to match with a _File object saved in the DB with ACLs?
For this option, there would have to be a .getData() function for the SDKs (as you’ve mentioned, accessing the URL wouldn’t work as headers wouldn’t get passed through), which returns a base64 string from the server to be rendered as an image / file.
The .getData function would only return fileData if session, ACL, CLP, etc are validated.
Or, maybe even a temporary token passed to the url, that expires 5 min after each time the Parse.File is requested.
1 Like
I have discussed some ideas with @cbaker6 on how to improve the files security. Basically we have two different ideas:
- generate temporary links for certain files
- verify session token in the getData function for certain files (it would not work for s3 adapter when directAccess is set to true)
I personally prefer serving files directly from S3 bucket. Implementing session token for files will require files to be proxied by parse server which is an extra load-headache for server.
I personally try to keep file url secure first. If user is able to get file url then let them see.
Also if you plan to proxy all files through parse server, then maybe a file trigger would be great. Like beforeGetFile, afterGetFile … just an example
What do you think about encrypting the image under the link with the parent objectID as key (user profile id for example)? The encryption would happen on the client side before uploading…
That way even if someone would guess the direct URL, he would access the encrypted image and she would see nothing. Only the real user accessing it through app would know to what user/object ID it belongs and therefore would know encryption key. The encryption itself does not need to be extremely secure and costly (depending on your needs)…
1 Like