1

I’m working on a proof of concept for a personal project and am unsure how to go about handling ‘permissions’ on content that is uploaded into the application.

Problem: In this application users will be able to upload media/files onto the web server. Some content will be public, some content will require the user to be authenticated, and some content will only be shared with specific users (think social media/cloud storage).

I’m not sure how to go about implementing this in an efficient manner…

More information:

    UI      |   Comms   |  Web Server (Linux OS)
------------------------------------------------
Xamarin/web |   JSON    | .NET (mono) + MySQL
  • Assumption: You cannot send images via JSON, as such links to images/files are sent back and forth from the server.
  • RESTful architecture
  • Web Server will run on a Unix based OS (have been using Ubuntu so far)

Questions:

  1. How would I go about ensuring that unauthenticated users cant hotlink to images/files hosted on the server? (htaccess?)
  2. How would I ensure authenticated users cannot access images/files they do not have permission to? (i.e. via hotlinking)

Sorry if this is a silly question, i have very little experience with web based applications.

Improve this question
2
  • If you're serving the content /on/ html pages to the authenticated users i think it would come down to checking referrer tags to make sure requests are coming from your site. There's probably more subtleties to it but from what i understand this is the foundation of all anti-hotlinking systems out there…probably? Commented Mar 17, 2017 at 8:36
  • You can store the files in a folder that's not readable through the browser, or in the database, and use a route to return a blob with a content type after it has authorized the user. This probably isn't very efficient compared to serving from disk, but it's a pretty surefire way of controlling permissions. Commented Mar 17, 2017 at 9:29

1 Answer 1

Reset to default
0

After some further digging I did figure this out, I didn’t quite understand how HTTP request/responses and JWT works. Answering my own question encase it helps anyone else or if anyone can find issues in my logic.

Some background (tho i suspect the pattern is similar regardless of the technologies used); my web-server is using ASP.NET Core and is designed using a RESTful pattern. Once a user is authenticated on the server they receive an encrypted JWT token, this token must be provided to access endpoints that provide user specific resources (i.e images, private data).

The JWT token contains a claim that will allow the server to identify the path to the user’s personal data (this path is located on a non-public location which isn’t accessible externally). Once the token is validated the server will find the resource internally based on the claim and send back file as an image resource (example). This essentially means that the client cannot directly access an image on the web-server, the client must always request a resource from a specific server endpoint.

I suspect this is how other web api’s work based on inspecting the HTTP requests being sent/received for several sites such as Facebook/Foursquare.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.