Question

I’m working on a proof of concept for a personal project and am unsure how to go about handling ‘permissions’ on content that is uploaded into the application.

Problem: In this application users will be able to upload media/files onto the web server. Some content will be public, some content will require the user to be authenticated, and some content will only be shared with specific users (think social media/cloud storage).

I’m not sure how to go about implementing this in an efficient manner…

More information:

    UI      |   Comms   |  Web Server (Linux OS)
------------------------------------------------
Xamarin/web |   JSON    | .NET (mono) + MySQL
  • Assumption: You cannot send images via JSON; as such, links to images/files are sent back and forth from the server.
  • RESTful architecture
  • Web Server will run on a Unix based OS (have been using Ubuntu so far)

Questions:

  1. How would I go about ensuring that unauthenticated users can't hotlink to images/files hosted on the server? (htaccess?)
  2. How would I ensure authenticated users cannot access images/files they do not have permission to? (i.e. via hotlinking)

Sorry if this is a silly question, I have very little experience with web based applications.


Solution

After some further digging I did figure this out; I didn't quite understand how HTTP requests/responses and JWT work. Answering my own question in case it helps anyone else or if anyone can find issues in my logic.

Some background (though I suspect the pattern is similar regardless of the technologies used): my web server is using ASP.NET Core and is designed using a RESTful pattern. Once a user is authenticated on the server they receive an encrypted JWT token; this token must be provided to access endpoints that provide user specific resources (i.e. images, private data).

The JWT token contains a claim that will allow the server to identify the path to the user's personal data (this path is located in a non-public location which isn't accessible externally). Once the token is validated the server will find the resource internally based on the claim and send back the file as an image resource (example). This essentially means that the client cannot directly access an image on the web server; the client must always request a resource from a specific server endpoint.

I suspect this is how other web APIs work, based on inspecting the HTTP requests being sent/received for several sites such as Facebook/Foursquare.
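The pattern the answer describes (no direct URLs to files; one authenticated endpoint that validates a JWT, reads a claim, and streams the file from a directory outside the web root) in runnable form. This is an added, constructed example and not the poster's ASP.NET Core code: it is written in plain Python so it runs without a framework, the HS256 signing, the secret key, the `FILES` catalogue, the temporary private directory and the `get_file` handler are all assumptions made for the demo, and it extends the answer slightly by covering all three visibility levels from the question (public, any authenticated user, specific users), which is what "shared with specific users" needs beyond a per-user claim.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
import time

# Assumption: HS256 signing key. A real deployment loads this from configuration, never source.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl: int = 3600) -> str:
    """Issue an HS256 JWT whose 'sub' claim identifies the user (an ID, not a filesystem path)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str):
    """Return the claims dict if signature, algorithm and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse 'none' and any other algorithm the server did not choose
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong number of segments
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Constructed storage: a directory outside the web server's document root, so nothing
# in it is reachable by URL; the only way to a file is through get_file() below.
PRIVATE_ROOT = os.path.realpath(tempfile.mkdtemp())

# Constructed catalogue (stands in for the MySQL table): opaque file id -> metadata.
FILES = {
    "f1": {"owner": "alice", "name": "avatar.png", "visibility": "public", "shared_with": set()},
    "f2": {"owner": "alice", "name": "party.jpg", "visibility": "authenticated", "shared_with": set()},
    "f3": {"owner": "alice", "name": "tax.pdf", "visibility": "private", "shared_with": {"bob"}},
}

for _meta in FILES.values():  # write the constructed files into the private directory
    _dir = os.path.join(PRIVATE_ROOT, _meta["owner"])
    os.makedirs(_dir, exist_ok=True)
    with open(os.path.join(_dir, _meta["name"]), "wb") as _f:
        _f.write(b"fake " + _meta["name"].encode())


def check_access(file_id: str, user) -> int:
    """Authorisation decision as an HTTP status: 200 allowed, 401 login needed, 404 otherwise."""
    meta = FILES.get(file_id)
    if meta is None:
        return 404
    if meta["visibility"] == "public":
        return 200
    if user is None:
        return 401  # anonymous hotlink to a non-public file
    if meta["visibility"] == "authenticated":
        return 200
    if user == meta["owner"] or user in meta["shared_with"]:
        return 200
    return 404  # authenticated but not permitted: 404 so the file's existence is not leaked


def get_file(file_id: str, authorization=None):
    """Simulates GET /files/{id} with an optional 'Authorization: Bearer <jwt>' header.
    Returns (status, body)."""
    user = None
    if authorization is not None:
        if not authorization.startswith("Bearer "):
            return 401, b""
        claims = verify_token(authorization[len("Bearer "):])
        if claims is None:
            return 401, b""
        user = claims["sub"]
    status = check_access(file_id, user)
    if status != 200:
        return status, b""
    meta = FILES[file_id]
    # The path comes from the server-side catalogue, never from the request or the token;
    # the realpath check is defence in depth against a bad catalogue entry.
    path = os.path.realpath(os.path.join(PRIVATE_ROOT, meta["owner"], meta["name"]))
    if not path.startswith(PRIVATE_ROOT + os.sep):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()
```

Two design choices worth noting. The token carries a user ID and the server looks the file up in a catalogue, so a crafted claim cannot point at an arbitrary path in the private directory; and sharing with specific users is a per-file list checked on every request, not something encoded in the token, so revoking a share takes effect immediately rather than when the token expires.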

Licensed under: CC-BY-SA with attribution