diff --git a/packages/rocketchat-file-upload/server/config/GridFS.js b/packages/rocketchat-file-upload/server/config/GridFS.js
index 99496bdae3f8..1dc16f697909 100644
--- a/packages/rocketchat-file-upload/server/config/GridFS.js
+++ b/packages/rocketchat-file-upload/server/config/GridFS.js
@@ -4,9 +4,6 @@ import zlib from 'zlib';
 import util from 'util';
 import { FileUploadClass } from '../lib/FileUpload';
-import { Cookies } from 'meteor/ostrio:cookies';
-
-const cookie = new Cookies();
 const logger = new Logger('FileUpload');
@@ -126,46 +123,15 @@ const readFromGridFS = function(storeName, fileId, file, headers, req, res) {
 }
 };
-const onRead = function(fileId, file, req, res) {
- if (RocketChat.settings.get('FileUpload_ProtectFiles')) {
- let uid;
- let token;
-
- if (req && req.headers && req.headers.cookie) {
- const rawCookies = req.headers.cookie;
-
- if (rawCookies) {
- uid = cookie.get('rc_uid', rawCookies) ;
- token = cookie.get('rc_token', rawCookies);
- }
- }
-
- if (!uid) {
- uid = req.query.rc_uid;
- token = req.query.rc_token;
- }
-
- if (!uid || !token || !RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)) {
- res.writeHead(403);
- return false;
- }
- }
-
- res.setHeader('content-disposition', `attachment; filename="${ encodeURIComponent(file.name) }"`);
- return true;
-};
 FileUpload.configureUploadsStore('GridFS', 'GridFS:Uploads', {
- collectionName: 'rocketchat_uploads',
- onRead
+ collectionName: 'rocketchat_uploads'
 });
 // DEPRECATED: backwards compatibility (remove)
 UploadFS.getStores()['rocketchat_uploads'] = UploadFS.getStores()['GridFS:Uploads'];
 FileUpload.configureUploadsStore('GridFS', 'GridFS:Avatars', {
- collectionName: 'rocketchat_avatars',
- onRead
+ collectionName: 'rocketchat_avatars'
 });
diff --git a/packages/rocketchat-file-upload/server/lib/FileUpload.js b/packages/rocketchat-file-upload/server/lib/FileUpload.js
index 933fad438551..3874f829c546 100644
--- a/packages/rocketchat-file-upload/server/lib/FileUpload.js
+++ b/packages/rocketchat-file-upload/server/lib/FileUpload.js
@@ -4,6 +4,9 @@ import fs from 'fs';
 import stream from 'stream';
 import mime from 'mime-type/with-db';
 import Future from 'fibers/future';
+import { Cookies } from 'meteor/ostrio:cookies';
+
+const cookie = new Cookies();
 Object.assign(FileUpload, {
 handlers: {},
@@ -28,7 +31,16 @@ Object.assign(FileUpload, {
 return `${ RocketChat.settings.get('uniqueID') }/uploads/${ file.rid }/${ file.userId }/${ file._id }`;
 },
 // transformWrite: FileUpload.uploadsTransformWrite
- onValidate: FileUpload.uploadsOnValidate
+ onValidate: FileUpload.uploadsOnValidate,
+ onRead(fileId, file, req, res) {
+ if (!FileUpload.requestCanAccessFiles(req)) {
+ res.writeHead(403);
+ return false;
+ }
+
+ res.setHeader('content-disposition', `attachment; filename="${ encodeURIComponent(file.name) }"`);
+ return true;
+ }
 };
 },
@@ -156,6 +168,25 @@ Object.assign(FileUpload, {
 // console.log('upload finished ->', file);
 },
+ requestCanAccessFiles({ headers = {}, query = {} }) {
+ if (!RocketChat.settings.get('FileUpload_ProtectFiles')) {
+ return true;
+ }
+
+ let { uid, token } = query;
+
+ if (!uid && headers.cookie) {
+ uid = cookie.get('rc_uid', headers.cookie) ;
+ token = cookie.get('rc_token', headers.cookie);
+ }
+
+ if (!uid || !token || !RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)) {
+ return false;
+ }
+
+ return true;
+ },
+
 addExtensionTo(file) {
 if (mime.lookup(file.name) === file.type) {
 return file;
diff --git a/packages/rocketchat-file-upload/server/lib/requests.js b/packages/rocketchat-file-upload/server/lib/requests.js
index 175397de6fdb..7a47c0496e81 100644
--- a/packages/rocketchat-file-upload/server/lib/requests.js
+++ b/packages/rocketchat-file-upload/server/lib/requests.js
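Review bot: In `requestCanAccessFiles` (third hunk of FileUpload.js) the query-string fallback `let { uid, token } = query;` reads parameters named `uid` and `token`, while the code it replaces in GridFS.js and requests.js read `req.query.rc_uid` and `req.query.rc_token` and the cookie branch two lines below still uses the `rc_` names, so a request that authenticates via `?rc_uid=…&rc_token=…` without cookies is now rejected with 403. The destructuring should keep the existing parameter names: `let { rc_uid: uid, rc_token: token } = query;`. The lookup order is also reversed relative to the removed code (query first, cookie only when `uid` is absent), which looks harmless but deserves a one-line comment if intended, and the stray space in `headers.cookie) ;` should go. A short JSDoc on the method — returns true when `FileUpload_ProtectFiles` is off, otherwise requires a uid/token pair from query or cookie that `findOneByIdAndLoginToken` accepts — would help callers outside this file such as the handler in requests.js. The `Object.assign(FileUpload, {` literal enclosing these hunks starts and ends outside them.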
@@ -1,11 +1,4 @@
 /* globals FileUpload, WebApp */
-import { Cookies } from 'meteor/ostrio:cookies';
-
-let protectedFiles;
-
-RocketChat.settings.get('FileUpload_ProtectFiles', function(key, value) {
- protectedFiles = value;
-});
 WebApp.connectHandlers.use(`${ __meteor_runtime_config__.ROOT_URL_PATH_PREFIX }/file-upload/`, function(req, res, next) {
@@ -15,43 +8,16 @@ WebApp.connectHandlers.use(`${ __meteor_runtime_config__.ROOT_URL_PATH_PREFIX }/
 const file = RocketChat.models.Uploads.findOneById(match[1]);
 if (file) {
- if (!Meteor.settings.public.sandstorm && protectedFiles) {
- let rawCookies;
- let token;
- let uid;
- const cookie = new Cookies();
-
- if (req.headers && req.headers.cookie != null) {
- rawCookies = req.headers.cookie;
- }
-
- if (rawCookies != null) {
- uid = cookie.get('rc_uid', rawCookies);
- }
-
- if (rawCookies != null) {
- token = cookie.get('rc_token', rawCookies);
- }
-
- if (uid == null) {
- uid = req.query.rc_uid;
- token = req.query.rc_token;
- }
-
- if (!(uid && token && RocketChat.models.Users.findOneByIdAndLoginToken(uid, token))) {
- res.writeHead(403);
- res.end();
- return false;
- }
+ if (!Meteor.settings.public.sandstorm && !FileUpload.requestCanAccessFiles(req)) {
+ res.writeHead(403);
+ return res.end();
 }
 res.setHeader('Content-Security-Policy', 'default-src \'none\'');
-
 return FileUpload.get(file, req, res, next);
 }
 }
 res.writeHead(404);
 res.end();
- return;
 });
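Review bot: The new 403 branch in the second hunk returns via `return res.end();` before `res.setHeader('Content-Security-Policy', ...)` runs, so rejected requests leave this handler without the CSP header that served files carry; moving `res.setHeader('Content-Security-Policy', 'default-src \'none\'');` to be the first statement inside `if (file)` keeps every response from the handler uniform. The `!Meteor.settings.public.sandstorm` condition is carried over from the removed code but is now the only thing that skips `FileUpload.requestCanAccessFiles(req)`, and the reason Sandstorm deployments bypass the token check is not visible in this diff — a one-line comment stating it (after confirming it) would save the next reader a search. The connect handler enclosing this hunk starts in the first hunk, and `match` is defined outside the shown lines.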