Feature request: Private/Protected Files #215
Comments
That's correct - all files are considered public if the user has access to their url address. This recently was discussed in - #210. Yes, I'm planning to add support for private/protected files. I'll use this issue and will add it to the roadmap, but for now it is a low priority. Contributions are welcomed, but I'm not sure about the implementation details at the moment, so please feel free to share your idea before proceeding. What I had in mind was to have a new endpoint that users could request to generate short-lived/one-time tokens and pass this token as a query parameter to the file url where in the file serving endpoint we'll have to check if the related file field is protected or not and whether the user has access to it. The access permissions could be defined as an optional input (similar to the collection API rules). Note that we cannot use an authorization header, because it is not sent when requesting the file in a |
If we had cookies for session instead of token then this would become simpler to solve? |
@newbeelearn It depends on a lot of things. In order to pass the authorization token as cookie securely we will need to set at least the So while cookies could solve part of the problem they will also open a whole bunch of other issues that we'll have to take care of. |
Agreed, I think a token is more apt. Nonetheless, a great question @newbeelearn! I am going to think a bit more about implementation details and poke around the code to get a better idea of how this may be accomplished. |
@bnert You could get a general idea how to generate the token and to restrict the file download action by following this example - #254 (comment) The example is using the event hooks, but ideally something like this will be integrated in PocketBase itself with the main difference that instead of checking a single specific profile field, we would check a file API rule but the general idea is the same. |
@ganigeorgiev, thanks for the reference. Really helpful! I'll have some time a couple weeks from now to take a deeper look and write out a design for this feature. |
If using an S3-compatible object storage, why not provide an option in the admin interface to use Signed URLs as the default? They could also provide an expiration time (or go with a 3600 second default). I know in Django the |
Hi,
|
@ferryhtw this likely won't do much because the requester will need to put the JWT in the header of the request and majority of the time requests will be initiated from an img tag's src attribute rather than using an http client like fetch. If there was some sort of token you could attach as a query string and use that to restrict access then that could work. Or it would be cool if Pocketbase could return the file names with some sort of signature (think Signed URLs). |
@ferryhtw Your hook is fine but it requires admin or auth record Private/protected files will be implemented in v0.13/v014. |
@ganigeorgiev - given 0.14 has now dropped, do you anticipate this to make it in 0.15? |
@cayoub88 Yes, it is planned for the next release (there are no ETAs yet). |
Support for private files is implemented in the It works with a short lived (~5min) file token passed as query param with the file url. The SDKs are also updated with a new

```js
const token = await pb.files.getToken()
const url1 = pb.files.getUrl(record, filename1, { token })
const url2 = pb.files.getUrl(record, filename2, { token })
// ...
```

The changes will be shipped with the next v0.15.0 release (there are no ETAs yet). |
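The server-side half of the flow discussed in this thread (a short-lived token in the query string, checked by the file serving endpoint only when the field is protected), as an added example that is not PocketBase's own code. The HMAC token format, the names `MintFileToken`, `VerifyFileToken` and `FileStatus`, the demo key, and the `canView` callback standing in for the collection's View API rule are all assumptions; user ids are assumed to contain no `.`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed demo key (assumption); a real server loads a random secret.
var demoKey = []byte("constructed-demo-key")

func sign(payload string) string {
	m := hmac.New(sha256.New, demoKey)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}
// MintFileToken returns "<userID>.<unixExpiry>.<hmac>" (hypothetical format).
func MintFileToken(userID string, now time.Time, ttl time.Duration) string {
	payload := userID + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return payload + "." + sign(payload)
}
// VerifyFileToken checks the MAC in constant time, then the expiry.
func VerifyFileToken(token string, now time.Time) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", false
	}
	return parts[0], true
}
// FileStatus is the decision the file serving endpoint makes: public fields
// are served as before, protected ones need a valid token and canView(user).
func FileStatus(protected bool, token string, now time.Time, canView func(string) bool) int {
	user, ok := VerifyFileToken(token, now)
	if protected && (!ok || !canView(user)) {
		return 403
	}
	return 200
}
func main() {
	now := time.Unix(1700000000, 0) // constructed timestamp
	tok := MintFileToken("user_a", now, 5*time.Minute)
	fmt.Println(FileStatus(true, tok, now, func(u string) bool { return u == "user_a" }))
}
```

Because the token rides in the URL, the short lifetime is what limits exposure through browser history, logs and referrers; the expiry is covered by the MAC so it cannot be extended by the client.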
I recently discovered PocketBase (while learning SvelteKit) and am incredibly thankful! Related to this particular feature, I’m sure I’m missing something because I seem to have found a way to programmatically access private files without a token - so long as the API rule is respected. I’m working on building an image sharing app, and my desire is that only owners of an image as well as any authorized sharers can view the image. I have an images table where each row contains basic info like description plus a file field. And a When I first implemented this, the file field was unprotected. Thus when an image was displayed for a user, the url could be lifted from the browser and pasted anywhere for public access. However, I then tried protecting the field via the Pocketbase Admin panel, and everything works as I hoped: images still display for users - so long as they are an owner or sharer - AND if you now extract the url from the browser and paste into a browser url, it returns a 403 error. So, this is a long-winded way of asking why didn’t I need to go through the |
I don't understand what you mean. A file being marked "Protected" ensures that only requests that satisfy the View API rule of the collection will have access to the file. |
As the title suggests, are private/protected files currently scoped for 1.0.0 release? I was playing around with the files API, and as of right now, it seems like once files are uploaded they are considered public, unless I have missed something in the docs.
If this feature set is not implemented, are you open to a contribution for this feature?
As an aside, thank you so much for this project. It is AWESOME! 😃