2

I got my application written in Flask (Python 3.6) and running on EB.

I need to implement content editor which will allow to upload files on server and I would like to store them on s3. Most of uploaded files will be available on after login in my app.

Question is how to handle security of such files?

Should I use my application as middleware and check if user is logged and if so, then download file from S3 in my backend and return it to user as standard Flask response?

Or better idea is to generate presigned urls with expiration date?

Problem with presigned urls is that I will lose browser-side caching for my files, which I would like to keep (most of files are images, so it's unnecessary to redownload it every time).

Also second problem is that this url is not bind in any way with user logged in my app, so basically this presigned url can be used by anyone until it expires.

Right now I got legacy code implemented in first way:

Blejwi
  • 123
  • 3
  • 1
    Are all of the files intended to be accessible by any authenticated user, or does each user need access to a different set of files? – Michael - sqlbot Oct 05 '17 at 01:10
  • Unfortunately not every authenticated user has access to every file. Some of users don't have access to some parts of the system. – Blejwi Oct 05 '17 at 06:13

1 Answers1

2

Facebook does something similar to the "presigned URL" - their image CDN doesn't check for authentication, nor is it on the same domain so it can't even get the Facebook session cookie if it wanted to - instead they use the URL as a key (the URL is only ever shown to the authenticated user). It seems to be working out just fine for them so I don't see any issue with using that approach in your project.

André Borie
  • 12,706
  • 3
  • 39
  • 76