Wednesday, 5 September 2018

Serving images only to users that are members of a group in node/express api

I have done a lot of searching and I am struggling with coming up with the best way to serve images to users who are a member of a specific group, while protecting those images from other users/non-users.

Using node/express/mongodb

For example:

User0, User1, and User2 are members of GroupA.

GroupA is a collection of images/other data.

User0, 1, 2 should be able to upload images to this group, and also fetch them, but the paths to the images should not be made public and/or viewable to outsiders.

I'm not sure of the most efficient way of doing this. My current idea is to do it as such:

User0 uploads an image to the group. The relative path of the image on the server is saved in an object with an id in the DB along with the other group data.

User0 makes a GET request to the server for that group's data, the user gets back a JSON response of the group's data, but instead of a direct path to the image, gets the API endpoint to fetch the image. For example '/api/:groupid/:imgid'

A request to '/api/:groupid/:imgid' will validate that the user is permitted to view that image, and the image is sent back using 'res.sendFile'

Does this seem like the correct approach? It feels a bit cumbersome/awkward to me. Is there a more elegant way of doing this?

Thanks!

Submitted September 06, 2018 at 06:12AM by ebawho
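
The flow described in the post (an endpoint at '/api/:groupid/:imgid' that checks membership before calling 'res.sendFile'), as an added example that is not part of the original post. Assumptions: the in-memory Maps are constructed sample data standing in for the MongoDB collections, `UPLOAD_ROOT` is a hypothetical directory outside anything served by `express.static`, `req.user` is set by earlier authentication middleware, and `requireLogin` is a hypothetical name for that middleware.

```javascript
// Added example: Express-style handler for GET /api/:groupid/:imgid.
// UPLOAD_ROOT is an assumed path; keep it outside any express.static directory.
const UPLOAD_ROOT = '/srv/app/private-uploads';

// Constructed sample data standing in for the MongoDB group and image documents.
const groups = new Map([
  ['groupA', { members: new Set(['user0', 'user1', 'user2']) }],
  ['groupB', { members: new Set(['user3']) }],
]);
const images = new Map([
  ['img1', { groupId: 'groupA', relPath: 'groupA/9f2c.jpg' }],
  ['img2', { groupId: 'groupB', relPath: 'groupB/41ab.png' }],
]);

// Pure decision function, so the access rule can be tested without HTTP.
function authorizeImage(userId, groupId, imgId) {
  if (!userId) return { status: 401 };
  const group = groups.get(groupId);
  const image = images.get(imgId);
  // The image must belong to the group named in the URL; checking only
  // membership of :groupid would let a groupA member request /api/groupA/img2.
  const allowed = Boolean(
    group && image && image.groupId === groupId && group.members.has(userId)
  );
  // Same 404 for "does not exist" and "not a member", so ids cannot be probed.
  if (!allowed) return { status: 404 };
  return { status: 200, relPath: image.relPath };
}

function serveGroupImage(req, res) {
  const userId = req.user && req.user.id; // assumed: set by auth middleware
  const decision = authorizeImage(userId, req.params.groupid, req.params.imgid);
  if (decision.status !== 200) return res.sendStatus(decision.status);
  // Keep shared caches and proxies from storing a member-only image.
  res.set('Cache-Control', 'private, no-store');
  // The root option confines the stored relative path to UPLOAD_ROOT.
  return res.sendFile(decision.relPath, { root: UPLOAD_ROOT });
}

// Wiring in an Express app (requireLogin is a hypothetical auth middleware):
// app.get('/api/:groupid/:imgid', requireLogin, serveGroupImage);
```

The JSON returned for a group would then carry only '/api/groupA/img1'-style URLs, never `relPath`.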
