Protect /uploads/ folder for non-logged in users

System Information
  • Strapi Version: 4.10.5
  • Operating System: Windows Server 2019
  • Database: MySQL
  • Node Version: 18.13.0
  • NPM Version: 8.19.3
  • Yarn Version: -


I found this to protect my /uploads folder:

In the documentation they are talking about policyContext.state.user:

But when I am trying to use it then it returns undefined in:

```js
const koaStatic = require("koa-static");
const { defaultsDeep } = require("lodash/fp");

const defaults = {
  maxAge: 60000,
  defaultIndex: true,
};

module.exports = (plugin, config) => {
  const { defaultIndex, maxAge } = defaultsDeep(defaults, config);

  // Register the catch-all static route with a policy attached
  strapi.server.routes([
    {
      method: "GET",
      path: "/(.*)",
      handler: koaStatic(strapi.dirs.static.public, {
        maxage: maxAge,
        defer: true,
      }),
      config: {
        auth: false,
        policies: [
          async (policyContext, config, { strapi }) => {
            if (policyContext.state.user) { // if a session is open
              // go to next policy or reach the controller's action
              return true;
            }

            return false; // If you return nothing, Strapi considers you didn't want to block the request and will let it pass
          },
        ],
      },
    },
  ]);

  return plugin;
};
```

Basically, what I am trying to achieve is that /uploads/ can only be directly accessed if the user is logged in.

I think the best solution is something like GitHub - beavis07/strapi-provider-upload-clamav-proxy: Strapi file upload virus and image sanitisation plugin
where you basically add a proxy in between to deny the request if it does not come from the right place.
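
A gate of the kind both posts are after, as an added example that is not part of the thread or of Strapi's code: the route above sets `auth: false`, which makes Strapi skip the authentication step that would fill `state.user`, so this Koa-style middleware verifies the bearer token itself before the static handler serves anything under /uploads/. The secret, the HS256 `{ id, iat, exp }` token shape, and the names `isUploadsPath`, `verifyHs256`, `authorizeUpload`, `protectUploads` and `signHs256` are assumptions made for the example.

```javascript
const nodeCrypto = require("node:crypto");
const nodePath = require("node:path");

// Decode, normalise and lower-case so /%75ploads/, /./uploads/ or /Uploads/ cannot bypass.
function isUploadsPath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return true; } // fail closed
  const p = nodePath.posix.normalize(decoded.replace(/\\/g, "/")).toLowerCase();
  return p === "/uploads" || p.startsWith("/uploads/");
}

// Assumption (added example): tokens are HS256 JWTs. Returns the payload or null.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const [h, p, sig, extra] = String(token).split(".");
  if (!h || !p || !sig || extra !== undefined) return null;
  let payload;
  try {
    if (JSON.parse(Buffer.from(h, "base64url")).alg !== "HS256") return null; // pin alg
    payload = JSON.parse(Buffer.from(p, "base64url"));
  } catch { return null; }
  const want = nodeCrypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const got = Buffer.from(sig, "base64url");
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) return null;
  if (payload === null || typeof payload !== "object") return null;
  return typeof payload.exp === "number" && payload.exp <= now ? null : payload;
}

// Gate decision: 200 lets the request continue to koa-static, 401 stops it.
function authorizeUpload(rawPath, authorizationHeader, secret, now) {
  if (!isUploadsPath(rawPath)) return { status: 200, user: null };
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || "");
  const payload = m && verifyHs256(m[1], secret, now);
  return payload ? { status: 200, user: { id: payload.id } } : { status: 401, user: null };
}

// Koa middleware; mount it ahead of the static file handler.
const protectUploads = (secret) => async (ctx, next) => {
  const { status, user } = authorizeUpload(ctx.path, ctx.get("authorization"), secret);
  if (status !== 200) { ctx.status = status; ctx.body = "Unauthorized"; return; }
  if (user) ctx.state.user = user;
  return next();
};

// Constructed demo helper: sign a sample token with a made-up secret.
function signHs256(payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${body}.${nodeCrypto.createHmac("sha256", secret).update(body).digest("base64url")}`;
}
```

A plain `<img src>` request carries no Authorization header, so clients have to fetch protected files with the header set, or the gate has to read a session cookie instead.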