Secure Media Library asset URL

t-davidson · January 7, 2021, 5:42pm

System Information

Strapi Version:
Operating System:
Database:
Node Version:
NPM Version:
Yarn Version:

I want to secure my media library library assets behind a JWT authorization. Any thoughts on the best way to have the Admin Tool media library and content builder use custom Image tags that would pass through a Bearer token in the header?

kouroshtajalliepour · January 7, 2021, 6:12pm

hi i dont get what your problem is my friend can you explane a little bit more about what are you trying to do ?

t-davidson · January 7, 2021, 7:14pm

Thanks for the response.
What I want to do is lock down the assets in the media library with JWT. They are hosted on S3 and they will require a Bearer token in order for you to access the asset. The S3 upload provider works well to upload the assets to this bucket easy enough. The issue I am having is with the Strapi Admin tool. It appears to me that both the media library and the content builder plugins use standard tags to display the images. I would like ultimately like to use a custom React component (or a better solution if there is one) to pass through the auth header in the image request.

kouroshtajalliepour · January 8, 2021, 9:55am

if you mean u want to protect your public assets something like /public route that if someone sends a request to it it would return an array with all of your media information like the image url this is something you can do and Strapi gives you the ability in the roles and permissions plugin . but i think you want to do something that your user wont be able to download an specific image or video without being authenticated or buying it . well unfortunately that is something you cant do . if there was a way to do that Hollywood would definitely do it. what your users see they can download as well . but if you want to prevent the unauthenticated users from seeing an image well you can lock the route that returns the content type with the image inside it.
let me know if I got it right . and if I did let me know if it was helpful or not <3

t-davidson · January 8, 2021, 6:59pm

Just to keep it simple is that yes I want to lock the route that returns the image assets stored in the media library. The question is what is the best way to customize the Strapi Admin Tool to pass along the credentials in the header of the image requests.

kouroshtajalliepour · January 17, 2021, 6:15am

hey im sorry to replay late i hope you have figured it out by now . the best way to lock the ROUTE would be in the settings/roles and that is something that is done by default . so that if a user sends a get request to /uploads it will return a response with a status of 403 . the get request to /uploads will return your whole media library . what you want is something you cant do. if i try to fetch /uploads/thespicificimage it will always return the image . but if you want to have some image private (for example you want to sell them) i suggest you create a content type that includes the image but the image is a private field that wont be returned in the api request . and then you can overwrite the find function for your content type so that if the user has payed for the image it should be returned in the api request . if you dont know how to do it i can explain how to do that as well