Secure /uploads file

How to enable authenticated access only for files uploaded in /uploads folder?

This topic has been created from a Discord post (1226849199421657138) to give it more visibility.
It will be on Read-Only mode here.
Join the conversation on Discord

Have you had a look at Roles for the user and authentication plugin?

the files themselves? not really possible as it would require proxying those files through the strapi application to layer authentication on them.

Yeah, we have RBAC but we can’t connect our auth guard to it

Yes <@211722558385553408>. We wanna add an authentication layer to files itself.

The only solution here is to proxy all requests of /uploads/* via nginx to one of our controllers to check authentication?

Ehhhh Strapi was not really built to do that, your really need a DAM solution for stuff like that (Digital Asset Management system).
With some providers you can enable the private bucket support (S3 compatible upload providers) which can issue signed URLs but completely locking down the assets is not really going to be easy nor advised.

What kind of files are you storing, why do they need auth?

Right, I think I undesrtand the question now.
I built a wrapper object for each upload. I have a middleware in place ehich runs everytime an upload is created. So this is assigned to an owner.
When retrieving uploads I have a policy in place to look up the asset and the owner.
It is really painful but it is the only way I found to solve this issue.

That doesn’t protect the file <@789522672098607115> it protects the API record for it

given this example is for S3:

That’s how Strapi works right now, you can auth the endpoints but not the files themselves when you fetch them, to do that you’d need to do something like this:

for the vast majority of users this solution is far from optimal because it completely makes CDNs pointless which is why if were ever to implement this (unlikely) it wouldn’t be default as it would massively increasing performance cost and decrease asset loading speed

We’re not allowed to use 3rd-party cloud storage, we can only store the files in the server itself that’s why we’re using local upload provider for this

We’re storing IDs and Selfies of users for KYC <@211722558385553408>

Is the proxy via nginx is a sound solution for this? <@211722558385553408>

Not that I’m aware of no, nothing that would be even remotely easy.