Downloading/streaming files from JS frontend #148
Comments
|
I think the question here is not specific about downloading files but how to handle links to the backend that need authentication. The simplest way is as you propose to create a proxy in the frontend and to not have links to the backend at all. Although downloading directly from the backend would be more efficient. The other option would be to redirect to the frontend's login page. This is something that could be done in the JWT PAS plugin. |
|
True dat. We're going to try the proxy stuff. |
|
@jaroel closing the ticket now. Feel free to re-open if you do not agree. |
|
Adding @sneridagh's comment from #452 here: Impossible to retrieve private images and files from standard GET contents using the token auth Given an standard GET content from a file or image, it returns a download property with the URL of the API server e.g.: but accessing to the image by the browser itself throws a 401, since the resource should be accessed with the token header. You can workarround this by making the request via JS, but it feels highly cumbersome. |
tisto
changed the title
|
When an authenticated user makes requests to URLs like:
an |
|
If the API server is under the same URL, you can. In fact, I think it's the case with the latests additions to p.restapi. (I'll have to double check). But, you'll need to have the API server public too (and so the classic UI). The recommended way is to expose only the ++api++ traversal, as it has a lot of advantages and they are a lot of deployment scenarios where the first premise is not true. Also, by using the proxy your app is only using own server resources and it's easy to manage and to work with, as they are all flattened to one URL (the Volto/NodeJS server one). Also, you'll be relying on two means of authentication, the token one (for RESTAPI calls) and another for images/files/any downloadable resource coming from the backend, being both have to be sync'd. One could argue that the API calls (albeit the latest additions in matter of auth to p.restapi) also can be driven by a cookie, but it misses absolutely the point of the REST auth decoupling. |
@sneridagh I found a situation where, even though the api and the Volto are in the URL, this is not possible. I made the following configuration:
When we authenticate to Volto for the first time, two cookies are created. https://server/the-image/@@images/image can be accessed by the authenticated user. As stated above, the request to this image will be made directly in Plone. If I close the browser, without clicking in Volto exit button, and open the browser again, the In this situation, we are still authenticated since we still have the To avoid this situation, I redirected the So my question is. Why can't we access them, going straight to Plone, when we only have the auth_token cookie? |
|
@wesleybl As you describe, the presence of the old The purpose of As said before, I'd try to stick to the recommended way of work with Volto, which I think it does work in every circumstance if used Volto alone and it's battle tested during the last 5 years. |
|
@sneridagh the fact is that requests to |
So it's not Plone that understands the cookie |
|
@rpatterson your PR #1303 solves the |
|
There are lots of Volto sites, that presumably have no problem here, so I will remove the "blocker" tag (I am going through this list). Feel free to argue otherwise if you think this is a blocker that should hold up a final release or release candidate. |
Hi,
We're building our support system in react using plone.restapi. Now we need to stream large blobs from the backend to the end user.
Say I've got a PDF on /Plone/orgs/projecta/specs/specs_v23_final4.pdf . How would I go about in linking to that file?
I cannot embed the users JWT token in the url, as the enduser will share that link.
And please do not say "encode the file as base64/data uri". The file can be several GBs in size. :)
I could create a route /stream_blob, which acts as a proxy I guess?
The text was updated successfully, but these errors were encountered: