CFS: giving short-living token-controlled anonymous access for downloads

In our project we need to provide a ‘file sharing’ and ‘file downloads’ functionality. Like, authorized users (who are owners of files) wants to share file for their anonymous friends. The access is short-lived – say, 5-15 minutes or so. Ideally, the number of downloads should also be controlled, say, no more than three times.

We use CFS packages for file storage.

We thought that the ideal way for doing this is to generate token, save it to mongo, and embed this token into sharing link. BUT, in the ‘download’ allow/deny handler in CFS there is no access to request parameters – only userId and fileDoc.

We definitely want it to be meteor-centric solution (i mean, saving these tokens to nginx configs or whatever is not a good way). What can we do? Should we try to add new package to CFS ecosystem (that overrides/extends allow/deny handlers logic) or is there a one already?

And to say it again: we definitely want to stay inside CFS ecosystem.

Also, about file sizes. It can be anything from tens of KBs to 50-100 MBs.

Yes, i can create server-side route with Picker and control access there. But then i need to handle a lot of other stuff… like download ranges…