Filepicker.io with Meteor: how to return an actual asset rather than a link to the asset


#1

I’m using filepicker.io with a Meteor application and am working on security for my application. Filepicker provides support for creating and signing policies, but with the server side of Meteor I feel like creating expiring policies for each user requesting a file is overkill.

What I would like to do is provide the user an indirect link to a file. The server intercepts this request with a server-side route (iron-router); the server then checks if the user has permissions for the file via a Files collection with metadata about said file.

As I have it now, if the user has access I would provide them a file link with the signature and policy as parameters to that link. Instead I would prefer to only return the image or file asset and no link at all. E.g. the server side would access the file or image over a link that only the server knows, but the server would stream that file or image to the client without sharing the actual link to the file.

The intended code looks something like the following, where I don’t really know what to do at the end:

    @route "file",
      path: "/file/:_id"
      where: "server"
      action: ->
        if @request.cookies.meteor_login_token
          user = Meteor.users.findOne( 
               {"services.resume.loginTokens.hashedToken": 
               Accounts._hashLoginToken(@request.cookies.meteor_login_token)}
          )
        if user
          # the files collection has metadata about each file
          # these files are uploaded through filepicker
          # this includes file.url, which is the actual link
          file = share.Files.findOne(
             {_id: @params._id, accessibleBy: user._id}
          )
          if not file 
            @response.writeHead(403)
            @response.end()
            return
          else
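            # return the file/image from filepicker,
            # e.g. file.url without actually returning the url
            @response.end()
        else
          # no valid login token: refuse rather than leave the request unanswered
          @response.writeHead(403)
          @response.end()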

Can this be done, and if so how? I also posted this question to Stack Overflow if anyone would like the solution to be marked there.
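
One way to do the server-side relay asked about above, as an added example that is not part of the original post: the server fetches `file.url` itself and pipes the bytes to the client, forwarding no upstream header that could reveal the link. The function names and the `www.filepicker.io` allow-list entry are assumptions, as is Node 18+ for the global `fetch`.

```javascript
// Added example, not the poster's code. `res` is the Node http.ServerResponse (@response).

// Assumption: hosts the stored file.url values may point at. Adjust to your account.
const ALLOWED_HOSTS = new Set(["www.filepicker.io"]);

// Refuse anything that is not HTTPS on an expected host, so a tampered
// file.url in the collection cannot make the server fetch arbitrary addresses.
function isAllowedUpstream(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
  } catch (err) {
    return false; // not a parseable absolute URL
  }
}

// Build the headers the client sees. Only Content-Type is copied from upstream;
// Location, Set-Cookie and the like are dropped because they can reveal the real URL.
function clientHeaders(upstreamHeaders) {
  return {
    "content-type": upstreamHeaders.get("content-type") || "application/octet-stream",
    "cache-control": "private, no-store", // per-user content: keep it out of shared caches
    "x-content-type-options": "nosniff",
  };
}

// Fetch the asset server-side and relay the bytes; the URL never leaves the server.
async function streamAsset(upstreamUrl, res, fetchImpl = fetch) {
  if (!isAllowedUpstream(upstreamUrl)) {
    res.writeHead(502);
    return res.end();
  }
  let upstream;
  try {
    upstream = await fetchImpl(upstreamUrl);
  } catch (err) {
    upstream = null; // network failure: never echo err.message, it can contain the URL
  }
  if (!upstream || !upstream.ok || !upstream.body) {
    res.writeHead(502); // do not relay upstream error bodies either
    return res.end();
  }
  res.writeHead(200, clientHeaders(upstream.headers));
  for await (const chunk of upstream.body) {
    // Respect backpressure so a slow client does not buffer the whole file in memory.
    if (!res.write(chunk)) await new Promise((resolve) => res.once("drain", resolve));
  }
  res.end();
}
```

In the route above, the final branch would call `streamAsset(file.url, @response)` in place of the bare `@response.end()`.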