Restrict file download #8241

Open
3 tasks done
mtrezza opened this issue Oct 15, 2022 · 7 comments · May be fixed by #8700 or #8385
Labels
type:feature New feature or improvement of existing feature

Comments

@mtrezza
Member

mtrezza commented Oct 15, 2022

New Feature / Enhancement Checklist

Current Limitation

(I think we discussed this issue already somewhere, but can't find where)

It is currently possible to download a file without being authenticated. Downloading a file should have similar restrictions to uploading a file. For example, it should be configurable that a file download is only available to authenticated users.

As long as file download is enabled for the public (without auth required), a service could be misused as a file hosting service. For example, a user can create an account, upload a file as an authenticated user, and then distribute the file download URL freely in public forums. Anyone would then be able to download the file. While it would technically still be possible to do that even if file download is restricted to authenticated users, it wouldn't be as easy as it is now.

Related:

Feature / Enhancement Description

Add new Parse Server config options (similar to the file upload options) to restrict file download to:

  • public
  • anonymous user
  • authenticated user

For example:

fileDownload: {
    enableForPublic: false,
    enableForAnonymousUser: false,
    enableForAuthenticatedUser: true,
},

Limitation: If the Parse Server file adapter is configured to send a direct URL (e.g. to the AWS S3 resource), then the developer has to implement their own mechanism to prevent that (e.g. via expiring download links which is already supported in the Parse Server S3 file adapter).

Example Use Case

n/a

Alternatives / Workarounds

Unknown whether there is a current workaround for that, maybe via triggers?

@parse-github-assistant

parse-github-assistant bot commented Oct 15, 2022

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza mtrezza added the type:feature New feature or improvement of existing feature label Oct 15, 2022
@Jaya-sys

Hey, can you assign this issue to me? I would like to work on this.

@mtrezza
Member Author

mtrezza commented Oct 24, 2022

@Jaya-sys sure, if you are working on this, please open a PR and link it to this issue, so everyone can see that there is active development going on. (We don't use the "assign" feature on GitHub)

@dblythy
Member

dblythy commented Oct 24, 2022

How would this work? The files are served via a GET call, and browsers/clients do not pass in auth/cookies inline (such as via an <img> tag).

Would we need some sort of presigned URL algorithm similar to what exists in parse-community/parse-server-s3-adapter#117?

@mtrezza
Member Author

mtrezza commented Oct 24, 2022

> and browsers/clients do not pass in auth/cookies inline (such as via an <img> tag)

I think the Parse SDK would need to pass a session token in the header for file requests, just like with any other request. So this is a multi-part issue. One is the PR on Parse Server side; the other is a PR in each of the Parse SDKs. The Parse SDKs can always send the session token in the header, and Parse Server can ignore it, or require it, depending on the setting.

This may not be applicable for every use case. For example, if a browser requests image files because they are embedded via an <img> tag, then there won't be an auth header. The developer would need to implement their own image download logic to dynamically load the images after downloading them with the Parse SDK. But that's a whole different story and out of scope I'd say.

I remember discussing this exact point previously, unfortunately I can't find where.

@Jaya-sys

> @Jaya-sys sure, if you are working on this, please open a PR and link it to this issue, so everyone can see that there is active development going on. (We don't use the "assign" feature on GitHub)

Yes sure

@mtrezza
Member Author

mtrezza commented Oct 24, 2022

I found the other related discussions:

Reading through them again, I think one conclusion is that there are 3 features we can implement, each one being independent, i.e. they can exist in parallel and don't replace one another:

  • a) Add a beforeGetFile trigger: this is a rather universal feature that would allow developers to implement a custom solution to restrict file download as long as Parse Server doesn't support it OOTB. For example a developer can allow file download only for authenticated requests and use the REST API to add an auth header. Parse Server needs 2 changes: add the trigger and validate the auth to pass the request.user in the trigger request object if a valid auth header is present.
  • b) Add a file download restriction as Parse Server option similar to the existing file upload restriction option
  • c) Add ACL for ParseFile

The features are in order of difficulty, I guess triggers (#6572) would be the easiest to implement.
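
The per-request decision implied by the proposed `fileDownload` option and the session-token header discussed above, as an added example that is not Parse Server code and not written by anyone in this thread. The function names, the in-memory session table, the deny-by-default handling of missing keys and the rejection of unknown tokens are assumptions made for illustration.

```javascript
// Added illustration; not Parse Server code. `fileDownload` is the option
// proposed in this issue; the session table is constructed sample data.
const SESSIONS = new Map([
  ['r:constructed-anon', { id: 'u1', authData: { anonymous: { id: 'abc' } } }],
  ['r:constructed-user', { id: 'u2', authData: {} }],
]);

// Classify the requester from the request headers (Node lowercases names).
// A bare GET, e.g. from an <img> tag, carries no session header: "public".
function classifyRequester(headers, sessions = SESSIONS) {
  const token = headers['x-parse-session-token'];
  if (!token) return { kind: 'public' };
  const user = sessions.get(token);
  if (!user) return { kind: 'invalid' }; // token sent, but unknown or expired
  const anonymous = Boolean(user.authData && user.authData.anonymous);
  return { kind: anonymous ? 'anonymous' : 'authenticated', user };
}

// Apply the proposed option to one download request.
function mayDownload(fileDownload, headers, sessions = SESSIONS) {
  const who = classifyRequester(headers, sessions);
  // Assumption: an unknown token is rejected rather than downgraded to
  // "public", so a stale token never succeeds by accident.
  if (who.kind === 'invalid') return { allowed: false, who: who.kind };
  const flag = {
    public: 'enableForPublic',
    anonymous: 'enableForAnonymousUser',
    authenticated: 'enableForAuthenticatedUser',
  }[who.kind];
  // Assumption: a missing config or missing key means "deny".
  const allowed = Boolean(fileDownload && fileDownload[flag] === true);
  return { allowed, who: who.kind };
}

// The configuration from the issue description.
const config = {
  enableForPublic: false,
  enableForAnonymousUser: false,
  enableForAuthenticatedUser: true,
};

for (const headers of [
  {},                                                // <img> tag or plain link
  { 'x-parse-session-token': 'r:constructed-anon' }, // anonymous user
  { 'x-parse-session-token': 'r:constructed-user' }, // signed-up user
]) {
  console.log(mayDownload(config, headers));
}
```

This only models requests that pass through the server; as the issue notes, a file adapter that hands out direct storage URLs bypasses any such check.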

@dblythy dblythy linked a pull request Jul 24, 2023 that will close this issue