Best way to add authentication to file retrieval? #3887

Closed
davidrichard23 opened this issue May 31, 2017 · 4 comments
@davidrichard23

I'm creating an app that requires HIPAA compliance. My issue is that while the Parse Objects containing references to the images are secured by their ACLs, the images can be accessed by anyone if the filename is known/guessed (very unlikely but possible).

I understand that for most applications this is secure enough, but for HIPAA compliance, I think those images need to be only accessible by authenticated users with the permissions required to access the referencing object.

Now I don't have much knowledge of the code base, but I'm planning on creating a PR for this. Here's what I've come up with:

  1. Add a new boolean config option called `authenticatedFileRetrieval` or something.
  2. In `FilesRouter.js` change `router.get('/files/:appId/:filename', this.getHandler);` to `router.get('/files/:appId/:filename/:referencingClass?/:sessionToken?', this.getHandler);` or use query parameters for the optional params. I'm not sure which would be more appropriate.
  3. In `getHandler()`, if `authenticatedFileRetrieval == true`, query the `referencingClass` using the `sessionToken`.
  4. If the query returns the ACL secured object, continue as normal. If not, throw an error.

Maybe there's a better way to accomplish this? Or maybe someone can convince me that this isn't needed? Any input would be appreciated!
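
A sketch of the check proposed in steps 1 to 4 above, as an added example that is not part of the original issue or of Parse Server's code: the session store, the `Scan` class, its `image` field and the helper names are constructed stand-ins. It goes one step beyond step 4 by also requiring that the readable object references the requested filename, so that read access to one object does not unlock every file.

```javascript
// Constructed stand-ins (not Parse Server APIs): a session store and
// ACL-protected objects whose hypothetical `image` field names a stored file.
const SESSIONS = new Map([['r:alice-token', 'alice'], ['r:bob-token', 'bob']]);
const OBJECTS = [
  { className: 'Scan', image: 'a1b2_xray.png', readers: new Set(['alice']) },
  { className: 'Scan', image: 'c3d4_mri.png', readers: new Set(['bob']) },
];

// Hypothetical ACL-enforcing query: objects of the class this user may read.
function findReadable(className, userId) {
  return OBJECTS.filter(o => o.className === className && o.readers.has(userId));
}

// Returns the HTTP status the file handler would answer with.
function authorizeFileRead(config, { filename, referencingClass, sessionToken }) {
  // Option off: files stay readable by anyone who knows the name.
  if (!config.authenticatedFileRetrieval) return 200;
  // Option on: both optional parameters become mandatory.
  if (!referencingClass || !sessionToken) return 401;
  const userId = SESSIONS.get(sessionToken);
  if (userId === undefined) return 401; // unknown or expired session
  // Step 4, plus the binding: a readable object must reference this file.
  const allowed = findReadable(referencingClass, userId)
    .some(o => o.image === filename);
  // Same answer for "no such file" and "not readable by you", so the
  // endpoint does not confirm guessed filenames.
  return allowed ? 200 : 403;
}
```

Whichever transport is chosen for the session token, a token carried in the URL path or query string ends up in access logs and proxies, which a request header avoids.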

@dplewis
Member

dplewis commented May 31, 2017

+1 I also need this for HIPAA Compliance.

@zeekhuge
Contributor

+1 Would be a really useful feature.
@davidrichard23 I see your pull request and I found a short description about the tests - https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#run-your-tests-against-postgres-optional

Also, it looks like the tests should be added to parse-server/spec/.
Maybe @dplewis can help on this? He's been contributing to the project.

@somq

somq commented Jun 25, 2018

@dplewis Did this come up somewhere?
Is there finally any commonly accepted solution or workaround to be able to add auth to file adapters?

@stale

stale bot commented Sep 18, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
