BobbyWibowo / lolisafe

Blazing fast file uploader and awesome bunker written in node! 🚀
MIT License

Is there a way to restrict accessing files only to logged in users? #769

Closed DursyArts closed 2 months ago

DursyArts commented 2 months ago

Hello, I was wondering if there is a way that makes it so you can only view uploaded media when you're logged in. I mean, can you just scrape through the whole sub.domain.tld/filenamexxx.png until you find something that doesn't throw a 404? I want albums that I don't explicitly set as public to not be viewed by people that aren't signed in. I hope that makes sense and is somehow possible. I'm using the following nginx block:

```nginx
# uploaded files
location / {
    add_header Access-Control-Allow-Origin *;
    root /mnt/storagebox/lolisafe/uploads;
    try_files $uri @proxy;
}
```

I haven't changed a lot of things in the config.js file, but if you need something specific out of this I can provide that; I'm just unsure what's important for that and what not.

And if it isn't natively supported, are there workarounds?

greetings

BobbyWibowo commented 2 months ago

Sorry, unfortunately something like that would require overhauling the session system altogether.

In short, there's really no easy workaround. At best, you can only do some kind of nginx IP-based rate limit on the files' location block. Though that'll only slow scrapers a bit, and can't really handle netbot scrapers with multiple IP addresses.

For the technical explanation, this fork's session system relies solely on the visitors manually providing an auth token in each of their requests (this is automated by the frontend). As such, there is no "session cookie".

So even if you serve files with Node to have the ability to programmatically check for login status, it just can't. When browsers are fetching your files normally, the auth token won't be shipped in the requests, because it's not a cookie. So even programmatically it's not possible to check login status.

On that note, I believe upstream chibisafe, https://github.com/chibisafe/chibisafe, already transitioned to using session cookies. So something like that should be possible with some modifications, if not right out of the box. I haven't checked their code in a while, but Pitu/Kana, its author, is typically active on their Discord if you want to ask more.
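As an added example (not from the issue, the lolisafe project or its maintainer), this is what the nginx IP-based rate limit mentioned above looks like when applied to the files location block from the question. The zone name `uploads_per_ip`, the 5 requests/second rate, the burst of 20 and the 429 status are assumed values to tune for the deployment; the `root`, `add_header` and `try_files` lines are the ones already in use.

```nginx
http {
    # limit_req_zone must live in the http {} context: one 10 MB shared-memory
    # zone keyed by client IP, allowing a sustained 5 requests/second per address
    limit_req_zone $binary_remote_addr zone=uploads_per_ip:10m rate=5r/s;

    server {
        # ... listen / server_name and other directives as in the existing config ...

        # uploaded files
        location / {
            add_header Access-Control-Allow-Origin *;
            root /mnt/storagebox/lolisafe/uploads;

            # let a normal page load fetch a handful of thumbnails at once (burst),
            # but reject everything beyond that immediately instead of queueing it
            limit_req zone=uploads_per_ip burst=20 nodelay;
            limit_req_status 429;

            # counted whether the file exists or not, so 404 probing is
            # throttled the same as hits before it ever reaches the Node proxy
            try_files $uri @proxy;
        }
    }
}
```

Because the limit is evaluated on the location rather than on the result of `try_files`, a client walking through guessed filenames is throttled even though each miss falls through to `@proxy`. Rejected requests are written to the nginx error log (level controlled by `limit_req_log_level`, `error` by default), which is the easiest place to notice an address that keeps hitting the limit. As the maintainer notes, this only slows a single address; a scraper spread across many IP addresses is not stopped by it.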