.fluid() doesn't accept token as option for WebProxy sources

[bbuchalter]

Without specifying a token for .fluid(), Imgix returns 400s for WebProxy sources.

[jacktasia]

Thanks for reporting this. I'll have a fix out for this soon.

[bbuchalter]

@jacktasia that would be incredible. I've got a production feature on hold for this! :)

[jacktasia]

Hi @bbuchalter

I just released version 1.0.10 of imgix.js. This release provides support for a token property being passed to imgix.fluid. When this is set the URLs are automatically signed. Please see the CHANGELOG for more details.

Thanks again for reporting this issue and please let me know if you have any issues/questions going forward.

[bbuchalter]

@jacktasia thanks for the super fast turn around. Just realized something....it's probably a bad idea to place my "secure token" into client side JavaScript....right?

[jacktasia]

Good point @bbuchalter. I meant to bring this up in my last post. With a WebProxy source it is not a good idea since people could use that to proxy their own images through it.

That said, if a secured Web Folder source could work for your situation then, while still not ideal, it could be an acceptable practice assuming your reason for signing your images was to stop unnecessary renders (and not to stop exposing the original high rez image). Since in that (Web Folder) case there's really no difference between having an unsecured source and having an exposed token on a secure source. It would at least stop the casual user from causing additional renders. Additionally if the token wasn't hardcoded and generated in minified code where it was never easily exposed then it would probably stop all but the most determined attacker. Again, a WebProxy source would be a significantly more attractive target.

So I would definitely recommend moving to a secured WebFolder source if possible. Let me know if you any other questions or issues. Thanks!