Closed rivernews closed 2 years ago
The stored image url is `https://localhost:8000/api/...`. It should not be https - use http instead. The problem is the `https` scheme and the `localhost` host in the url.

If the way the image is loaded (`<img src="...">`) really can't be altered, then we need to use an image url format such that the host name and http scheme will not get included, because these could change based on the environment. If we are in DEBUG mode and we upload an image, the editor content will store `<img src="http://localhost..." />`, which is not right. But if we stick to the rule - no upload in DEBUG mode - then perhaps we can use an image_url format of `${frontendDecideHostBase}/api/private-image/id=${POSTresponse}`. But when you display, those images would be `<img src="https://appl-tracky..." />`, which is actually hitting the production server, not the DEBUG server. There would be inconsistency. Imagine - what would be the right way?
`<img src` - what to store in src?

`/api/private-image/id=...` - then you need to make sure frontend & backend are same origin, which we're not.

iriversland-spa did it? Because they use a public S3 bucket! Seems that maybe disallowing image upload in DEBUG could be a good compromise.
So, just for development purposes, we tried using `http://localhost...` as the image url and the src.
The `<img src...>` GET request is handled by the browser, and the browser by default does not attach the JWT. I wonder how the industry does it. Keyword: "sign image src browser how to authenticate jwt". Blogger, etc. - how do they do it?

We'll use a less secure method, but it'll be enough for naive suspicious behavior.
Let `<img src... >` be consistent, while routing the image access traffic through our server so we have more control over it.
`<img src=... >` will work. In the future, we can add auth by letting the frontend change to session auth, or at least add session auth on top of JWT auth.

First of all, we need to know how S3 presigned URLs work.
Seems like we found a way: `<img src="managed_url" />` with the `<img />` element. Django-storage with its support for `FileField`, as long as the response is not a url string. Use this post to implement the class `PrivateMediaStorage`, and see in the view if you can return a file response. See this SO for including the username into the file url.
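As an added example (not code from this issue or the appl-tracky project), here is one way to let a plain `<img src>` GET authenticate without a JWT header, which is also the idea behind S3 presigned URLs: the backend signs a relative image URL (image id, username and expiry) with a server secret using HMAC, the frontend prepends its own API base at display time so the stored value never contains a scheme or host, and the image view verifies the signature and expiry before returning the file. The route shape `/api/private-image/<id>`, the `SERVER_SECRET` and the query parameter names `u`, `exp` and `sig` are assumptions for illustration; the Django view that would call `verify_image_url` and return a `FileResponse` is not shown.

```python
"""Signed image URLs: let <img src="..."> authenticate without a JWT header.

Added illustration; route shape, secret and parameter names are assumptions.
"""
import hashlib
import hmac
import html
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret; a real deployment loads it from settings/env.
SERVER_SECRET = b"example-secret-do-not-use"
# Assumed route, modelled on the /api/private-image/id=... idea in the issue.
ROUTE = "/api/private-image/"


def _mac(image_id: str, username: str, expires: int) -> str:
    # Bind the signature to the image, the user and the expiry time.
    msg = f"{image_id}\n{username}\n{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign_image_url(image_id: str, username: str, ttl_seconds: int = 300,
                   now: Optional[int] = None) -> str:
    """Return a relative URL granting `username` access to `image_id` for `ttl_seconds`.

    It carries no scheme or host, so the frontend prepends its own API base and
    DEBUG and production builds never point at each other's server.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"u": username, "exp": expires,
                       "sig": _mac(image_id, username, expires)})
    return f"{ROUTE}{image_id}?{query}"


def verify_image_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check route, signature and expiry of a signed URL.

    Returns (True, image_id) on success, else (False, reason). The image view
    would call this before streaming the file back to the browser.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    if not parsed.path.startswith(ROUTE):
        return False, "wrong route"
    image_id = parsed.path[len(ROUTE):]
    params = parse_qs(parsed.query)
    try:
        username = params["u"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"
    # Constant-time comparison; any change to id, user or expiry breaks the MAC.
    if not hmac.compare_digest(sig, _mac(image_id, username, expires)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, image_id


def img_tag(api_base: str, signed_url: str) -> str:
    """Render the <img> at display time, prefixing the environment's own host."""
    return f'<img src="{html.escape(api_base + signed_url, quote=True)}" />'


if __name__ == "__main__":
    t0 = 1_700_000_000
    url = sign_image_url("42", "alice", ttl_seconds=300, now=t0)
    print(img_tag("http://localhost:8000", url))
    print(verify_image_url(url, now=t0 + 100))
    print(verify_image_url(url, now=t0 + 300))
    print(verify_image_url(url.replace("/42?", "/43?"), now=t0 + 100))
```

Because the stored `src` is relative, the same editor content renders against `http://localhost:8000` in DEBUG and against the production host in production, which removes the inconsistency discussed above; the short TTL limits how long a leaked URL stays useful, and binding the username into the MAC means a URL signed for one user cannot simply be re-pointed at another user's image.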