tus / tusd

Reference server implementation in Go of tus: the open protocol for resumable file uploads
https://tus.github.io/tusd
MIT License
2.92k stars 465 forks

[Question] Authentication for HEAD / PATCH #1117

Closed blmhemu closed 2 months ago

blmhemu commented 2 months ago

Question

Thanks for moving the industry forward on resumable uploads - tusd's hooks are well designed and quite useful.

The documentation mentions limited support for upload authentication.

Currently, there is no mechanism to ensure that the upload is resumed by the same user that created it.

This could be fine if the file URLs are non-deterministic. But if we want to make the URL path deterministic (say, to avoid storing state on the client side), then this assumption would not hold.

Is there a 'hook' for validating the PATCH and HEAD requests? Can this be achieved programmatically with Go middlewares?

Alternatively, can we add a "validate" hook for every type of request?

Random Suggestion

https://tus.github.io/tusd has really good documentation and should be referenced (frequently / significantly) at tus.io

Acconut commented 2 months ago

Work on such a hook, which checks access to an upload resource, has already begun in https://github.com/tus/tusd/pull/1077. You can find a bit more context in https://github.com/tus/tusd/issues/669#issuecomment-1051924886 and I hope that we can finish the PR soon.

blmhemu commented 2 months ago

Awesome! PR looks good (similar to what I mentioned, but in code)! Please feel free to close this issue. :heart:
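
On the Go middleware question raised in this thread, an added example (not part of the thread, and not tusd's code or the hook from the linked PR): a plain `net/http` wrapper that records who created each upload URL and denies HEAD/PATCH/DELETE/GET to anyone else. `OwnerGuard`, `UserOf` and the `X-User` header are hypothetical names; it assumes the wrapped handler answers a creation POST with a `Location` header, as the tus protocol specifies, and it keeps ownership in memory only.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"sync"
)

// OwnerGuard wraps a tus handler and lets only an upload's creator use it.
type OwnerGuard struct {
	Next   http.Handler               // the tus handler being protected
	UserOf func(*http.Request) string // hypothetical: authenticated user, "" if none
	owners sync.Map                   // upload URL path -> creator, in memory only
}

func (g *OwnerGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodOptions { // capability discovery, touches no upload
		g.Next.ServeHTTP(w, r)
		return
	}
	user := g.UserOf(r)
	if user == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	if r.Method == http.MethodPost { // creation: first creator of a URL owns it
		g.Next.ServeHTTP(w, r)
		if loc, err := url.Parse(w.Header().Get("Location")); err == nil && loc.Path != "" {
			g.owners.LoadOrStore(loc.Path, user)
		}
		return
	}
	// HEAD, PATCH, DELETE, GET: default deny unless the caller created the upload.
	if owner, _ := g.owners.Load(r.URL.Path); owner != user {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	g.Next.ServeHTTP(w, r)
}

func main() {
	// http.NotFoundHandler() is a placeholder; pass the real tus handler here.
	// Assumption: a trusted auth proxy sets X-User and strips it from client input.
	userOf := func(r *http.Request) string { return r.Header.Get("X-User") }
	guard := &OwnerGuard{Next: http.NotFoundHandler(), UserOf: userOf}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", guard))
}
```

Unknown paths and wrong owners get the same 403, so the response does not reveal whether a deterministic URL exists. The guard only controls access after creation; whether a second POST may reuse an existing deterministic ID has to be decided where the ID is generated.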