9

I have a public/Asset/Media/ folder.

I can access this file publicly like below.

http://localhost/myapp/public/Asset/Media/1/phpunit.xml

Similarly there are other folders in the Asset/Media folder which are being created on the fly.

There are many files present in those sub folders, and also in the Asset/Media folder itself.

Is there any way, such that if I try to access any file in Asset/Media folder or any file present in the sub folder of Asset/Media folder, I should be redirected to login page because authentication is not done?

I meant, can I use Auth Middleware to secure this folder? If so, is it a valid approach if we have to access the files from an Android app?

Pankaj

5 Answers

1

If you want to secure files, they need to go through Laravel. Accessing the file as you do (using the full path) does not go through Laravel. You can achieve this by creating a route:

// Every route inside this group requires an authenticated user
Route::group(['middleware' => ['auth']], function () {
    Route::get('/secure/file/{file_name}', 'FileController@file');
});

Then, create a Controller to access the file so that you can use Auth to check for permission to access. It also means that you should put the file in an inaccessible location and use the Laravel Filesystem to access the file using PHP:

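use Illuminate\Support\Facades\Storage;

class FileController extends Controller {
    // $file_name is the {file_name} route parameter
    public function file($file_name)
    {
        // Read the file from the non-public storage disk and return its contents
        return Storage::get('path/to/phpunit.xml');
    }
}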
Niraj Shah
  • Is it a valid approach if we have to access the files from an Android app? – Pankaj May 20 '16 at 12:01
  • I don't see an issue with it for accessing files via Android App, but this approach could consume more resources than desired if you are serving large / lots of files using this approach. – Niraj Shah May 23 '16 at 12:48
1

Laravel 5.2 has introduced HTTP Middleware; I would advise you to use it.

https://laravel.com/docs/5.2/middleware#middleware-groups

This thread might help you to get it to work...

Laravel 5.2 Auth not Working

Prakash
1

Use the route below for it:

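Route::get('/myapp/public/Asset/Media/{id}', function ($id) {
    if (Auth::guest()) {
        // Not logged in: send the visitor to the login page
        return Redirect::guest('login');
    } else {
        $img = "/myapp/public/Asset/Media/" . $id;
        if (File::exists($img)) {
            // Send the file contents rather than the path string
            return Response::make(File::get($img), 200, array('content-type' => 'image/jpg'));
        } else {
            // A route cannot return false as a response; answer with 404
            abort(404);
        }
    }
})->where('id', '.+');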
Javid Aliyev
1

My sample URL is here:

http://domainname.com/storage/Asset/Media/1/filename.txt

My route

Route::get('/storage/Asset/Media/{ID}/{file}', array(
    'as' => 'Files',
    'uses' => 'User\Account\Media\MediaController@DownloadMedia',
));

Controller Action Method

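// The route defines two parameters, {ID} and {file}
public function DownloadMedia($ID, $file) {
    // Generic binary type so the browser downloads the file
    $headers = array(
        'Content-Type'        => 'application/octet-stream',
        'Content-Disposition' => 'attachment; filename="somefile.txt"'
    );

    // Send the file together with the headers defined above
    return response()->download(base_path("storage/Asset/Media/1/somefile.txt"), 'somefile.txt', $headers);
}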

The important thing here is that I can use application/octet-stream to download any file type.

Pankaj
0

Files in the public folder will be accessible to everyone because of the rewrite rules used by Laravel; Laravel won't even be called when someone accesses a file in the public folder.

So, you must put your restricted files somewhere else, maybe in the storage folder, but ultimately it doesn't matter.

After putting your whole Asset/Media folder into the storage folder and updating the code that creates your folders on the fly (How storage works), create a FileController:

class FileController extends Controller {
    public function __construct() {
        $this->middleware('auth');
    }

    public function downloadFile($filename) {
        return response()->download(storage_path($filename), null, [], null);
    }
}

Then configure this route:

Route::get('file/{filename}', 'FileController@downloadFile')->where('filename', '^[^/]+$');

That's it, now only your authenticated users will be able to download asset files thanks to the auth middleware; that will also work for an Android app.

Sofiene Djebali
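
The question mentions sub folders created on the fly, so a route that serves them has to accept slashes in the path and then confine the resolved path to the media root. The controller below is an added example, not code from any of the answers; the `MediaController` name, the `media/{path}` route and the `storage/app/Asset/Media` location are assumptions.

```php
<?php
// Added example (not from the answers above). Assumes Laravel 5.x and that the
// media tree was moved out of public/ to storage/app/Asset/Media (assumed path).

namespace App\Http\Controllers;

class MediaController extends Controller
{
    public function __construct()
    {
        // Guests are redirected to the login page before show() runs.
        $this->middleware('auth');
    }

    // $path is everything after /media/, e.g. "1/phpunit.xml".
    public function show($path)
    {
        $root = realpath(storage_path('app/Asset/Media'));
        if ($root === false) {
            abort(404); // media root is missing
        }

        // realpath() resolves "..", symlinks and duplicate slashes, and
        // returns false when the target does not exist.
        $full = realpath($root . DIRECTORY_SEPARATOR . $path);

        // Serve only regular files that are still under the media root after
        // resolution; a path containing ".." that climbs out of it gets a 404.
        if ($full === false
            || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0
            || !is_file($full)) {
            abort(404);
        }

        return response()->download($full);
    }
}

// In the routes file: '.+' lets {path} span sub folders, which is why the
// containment check in show() is required.
// Route::get('media/{path}', 'MediaController@show')->where('path', '.+');
```

For an Android client that cannot follow a login redirect, the same controller can sit behind a token-based guard instead of the session-based `auth` middleware.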