
I have a working membership site built in Rails 5.0.4 (puma / nginx / latest Devise). Among many other things, it streams .mp3 files to an in-browser player. The .mp3 files are in the Rails asset pipeline and thus in production are placed in /public/somefolder, and Rails then relies upon nginx to serve those files directly.

This is all well and good, except that now anyone, even non-members, can figure out the URL to these .mp3 files and go get them at will without first logging in. I don't want this to happen. These are assets that must be limited to members only.

I have already toyed with the notion of moving the .mp3 files out of the asset pipeline and into a private folder and then serving them up via a controller. The problem I see with that is the load I imagine serving these files will inflict upon Rails. I'd rather let nginx do what it does best...serve static files...if that's possible.

I have also considered solutions that serve up expiring URLs or obfuscated URLs but none I've seen would prevent someone from figuring out the direct URL to the file. So the ones I know of can all be somewhat easily defeated.

So, having said that, can anyone give me some idea of how to achieve what I want? Is there a way to limit access to nginx-served (or for that matter CDN-served) static files to only users duly logged in to a Rails site such as my membership site? At this point I am open to suggestions...

  • Check out this [question](https://stackoverflow.com/questions/2752497/how-to-store-private-pictures-and-videos-in-ruby-on-rails) – ashkhn Jul 06 '17 at 02:51
  • Thank you @akash93...The question you referenced does seem to address what I am looking for. I'm working through that now. I'm not sure why it didn't come up in my searches yesterday, but it does appear to be the answer I was looking for. Thanks again for pointing me in that direction! – David Herring Jul 06 '17 at 16:59
  • No problem. It's about the keywords I guess. I've referred to this before so was able to find it quickly :) – ashkhn Jul 07 '17 at 01:48
