
I'm trying to find a way to restrict the access to each of the buckets in my application. The goal is to prevent users from accessing objects from buckets other than the one which is "assigned" to them.

In short, the app assigns a bucket for every user to store objects within, and I want to prevent users from accessing buckets which are not meant to be accessed by them.

I guess a request could look like this:

curl -v 'https://developer.api.autodesk.com/authentication/v1/authenticate' \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE' \
  -d 'client_secret=eUruM8HRyc7BAQ1e' \
  -d 'grant_type=client_credentials' \
  -d 'scope=data:read' \
  -d 'bucket=CLIEN_SPECIFIC_BUCKET_ID'   # I'm thinking of some parameter like this

1 Answer


You should implement your own management layer in your app to manage user permissions to different buckets; as a best practice, users should not be exposed to app-level access tokens to access the buckets themselves.

Forge cloud buckets belong to the Forge app and not to end users, as Forge is a development platform and operates at the developer/application level rather than that of end users.

EDIT:

For Viewer you can go with an AOP approach: set up a proxy in your backend and delegate authentication to the proxy. You can redirect Viewer to send requests to your endpoints, and your backend can in turn authenticate and retrieve the resource from Forge services, so that you won't have to expose your access token to the users. Try:

Autodesk.Viewing.endpoint.setEndpointAndApi('https://yourhostname/your/proxy/service/path')

And you can add custom headers to Viewer's requests to authenticate against your own app:

Autodesk.Viewing.endpoint.HTTP_REQUEST_HEADERS = {}

Alternatively you can download the derivatives to your own storage and load them from there - see here for details.

Bryan Huang
  • Stored objects are used by Forge's viewer. The token used by the web application (where the viewer is loaded) has "viewables:read", so it cannot access any bucket information. The issue is that with that token you can theoretically view a file/object which is not part of this so-called "your bucket". I do have a management layer at the back end which hides those files you are not supposed to see (not serving their URIs), but knowing the urn of the file is enough for a malicious actor to view this file (since the token is valid for every bucket for this client_id). – Theodor Pavlov Aug 07 '19 at 11:47
  • The second option looks fine, I will try to adopt it. I've also found this resource for extracting in C# .NET. It might be useful for others: https://forge.autodesk.com/blog/forge-svf-extractor-c-net I will post an update later. – Theodor Pavlov Aug 08 '19 at 13:12
  • I would rather suggest creating an app for each user. Thus, each user will access the buckets using the secrets assigned to them. – denis-grigor Aug 08 '19 at 14:37
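The proxy approach from the answer only closes the hole the comment describes (a valid token plus a guessed URN is enough to read any bucket of the client_id) if the proxy authorizes each request against the caller's assigned bucket before forwarding it. The following Node.js code is an added example, not code from the answer, the question or Autodesk; it assumes a hypothetical x-session-id header for the app's own sessions, that Viewer requests arrive as /derivativeservice/v2/<kind>/<urn>... where <urn> is the base64url encoding of the OSS objectId "urn:adsk.objects:os.object:<bucketKey>/<objectKey>", and that derivative resource URNs embed that same blob after "urn:adsk.viewing:fs.file:". Those path conventions are assumptions to be checked against the Viewer traffic you actually see, not facts from the page.

```javascript
// Added example, not code from the original answer: a backend proxy that the
// Viewer is pointed at with Autodesk.Viewing.endpoint.setEndpointAndApi().
// The Forge access token never leaves the server, and every proxied request
// is checked against the caller's assigned bucket before it is forwarded, so
// a user who guesses the URN of an object in another bucket still gets a 403.
//
// Assumptions (hypothetical, not taken from Forge documentation): requests
// arrive as /derivativeservice/v2/<kind>/<urn>..., <urn> is the base64url
// encoding of "urn:adsk.objects:os.object:<bucketKey>/<objectKey>", and
// derivative resource URNs embed that blob after "urn:adsk.viewing:fs.file:".
// The x-session-id header is likewise a made-up session mechanism.
const OSS_PREFIX = 'urn:adsk.objects:os.object:';
const DERIV_PREFIX = 'urn:adsk.viewing:fs.file:';

function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(text) {
  return Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Bucket key named by one path segment, or null when the segment is not an
// encoded OSS objectId (e.g. "derivativeservice", "v2", "manifest").
function bucketFromSegment(segment) {
  let text;
  try { text = decodeURIComponent(segment); } catch (e) { return null; }
  if (text.startsWith(DERIV_PREFIX)) {
    text = text.slice(DERIV_PREFIX.length).split('/')[0];
  }
  const decoded = b64urlDecode(text);
  if (!decoded.startsWith(OSS_PREFIX)) return null;
  const rest = decoded.slice(OSS_PREFIX.length);
  const slash = rest.indexOf('/');
  return slash > 0 ? rest.slice(0, slash) : null;
}

// Deny by default: a request naming no bucket, or any bucket other than the
// one assigned to the user, is refused rather than passed through.
function authorizeViewerPath(user, path) {
  const segments = path.split('?')[0].split('/').filter(Boolean);
  const buckets = segments.map(bucketFromSegment).filter(Boolean);
  if (buckets.length === 0) {
    return { allowed: false, reason: 'no OSS object id in request path' };
  }
  const foreign = buckets.find((b) => b !== user.bucketKey);
  if (foreign !== undefined) {
    return { allowed: false, reason: `bucket ${foreign} is not assigned to ${user.id}` };
  }
  return { allowed: true, bucket: buckets[0] };
}

// Request handler. fetchUpstream(path, token) is injected so the check can be
// run offline; in production it performs the HTTPS call to Forge with the
// server-held token obtained via the client_credentials grant.
function makeProxyHandler({ sessionLookup, getForgeToken, fetchUpstream }) {
  return async function handle(req) {
    const user = sessionLookup(req.headers['x-session-id']);
    if (!user) return { status: 401, body: 'not signed in' };
    const verdict = authorizeViewerPath(user, req.url);
    if (!verdict.allowed) return { status: 403, body: verdict.reason };
    return fetchUpstream(req.url, await getForgeToken());
  };
}

// Constructed demo data: one session, one object in the user's bucket and one
// in somebody else's that a malicious user might try to load by URN.
const sessions = { 'sess-alice': { id: 'alice', bucketKey: 'alice-bucket' } };
const ownUrn = b64urlEncode(OSS_PREFIX + 'alice-bucket/model.rvt');
const foreignUrn = b64urlEncode(OSS_PREFIX + 'bob-bucket/secret.rvt');

async function demo() {
  const handle = makeProxyHandler({
    sessionLookup: (id) => sessions[id],
    getForgeToken: async () => 'server-side-token', // never sent to the browser
    fetchUpstream: async (path) => ({ status: 200, body: 'forwarded ' + path }),
  });
  const headers = { 'x-session-id': 'sess-alice' };
  return [
    await handle({ headers, url: `/derivativeservice/v2/manifest/${ownUrn}` }),     // 200
    await handle({ headers, url: `/derivativeservice/v2/manifest/${foreignUrn}` }), // 403
    await handle({ headers: {}, url: `/derivativeservice/v2/manifest/${ownUrn}` }), // 401
  ];
}

demo().then((results) => results.forEach((r) => console.log(r.status, r.body)));
```

On the browser side this pairs with the two Viewer settings from the answer: point `setEndpointAndApi` at the proxy and put the app's own session identifier (here the assumed x-session-id) into `HTTP_REQUEST_HEADERS`; the Forge token itself is only ever read by `getForgeToken` on the server. The deny-by-default branch matters: a path the proxy cannot map to a bucket is refused rather than forwarded, so an unexpected URL shape cannot become a bypass.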