I'm using Express.js and Passport.js as the authentication system, and also a view engine. I'm looking for a solution that would give users access to their own files, but not to other users' files. For example, in the image folder, a user would have access to their own files, and after that I want to pass these files to the view engine. If I use the public folder, anyone is able to see every file in there. What solution do you recommend?
3 Answers
You should create a directory for each user.
Then, for example, your URL is /show/files, and inside your logic you filter the directory by user info.

```javascript
app.get('/show/files', (req, res) => {
  // filter resources by user info
});
```

Don't forget to create a secure URL for your resources.
Bad Idea: /images/amin/profile.png
Good Idea: create a route to serve your resources.

```javascript
app.get('/resources', (req, res) => {
  // add a query parameter for the resource, for example profile.png
  // then check the user's directory and send it
});
```

Your URL becomes
/resources?file=profile.png

I assume you already have a login system in place, so all you have to do is create a middleware that checks if the user is logged in and checks if the image is his image.

```javascript
const path = require('path');

// Assumed layout: each user's files live under uploads/<username>/
const UPLOAD_ROOT = path.resolve(__dirname, 'uploads');

// Express 4 route: req.params.user is the owner segment, req.params[0] the rest of the path
app.use('/user/:user/*', function (req, res, next) {
  // req.user is set by passport once the session is authenticated;
  // compare the owner in the URL against the logged-in user, not against a cookie value
  if (req.user && req.params.user === req.user.username) {
    // serve the file; `root` confines the lookup to this user's directory,
    // and sendFile refuses names that try to escape it with ".."
    const userDir = path.join(UPLOAD_ROOT, req.user.username);
    res.sendFile(req.params[0], { root: userDir }, function (err) {
      if (err) next(err);
    });
  } else {
    res.status(403); // access denied
    res.end();
  }
});
```

I would suggest you use Passport.js local authentication. You can look into the official docs - http://www.passportjs.org/docs/authenticate/ I personally have used this in the same scenario you're in.
Here is a little code snippet of the custom middleware function I wrote using passport -

```javascript
module.exports = {
  ensureAuthenticated: function (req, res, next) {
    // req.isAuthenticated() is added to the request by passport
    if (req.isAuthenticated()) {
      return next();
    }
    // req.flash() requires the connect-flash middleware to be mounted
    req.flash('error_msg', 'Please login to view this resource.');
    res.redirect('/users/login');
  }
};
```

Feel free to check the entire solution on my github repo - https://github.com/StechAnurag/loginsys
