
I'm using Uppy.io as the client-side tus.io implementation in my ASP.NET MVC web application.

And tusdotnet v2.0.0 as the server side in an ASP.NET Core Web API.

It works fine all the way but how can we limit the file uploads only to authenticated users?

Here is the code snippet from my Razor page:

```js
// Uppy core instance with client-side restrictions (size and MIME type).
// These restrictions are enforced in the browser only.
var uppy = new Uppy.Core({
    debug: true,
    autoProceed: false,
    allowMultipleUploads: true,
    restrictions: {
        maxFileSize: 157286400,
        allowedFileTypes: ['application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/zip']
    }
});

uppy.use(Uppy.Dashboard, {
    trigger: '.UppyModalOpenerBtn',
    inline: true,
    target: '.DashboardContainer'
});
// tus endpoint URL is rendered by Razor from ViewBag.APIURL
uppy.use(Uppy.Tus10, { endpoint: '@ViewBag.APIURL' });
uppy.run();
```

Code snippet from .NET Core project in Configure method of Startup.cs:

```csharp
app.UseAuthentication();

app.UseTus(context => new DefaultTusConfiguration
{
    UrlPath = "/files",
    Store = new TusDiskStore(Path.Combine(env.ContentRootPath, @"uploads\tusio")),
    OnUploadCompleteAsync = async (fileId, store, cancellationToken) =>
    {
        //var file = await (store as ITusReadableStore)
        //    .GetFileAsync(fileId, cancellationToken);
        //return fileId;
    }
});
```

Everything works fine but I don't want WebAPI to save files sent by anonymous users.

Any solution or workaround would be highly appreciated. Thanks.

GitHub issue: https://github.com/tusdotnet/tusdotnet/issues/76

Azaz ul Haq
  • require authorization for GetFileAsync() method? – yob Dec 23 '19 at 15:06
  • @yob No. I comment out the extra code from `OnUploadCompleteAsync` callback method. The problem is file gets uploaded no matter who sends the file to the server. I don't want anyone to send the file and let server save it. – Azaz ul Haq Dec 23 '19 at 15:12
  • this? -> https://github.com/tusdotnet/tusdotnet/wiki/OnAuthorizeAsync-event – yob Dec 23 '19 at 15:14
  • Thank you @yob. You may answer the question and I'll accept. Please add that this event is not available in v2.0.0. I updated to v2.2.2 to make it work. – Azaz ul Haq Dec 23 '19 at 15:24

1 Answer


As stated by @yob, you can secure the "/files" endpoint with the OnAuthorizeAsync event:

```csharp
app.UseTus(httpContext => new DefaultTusConfiguration
{
    ...
    Events = new Events
    {
        OnAuthorizeAsync = eventContext =>
        {
            if (!eventContext.HttpContext.User.Identity.IsAuthenticated)
            {
                eventContext.FailRequest(HttpStatusCode.Unauthorized);
                return Task.CompletedTask;
            }

            return Task.CompletedTask;
        }
    }
});
```
cove18
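Going one step beyond the answer's check, as an added example that is not part of the original post or the tusdotnet project: authentication alone still lets any signed-in user write to, inspect or delete another user's upload if they learn its file id, so this sketch also ties each upload to its creator. It assumes tusdotnet 2.2 or later; the `AuthenticatedTus` class and the in-memory `Owners` map are hypothetical, and `Identity.Name` is assumed to be unique per user.

```csharp
// Added example (hypothetical helper), assuming tusdotnet 2.2+ where OnAuthorizeAsync exists.
using System.Collections.Concurrent;
using System.Net;
using System.Threading.Tasks;
using tusdotnet.Interfaces;
using tusdotnet.Models;
using tusdotnet.Models.Configuration;

public static class AuthenticatedTus
{
    // Hypothetical owner map (file id -> user name); use durable storage in production.
    private static readonly ConcurrentDictionary<string, string> Owners =
        new ConcurrentDictionary<string, string>();

    public static DefaultTusConfiguration Create(ITusStore store) => new DefaultTusConfiguration
    {
        UrlPath = "/files",
        Store = store,
        Events = new Events
        {
            OnAuthorizeAsync = ctx =>
            {
                var identity = ctx.HttpContext.User?.Identity;
                if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
                {
                    ctx.FailRequest(HttpStatusCode.Unauthorized);
                    return Task.CompletedTask;
                }
                // Requests that target an existing upload must come from its creator.
                bool targetsFile = ctx.Intent == IntentType.WriteFile
                    || ctx.Intent == IntentType.DeleteFile
                    || ctx.Intent == IntentType.GetFileInfo;
                if (targetsFile && (ctx.FileId == null
                    || !Owners.TryGetValue(ctx.FileId, out var owner)
                    || owner != identity.Name))
                {
                    ctx.FailRequest(HttpStatusCode.Forbidden);
                }
                return Task.CompletedTask;
            },
            // Record the creator once the store has assigned a file id.
            OnCreateCompleteAsync = ctx =>
            {
                Owners[ctx.FileId] = ctx.HttpContext.User.Identity.Name;
                return Task.CompletedTask;
            }
        }
    };
}
```

Wire it in with `app.UseTus(httpContext => AuthenticatedTus.Create(store))`, keeping `app.UseAuthentication()` ahead of it as in the question so that `HttpContext.User` is populated before the tus middleware runs.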