
I use Flask in the backend and React in the frontend. Users are not required to log in. In the frontend, after processing the user's request, I present text with links to several PDF documents. Currently, the documents reside in a public folder on the backend server, and the user accesses them simply by clicking the link; a new tab opens in the browser showing the PDF. But I want to semi-lockdown the folder, so that the documents are only accessible by the user using the app, and the user can only see the documents relevant to her request.

I have read a lot of similar questions but none of the solutions have worked for me so far.

I have tried to have the various links call a route in the backend and the backend can then send the file to the frontend. I used send_file and send_from_directory for that, but always get a file with 'null' in it.

My code in the backend for this function is:

    from flask import send_from_directory

    def function_to_get_file():
        # Directory and filename arguments were lost in extraction; placeholders stand in for them.
        try:
            return send_from_directory(DIRECTORY_PLACEHOLDER, FILENAME_PLACEHOLDER, as_attachment=True)
        except Exception as e:
            return str(e)

I have tried various combinations of as_attachment and mimetype.

I am testing with Postman and with a direct request in a browser to localhost:5000/function_to_get_file. Both simply return 'null'. I have verified the and at runtime.

Any help is highly appreciated. And if you think I should follow a different design altogether, then please advise.

Philp
  • So, I think the approach you are using kinda misses the mark. Once you start thinking "Hey, I'll test it with Postman" you know it's a solution that isn't going to actually prevent other users from accessing the file directly without interacting with the app. I would probably use a session-based approach where your app generates a token for the user that is then required for a request to the protected download folder to be allowed, thus causing the user to, at minimum, visit (or send a request to) an initial page to obtain a token. – Kevin B Apr 26 '23 at 20:46
  • Thanks Kevin. I want to avoid the situation where a user - whether logged in (token) or not (I could give them a token, as you propose) - can download all documents in the download folder. I want to allow downloading the documents that are relevant to their particular 'case' in the app. I guess I could keep a table of which docs the individual user is allowed to see, and then the user can see the doc by clicking that doc's link in the frontend. Sounds right? Next question would then be how to allow access subject to the token being approved. – Philp Apr 27 '23 at 10:10
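The design sketched in the question and the two comments (a token minted when the app processes a request, a table of which documents that request may see, and a download route that refuses anything else) as an added example; this is not the asker's code or Flask's own, and the route paths, cookie name, TTL and the stub `relevant_docs_for()` rule are assumptions. The authorization core is plain Python so it runs without Flask; `create_app()` imports Flask only when called and wires the core into two routes using `send_from_directory`.

```python
"""Token-gated PDF downloads for a Flask backend (added example, not the asker's code).

Core authorization is plain Python so it can run and be tested without Flask;
create_app() wires it into Flask routes and only imports Flask when called.
"""
import os
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60          # assumption: a case token lives 15 minutes
COOKIE_NAME = "case_token"           # assumption: cookie carrying the token


@dataclass(frozen=True)
class CaseSession:
    allowed_docs: frozenset          # exact filenames this case may download
    expires_at: float                # unix time after which the token is dead


# Constructed in-memory store keyed by token; a deployment would use a
# server-side session store so tokens survive restarts and scale out.
_sessions: dict = {}


def issue_token(allowed_docs, now=None):
    """Mint an unguessable token bound to the documents relevant to one request."""
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    _sessions[token] = CaseSession(frozenset(allowed_docs), now + TOKEN_TTL_SECONDS)
    return token


def is_plain_filename(name):
    """True only for a bare filename: no directory parts, no hidden files, no empties."""
    return bool(name) and name == os.path.basename(name) and not name.startswith(".")


def authorize_download(token, filename, now=None):
    """Decide whether `token` may fetch `filename`.

    Returns (http_status, reason); only 200 lets the caller serve the file.
    Checks: token known, not expired, filename well formed, filename in the
    allow list for that token (exact match, so one case cannot read another's).
    """
    now = time.time() if now is None else now
    session = _sessions.get(token or "")
    if session is None:
        return 401, "unknown token"
    if now >= session.expires_at:
        _sessions.pop(token, None)
        return 401, "token expired"
    if not is_plain_filename(filename):
        return 400, "malformed filename"
    if filename not in session.allowed_docs:
        return 403, "document not in this case"
    return 200, "ok"


def relevant_docs_for(payload):
    """Constructed stand-in for the app's real rule mapping a request to documents."""
    case = str(payload.get("case", "")).lower()
    table = {"refund": ["refund-policy.pdf", "refund-form.pdf"],
             "shipping": ["shipping-terms.pdf"]}
    return table.get(case, [])


def create_app(docs_dir, secure_cookie=True):
    """Flask wiring (Flask imported here so the core above runs without it).

    POST /api/case    -> body {"case": ...}; computes relevant docs, sets the cookie
    GET  /docs/<name> -> serves the PDF only if the cookie's token allows that name
    """
    from flask import Flask, abort, jsonify, make_response, request, send_from_directory

    app = Flask(__name__)

    @app.post("/api/case")
    def start_case():
        payload = request.get_json(silent=True) or {}
        allowed = relevant_docs_for(payload)
        token = issue_token(allowed)
        resp = make_response(jsonify({"documents": sorted(allowed)}))
        # HttpOnly cookie: a plain <a href="/docs/x.pdf" target="_blank"> link
        # sends it automatically, and page scripts cannot read the token.
        resp.set_cookie(COOKIE_NAME, token, max_age=TOKEN_TTL_SECONDS,
                        httponly=True, secure=secure_cookie, samesite="Lax")
        return resp

    @app.get("/docs/<filename>")
    def get_doc(filename):
        status, _reason = authorize_download(request.cookies.get(COOKIE_NAME), filename)
        if status != 200:
            abort(status)
        # send_from_directory joins the path safely and 404s outside docs_dir;
        # without as_attachment the browser renders the PDF in the new tab.
        return send_from_directory(docs_dir, filename, mimetype="application/pdf")

    return app


if __name__ == "__main__":
    pdf_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "pdfs")
    create_app(pdf_dir, secure_cookie=False).run(port=5000)
```

With this wiring a direct request to /docs/refund-form.pdf from Postman or a fresh browser tab, without the cookie, gets a 401 rather than the file, and a token issued for the "shipping" case gets a 403 for the refund documents even though they sit in the same folder. The token rides in an HttpOnly cookie rather than a query string so that the existing "click a link, PDF opens in a new tab" flow keeps working without putting the token into browser history or server logs.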

0 Answers