I just tried setting up stage_file_proxy with private files on a remote while being logged in on the remote. I could not get it to work, has anyone already done this?

I tried hotlinking and downloading.

Any suggestions or links to documentation are really appreciated.

Comments

yobottehg created an issue. See original summary.

hamrant’s picture

I have the same issue. Subscribed.

_Archy_’s picture

Assigned: Unassigned » _Archy_
Status: Active » Needs review

In the end the logic was cut from the other issue for separation of concerns. The private stream wrapper was implemented but it will not function without authentication.

The authentication method proposed in the other issue was to create a basic-auth-like authentication protocol, with the difference that it would pass in the header the ID of the user and the hashed (double hashed, in fact) password of the user, in this way identifying and authenticating the user. This method might have to change or be extended with a method that requires less data, because of issues with GDPR (as discussed in the other issue). The method implemented was using AES encryption.

Since this requires code running on the origin website (authentication protocol) which is not necessarily bound to stage file proxy, I think that we should implement it in a different module. It is a good idea also because other modules could use a protocol like this. Then SFP would use the protocol when sending requests to origin. The origin website would only have to install the auth protocol module, thus removing any overhead added by stage file proxy.

It would also be nice to have a switch to enable / disable the private functionality + A verify button to see whether origin supports the protocol (hidden route for determining).

I am setting this to needs review to see what the maintainers think about this idea.

geek-merlin’s picture

Status: Needs review » Active

Hmm, thought a bit about this and, first thing is, huh, this can open huge attack vectors, so we must do it thoroughly. Also yes, it must go into its own sub-module, so sites that don't need it are not affected by security issues.
The simplest way I can imagine is:
* Let sfp_privatefiles_server add a (REST or whatever) service route and a permission like "Let SFP access private files"
* Let sfp_privatefiles_client query that service, with enforced TLS
* For auth we can use core's basic_auth, or API Key Auth, which may be pluggable anyway if governed by a permission, but we surely shouldn't "roll our own" ;-)
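A config sketch of the server side described in the comment above, added here as an illustration; it is not code from the stage_file_proxy project or from this thread. The module name sfp_privatefiles_server is taken from the comment; the route path, controller class and permission machine name are assumptions. The point it shows is the wiring the comment asks for: the route is gated by a dedicated permission and authenticated through core's basic_auth via the `_auth` route option, so no custom credential scheme is needed, and the permission is marked `restrict access` so the UI flags it as security-sensitive. TLS enforcement is the client's job (verify the certificate, refuse plain http), not something this fragment can express.

```yaml
# sfp_privatefiles_server.routing.yml (hypothetical module, name taken from the comment)
sfp_privatefiles_server.private_file:
  # Assumed path; {filepath} must accept slashes, hence the '.+' requirement below.
  path: '/sfp-private/{filepath}'
  defaults:
    # Assumed controller; it would resolve 'private://{filepath}' and stream the file.
    _controller: '\Drupal\sfp_privatefiles_server\Controller\PrivateFileController::deliver'
  requirements:
    # Only accounts holding this permission may hit the route.
    _permission: 'access private files via stage file proxy'
    filepath: '.+'
  options:
    # Authenticate with core's basic_auth provider instead of a home-grown header scheme.
    _auth: ['basic_auth']

# sfp_privatefiles_server.permissions.yml
access private files via stage file proxy:
  title: 'Let SFP access private files'
  description: 'Grant only to the service account used by a staging site.'
  # Marks the permission as security-sensitive in the permissions UI.
  restrict access: true
```

The `restrict access: true` flag does not change enforcement; it only warns the administrator granting it. Granting the permission to a single dedicated account, rather than to a role shared with humans, keeps the credential that the client site stores scoped to this one route.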

geek-merlin’s picture

Concerning GDPR:
* As personal data does not only sit in the DB, but also in private files, we'd need a veto hook for GDPR module that transparently swaps out a file for a placeholder.

Concerning staging workflows:
* If the server part can expose an endpoint for "current (GDPR-cleaned if needed) DB dump", we can have GDPR-compliant staging workflows where DEV only has the secret to access gdpr-cleaned content, NOT (as often) full SSH access needed for DB-Sync.

greggles’s picture

IMO it would be fine to "won't fix" this issue due to all the complexity it introduces. I don't think it's worth that complexity to support private files. Those can be solved/served/synced in other ways.

_Archy_’s picture

I believe that it is a good feature. There is already an implementation for it in the parent issue. You can find the issue in the first comment. That implementation is ok but has problems with GDPR. The existing implementation works well for testing, stage and development environments. For production though there should be a switch to just use devel generate for those files, but that needs to be implemented and I don't have time.

smustgrave’s picture

Status: Active » Closed (duplicate)

Closing as duplicate. Can discuss more there about if we should do private files or not.