Protect Resources with security authentication

Hello community,
in our Flow 3.3.7 application we use this security surrounding:

security:
  authentication:
    authenticationStrategy: oneToken
    providers:
      DefaultProvider:
        provider: PersistedUsernamePasswordProvider

Is there a simple way to protect resources (\TYPO3\Flow\Resource\Resource) so that nobody can access these files without being authenticated?

I know of this package created by @bwaidelich

I can’t give you any support, since I haven’t used it myself. But it might fit your needs


The solution is really simple: We added an .htaccess redirect for all /_Resource/Persistents/ URLs to a controller call which then can look up if you are logged in and delivers the file with PHP headers if so.

Thanks for your participation anyway :slight_smile:

@cubecoffee Uh, that sounds interesting. Care to share?

.htaccess in Web folder:

#Get Persistent Files from File Controller
RewriteRule ^_Resources/Persistent/(.+)$ /<package.vendor>/file/getpersistentfile?file=$1 [R=301,L]

and the FileController action in my package:

<?php
namespace Vendor\Package\Controller; // placeholder namespace, adjust to your package

use TYPO3\Flow\Annotations as Flow;
use TYPO3\Flow\Mvc\Controller\ActionController;
use TYPO3\Flow\Resource\ResourceManager;
use TYPO3\Flow\Security\Authentication\AuthenticationManagerInterface;

class FileController extends ActionController
{
	/**
	 * @Flow\Inject
	 * @var AuthenticationManagerInterface
	 */
	protected $authenticationManager;

	/**
	 * @Flow\Inject
	 * @var ResourceManager
	 */
	protected $resourceManager;

	/**
	 * @Flow\Inject
	 * @var \Vendor\Package\Domain\Repository\FileRepository
	 */
	protected $fileRepository; // your own File repository, class name assumed

	public function getpersistentfileAction()
	{
		if (!$this->authenticationManager->isAuthenticated()) {
			// not logged in: deny instead of falling through to the default view
			$this->response->setStatus(403);
			return false;
		}
		if (!$this->request->hasArgument('file')) {
			$this->response->setStatus(404);
			return false;
		}
		// get internal file hash: the part before the first slash of "<sha1>/<filename>"
		$fileIdentifier = trim($this->request->getArgument('file'));
		$fileHash = preg_replace("/^([^\/]*)\/.+$/", "$1", $fileIdentifier);
		// only a 40-character hex SHA1 may be used to build a filesystem path
		if (preg_match('/^[0-9a-f]{40}$/', $fileHash) !== 1) {
			$this->response->setStatus(404);
			return false;
		}
		// get file type, e.g. `image/jpeg`, and file name
		$resource = $this->resourceManager->getResourceBySha1($fileHash);
		$fileObj = $resource === null ? null : $this->fileRepository->findByOriginalresource($resource)->getFirst();
		if ($fileObj === null) {
			$this->response->setStatus(404);
			return false;
		}
		$fileType = $fileObj->getFiletype();
		$fileName = $fileObj->getName();

		// get real file path (Flow's default layout: Data/Persistent/Resources/a/b/c/d/<sha1>)
		$originalFileSource = FLOW_PATH_DATA . 'Persistent/Resources/';
		for ($i = 0; $i < 4; $i++) {
			$originalFileSource .= $fileHash[$i] . '/';
		}
		$originalFileSource .= $fileHash;

		// the real file (file_get_contents has no mode argument, the "r" was ignored)
		$file = file_get_contents($originalFileSource);
		if ($file === false) {
			$this->response->setStatus(404);
			return false;
		}

		// return with new headers, set on Flow's response object so they are not
		// overwritten when Flow sends the response; "private" keeps shared caches
		// from storing a protected file
		$this->response->setStatus(200);
		$this->response->setHeader('Content-Type', $fileType);
		$this->response->setHeader('Content-Length', strlen($file));
		$this->response->setHeader('Content-Disposition', 'inline; filename="' . $fileName . '"');
		$this->response->setHeader('Cache-Control', 'private, max-age=63070512');
		$this->response->setHeader('Expires', new \DateTime('@' . (time() + 86400 * 365 * 2)));
		$this->response->setHeader('Date', new \DateTime('now'));

		// returning the bytes makes Flow send them as the response body, no view is rendered
		return $file;
	}
}

That’s cool! I even think that you could move the isAuthenticated() === true into a provider with requestPatterns in Settings.yaml.

But great example, cool that you found a working solution! I’ve sometimes had the same need about protecting resources :thumbsup:
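One way to move the login check out of the action and into Flow's security configuration, as the last reply suggests; this is an added example, not code from the thread. It assumes a Flow 3.x package with the placeholder key Vendor.Package and namespace Vendor\Package, and uses a Policy.yaml method privilege (rather than provider requestPatterns) together with Flow's built-in TYPO3.Flow:AuthenticatedUser role.

```yaml
# Configuration/Policy.yaml of your package (package key and namespace are placeholders)
privilegeTargets:
  'TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    'Vendor.Package:FileController.getPersistentFile':
      # every call of the file-serving action is now covered by a privilege target,
      # so Flow denies it for any role that is not explicitly granted below
      matcher: 'method(Vendor\Package\Controller\FileController->getpersistentfileAction())'

roles:
  # built-in role that every logged-in account has; Anonymous gets no grant, so
  # unauthenticated requests are rejected before the action body runs
  'TYPO3.Flow:AuthenticatedUser':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:FileController.getPersistentFile'
        permission: GRANT
```

With this in place the isAuthenticated() check inside the action becomes redundant; the .htaccess rewrite and the hash validation in the action are still needed.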