Private (walled garden) uploads?

My version of CodiMD is: 1.6

What I expected to happen:

When I upload a file, I hoped that I could hold everything within my domain: the serving, the uploads and the user authentication. I also hoped that I could handle the authorization of content within my user group (school, DSGVO, protection of the young, no opt-in from parents desired).

What actually happened:

Everything so far works, as I found out. Except uploads are world-readable, even if the content is not.

I already tried:

  • use LDAP to authenticate, which works
  • use “no guests” which works
  • use “filesystem” as storage, which works

I admit, the upload URLs are pretty hard random, but still it is pretty easy for everyone with read rights to post a URL into the world (WhatsApp, e.g.) pointing to the uploaded file.

So in summary: You have done a great job. This is an amazing tool.
What do you think of my perspective: is it too protective? Would it be hard to make the uploads no-guest readable?

Cheers, Tobias

This is a rather complicated thing to do.

The risk, given that the URLs are random, as you already mentioned, and people can just save the file and share it on a messenger of their choice, makes it less useful to put everything behind a wall. But of course I understand your concern here; sadly I don’t have an easy solution.

The reason why it is like that: We use the express static function to serve all files in the public directory (quite simple but effective) and there, AFAIK, we can’t apply custom authentication middleware which would require people to be authenticated before getting certain paths served. Images using the filesystem upload are simply put into this directory and linked from there.

And for third-party hosting options, we can’t do that at all, so not much help there either. Maybe someone will come up with a very smart solution.

Thanks for the explanation.
I see.

Your quotes

and

tell me (as an amateur), that there might be a

which would need probably a lot of effort to find, implement and might even complicate things for the other backends (s3, imgur, etc), so not very pragmatic and the reason being only overly pedantic privacy advocates.
As you say and I wanted to say myself: with little effort, people can download, copy and paste anyways.

I concur; it does not have to have priority… can be closed, I think.

The main problem would not be to have an auth middleware for all /upload/ routes, but that you would remove the possibility to access notes by non-logged-in users entirely …

Sure, you would have to consider both and have an additional option available [public readable] which would make sense to be toggled in all cases but the “private” case.
But anyway: I don’t know if it is worth the trouble.