Best way to add authentication to file retrieval? #3887

Closed
@davidrichard23


I'm creating an app that requires HIPAA compliance. My issue is that while the Parse Objects containing references to the images are secured by their ACLs, the images can be accessed by anyone if the filename is known/guessed (very unlikely but possible).

I understand that for most applications this is secure enough, but for HIPAA compliance, I think those images need to be only accessible by authenticated users with the permissions required to access the referencing object.

Now I don't have much knowledge of the code base, but I'm planning on creating a PR for this. Here's what I've come up with:

  1. Add a new boolean config option called authenticatedFileRetrieval or something
  2. In FilesRouter.js change router.get('/files/:appId/:filename', this.getHandler); to router.get('/files/:appId/:filename/:referencingClass?/:sessionToken?', this.getHandler); or use query parameters for the optional params. I'm not sure which would be more appropriate.
  3. In getHandler() if authenticatedFileRetrieval == true query the referencingClass using the sessionToken
  4. If the query returns the ACL secured object, continue as normal. If not, throw an error.

Maybe there's a better way to accomplish this? Or maybe someone can convince me that this isn't needed? Any input would be appreciated!
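
The four steps proposed above, sketched as an added example (not part of the original post and not Parse Server code): the in-memory `sessions` and `objects` stores, the `Scan` class and the `authorizeFileRead` helper are hypothetical stand-ins. It also matches the requested filename against the object, since a readable object in the named class that does not reference the file should not unlock it.

```javascript
// Constructed stand-ins for the session and object stores (hypothetical data;
// nothing here calls Parse Server).
const sessions = new Map([['tok-alice', 'alice'], ['tok-bob', 'bob']]);
const objects = new Map([
  ['Scan', [
    { id: 's1', image: 'abc123_xray.png', acl: { alice: { read: true } } },
    { id: 's2', image: 'def456_mri.png', acl: { bob: { read: true } } },
  ]],
]);

// Step 1: the proposed boolean option.
const config = { authenticatedFileRetrieval: true };

// Step 3: query the referencing class as the session's user, so only objects
// whose ACL grants that user read access come back.
function findReadableReferences(className, filename, userId) {
  const rows = objects.get(className) || [];
  return rows.filter((o) => {
    const entry = Object.prototype.hasOwnProperty.call(o.acl, userId) ? o.acl[userId] : null;
    return o.image === filename && entry !== null && entry.read === true;
  });
}

// Steps 2-4: decide a file request; returns an HTTP-style status code.
function authorizeFileRead(cfg, { filename, referencingClass, sessionToken }) {
  if (!cfg.authenticatedFileRetrieval) return 200; // option off: current behaviour
  if (!referencingClass || !sessionToken) return 401; // params are required once enabled
  const userId = sessions.get(sessionToken);
  if (userId === undefined) return 401; // unknown or expired session
  // The object must reference this exact file; otherwise any object the user
  // can read in the class would unlock every filename.
  const refs = findReadableReferences(referencingClass, filename, userId);
  return refs.length > 0 ? 200 : 403; // same answer whether or not the file exists
}

// Constructed requests: owner, other user, and a request with no token.
const ask = (filename, sessionToken) =>
  authorizeFileRead(config, { filename, referencingClass: 'Scan', sessionToken });
console.log([ask('abc123_xray.png', 'tok-alice'), ask('abc123_xray.png', 'tok-bob'),
  ask('abc123_xray.png', undefined)]);
```

Either placement the post considers (path segment or query parameter) puts the session token in the URL, which web servers and proxies commonly log; the sketch takes the token as a plain argument and is agnostic about transport.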
