0

I have an AngularJS application whose authentication system is built on an access_token, and which communicates with a backend server written in Go.

Therefore, to authenticate the user, I have to add the access_token to each request (?access_token=SomeTokenHere) or send it via a header (Access-Token: SomeTokenHere).

It works great.

The issue is that my backend serves protected images, and I cannot put the access token in the image src for security reasons (if the user copies and pastes the link to someone else, the access_token would be given away too...).

What I'd like to do is inject a header containing my access token, but since the request is made by the browser, it isn't possible.

This would probably be possible with a cookie, but I'd like to avoid using a cookie, especially because the Angular app and the backend are not on the same sub-domain.

Another idea would be to create a directive that would get the raw data and set the data on the image. First, I don't know if this is possible, and is it a good idea for hundreds of images in the webpage?

If you have any ideas, I'd be glad to hear from you!

Thanks

1 Answer

1

It is a typical problem, and fortunately it has already been solved, for example on Amazon S3.

The solution idea is simple: instead of directly using the secret key, you can generate a signature with an access policy, using that key.

There is a good algorithm designed especially to generate signatures for this purpose: HMAC.

You can have one secret key on your server and use it to sign every image URL before it is sent to the client. You can also add some additional policies, like a URL expiration time...


3 Comments

Indeed, an HMAC signature could solve that, but I wanted to make sure the image couldn't be fetched even if the user copies and pastes the link to someone else. The second issue is that generating hundreds of signatures at the same time is not free, and would slow down the request processing.
About link copy/paste: one possible, maybe partial, solution is to check the referrer request header and deny all requests that come from other domains (this is the typical way to prevent image hotlinking). About signature generation time: it is not free, but hashing itself is quite fast (nearly a thousand hashes per few ms), so it would likely not be very noticeable in comparison to other computations during the request. (If you want to test the openssl hashing implementation's performance on your own hardware, you can use the openssl speed sha1 command.)
Interesting. I'll do some tests on that. In the meantime, I'll leave the question open, but I'll accept it later if no one else contributes :-)
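
The signed-URL idea from the answer, sketched in Go as an added example (not code from the original question, answer or comments). The names SignURL and VerifyURL, the expires and sig query parameters, the choice of HMAC-SHA256 and the demo key are all assumptions made for illustration; the image path is assumed to be an already clean URL path.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// secret is a constructed demo key; a real key stays in server-side configuration.
var secret = []byte("constructed-demo-key-not-for-production")

// mac computes HMAC-SHA256 over the signed policy: the image path and its expiry.
func mac(path string, expires int64) []byte {
	h := hmac.New(sha256.New, secret)
	fmt.Fprintf(h, "%s\n%d", path, expires)
	return h.Sum(nil)
}

// SignURL appends expires and sig parameters so the link is valid for ttl from now.
func SignURL(path string, now time.Time, ttl time.Duration) string {
	exp := now.Add(ttl).Unix()
	q := url.Values{"expires": {strconv.FormatInt(exp, 10)}, "sig": {hex.EncodeToString(mac(path, exp))}}
	return path + "?" + q.Encode()
}

// VerifyURL reports whether rawURL carries an unexpired signature made with secret.
func VerifyURL(rawURL string, now time.Time) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	exp, err := strconv.ParseInt(u.Query().Get("expires"), 10, 64)
	if err != nil || now.Unix() > exp {
		return false
	}
	got, err := hex.DecodeString(u.Query().Get("sig"))
	// hmac.Equal compares in constant time, so a mismatch leaks no timing information.
	return err == nil && hmac.Equal(got, mac(u.Path, exp))
}

func main() {
	now := time.Now()
	link := SignURL("/images/42.png", now, 5*time.Minute)
	fmt.Println(link, VerifyURL(link, now), VerifyURL(link, now.Add(time.Hour)))
}
```

Because the expiry is part of the signed data, changing either the path or the expires value invalidates the signature, and the long-lived access_token never appears in the image URL.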
