Question

How can I secure delivery of cached private user content on a Spaces CDN?

Posted May 4, 2020 1.6k views
Node.jsSecurityAPICDNDigitalOcean Spaces

I’ve found this feature from Azure:

https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth

How could I do something similar with DigitalOcean Spaces?

I’ve built out a slideshow SPA that I would like to integrate a scalable storage solution with. The slideshows contain images that must be served quickly, and cannot be served to other users.

I’ve seen this kind of system implemented by large companies like Google, but I haven’t found much info on this kind of system online.

I currently require a bearer token in my API, check the token, and the server the image from the server’s file system. I’d like to get the quick delivery of a CDN, but I also need good security for my users.

1 comment
  • I’m also interested in a setup like this. I’m developing an application which will serve a lot of static data to registered users, but want to limit access to this static data when users aren’t logged in. The scalability of a CDN is of interest to me, but the only way I can see to limit access to a resource is by checking the “private” permission and providing an API key and secret for generating a signature. To keep this secure I would need a separate API key an secret for every registered user.

    I’m planning to use cryptographically-signed user tokens (JWT or otherwise) to authenticate with API endpoints. I could use these tokens to authorize requests, but there’s no obvious way to integrate this with Spaces short of having my API server send a request to spaces. I don’t really see a reason to add this level of cross-talk or latency when I could just store the static files directly on my API server. But by serving from the API server instead of from spaces I’m paying block storage pricing instead of object storage pricing (5x more per gigabyte) and I miss out on the CDN.

    Ideally I’m interested in an edge compute service through DigitalOcean

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer

I asked this question a while ago and I think this won’t be offered without a price tier change. One way you could do it. Is setup api instances in all major locations. When a request comes in, check location of where its coming from and redirect it to one of your api instances thats closest. Then handle authenticating it and serving the file.

I know its not the best idea. But if you want to use Spaces its an option.