
*Enhancement* CP settings and adding Twig optional parameter

Open EternalBlack opened this issue 7 years ago • 2 comments

It would be awesome if it was possible via the CP to change the default duration/settings. Like a number field where 0 = infinite, n<0 = one time download, n>0 = n for the expiration of the link.

Also nice would be to add optional parameters for Twig, something like asset|obfuscateAssetUrl('expire', 5).

EternalBlack, Aug 08 '18 16:08

Hey, @EternalBlack!

I was thinking about implementing this and wanted to understand your use cases for the features a bit better, while clarifying how this works.

Let's say I load a page containing a link to an asset named test.pdf. You have a template tag obfuscating that file's URL, so I see a link with a hashed value, which downloads that file without me seeing its true URL.

Let's say 10 seconds after you load that page, someone else loads it, too. They don't see the hash that was generated when you loaded it. Their link to test.pdf contains an entirely new hashed URL to the same file, which they can click.

The other thing that happened when they loaded the page is that the template tag that obfuscated their link ran a database query to check for hashed URLs older than 15 minutes and purge those so they can't be accessed again. So the invalidation of an expired URL happens any time a page on the site (containing an obfuscated link) is loaded.

A few things I'm thinking through:

  1. Infinite would only mask a URL you don't want to reveal, not prevent it getting into the wild, which I think may be a valid option, though the goal here was to prevent people pasting a link to paywalled files elsewhere on the internet so others could download them. An infinite link would defeat that. And because we're primarily talking about files—PDFs on S3—they needed to be streamed through a paywalled URL, which the user would log in to access anyway.
  2. One time download—Only you have the hashed URL with the expiration date, so unless you share it with others within the 15 minutes, I would assume, in effect, it's just you downloading it once.
  3. Optional expiration period parameters—Things get a little sketchy on this one. Let's say you set the expiration to 1 minute. And let's say you spend 2 minutes reading a bunch of content on the page with the obfuscated link before you click the link. If anyone hit any page with any obfuscated links on it between the 1-2 minutes after you loaded the page you're viewing, they would have purged the hashed link you're clicking on, and you'd get a 404. There's a minimum viable interval that ensures the likelihood that a link generated when you load a page would still be clickable when you get around to clicking it.

With all that in mind, do you have some use cases you could share that these options would address?

Thanks!

heymarkreeves, Aug 12 '18 15:08
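A small model of the purge timing described in the comment above, added here as an illustration and not taken from the plugin's code. It shows that when expiry is enforced only by the purge that runs on page loads, whether an over-age link still works depends on other visitors' traffic. The class and function names and the per-link `ttl` are assumptions, and `check_on_redeem` is an alternative design not proposed in the thread, where the download endpoint itself compares the link's age against its TTL.

```python
import secrets

PURGE_AGE = 15 * 60  # seconds; the 15-minute window described in the thread


class ObfuscatedLinks:
    """Toy in-memory model of the hashed-URL table (hypothetical, not the plugin)."""

    def __init__(self, check_on_redeem=False):
        self.rows = {}  # token -> (asset path, created_at, ttl in seconds)
        self.check_on_redeem = check_on_redeem

    def render_link(self, asset, now, ttl=PURGE_AGE):
        """Template tag: purge rows older than their ttl, then mint a new token."""
        self.rows = {t: r for t, r in self.rows.items() if now - r[1] <= r[2]}
        token = secrets.token_urlsafe(16)
        self.rows[token] = (asset, now, ttl)
        return token

    def redeem(self, token, now):
        """Download endpoint: return the asset path, or None (a 404)."""
        row = self.rows.get(token)
        if row is None:
            return None
        asset, created_at, ttl = row
        if self.check_on_redeem and now - created_at > ttl:
            del self.rows[token]  # expired: enforce here, not only on page loads
            return None
        return asset


def click_after(delay, ttl, other_load_at=None, check_on_redeem=False):
    """A visitor loads the page at t=0 and clicks the link `delay` seconds later.

    If other_load_at is given, another visitor loads a page at that time,
    which triggers the purge.
    """
    store = ObfuscatedLinks(check_on_redeem)
    token = store.render_link("test.pdf", now=0, ttl=ttl)
    if other_load_at is not None:
        store.render_link("test.pdf", now=other_load_at, ttl=ttl)
    return store.redeem(token, now=delay)


if __name__ == "__main__":
    # Constructed scenario: 1-minute ttl, click after 2 minutes.
    print("quiet site:     ", click_after(120, ttl=60))
    print("busy site:      ", click_after(120, ttl=60, other_load_at=90))
    print("check on redeem:", click_after(120, ttl=60, check_on_redeem=True))
```

On a quiet site the purge-only model keeps serving a link past its TTL until the next page load, so the TTL is a lower bound on a link's lifetime rather than a limit.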

Thank you for the reply!

I'm currently coming from this plugin boscho87/serve-secret and primarily use it for "one-time-downloads" as well as not shareable download-URLs. I assume this is pretty much the same (or at least very similar) as to what your plugin currently offers from a user perspective. Even though I really like the approach of "serve-secret" to achieve this based on the session.

As for myself, I am looking for something with those capabilities (preferably the session variant), but also with the capability to alter the duration a link is available by either entering an expiration date or duration it should be available for after the template is displayed. It would be nice to alter the default settings via the CP (which would alter all templates using the Twig tag without any parameter behind the tag), but also have them altered via the templates (Twig) on a per tag/file basis. A nice addition could be having an extra CP section where you can see statistics like how often a file was downloaded (if, for example, it is available for 30 days) or show current sessions with the time remaining, etc.

Another nice feature would be to password protect files. This could be done in a similar way to how Mega does it. There is a base URL scheme that indicates that there is a file to be downloaded that has a password. This could be noticed via JavaScript and act accordingly. The actual file download URL is obfuscated and the actual base URL + the (md5) hash of the password given. Meaning if you got a file whose normal URL would be www.abc.de/myDL.txt, the full URL after obfuscating would be something like www.abc.de/SAdfeFsdfhFGSDH#kjlh345kl where the # indicates that www.abc.de/SAdfeFsdfhFGSDH is the file placeholder and kjlh345kl is the hash of the password. It's quite hard to explain, just have a look at how Mega does it.

EternalBlack, Aug 14 '18 17:08