Secure Assets with Client Authentication


#1

Hi Sebastian,

Is it possible to secure assets the same way as the rest of the API? Currently it is possible to download assets if you know the URI. I did not find anything about that, although the assets.read permission exists.

Best regards,

Pascal


#2

So far it is not possible. But how likely is it that somebody finds out the Guid? It is like a password for every asset.


#3

You are right, the issue is not guessing the URI, but somebody “losing” it. If you secure the API, even a known URL is no issue because you still need to authenticate.

My first idea was to add an additional endpoint to the AssetContentController that needs Asset.Read permission and to have a flag for each asset marking it “secure” or “not secure”. Secure assets can only be fetched from the secure endpoint and the unsecure endpoint should no longer deliver them.
This would make the secure asset optional and downwards compatible.
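
A framework-independent model of the two-endpoint proposal in post #3, added here as an example; it is not code from the thread or from the project. The names `is_protected`, `get_public`, `get_secure`, the sample store and the choice of status codes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ASSETS_READ = "assets.read"  # permission name mentioned in the thread

@dataclass(frozen=True)
class Asset:
    content: bytes
    # Hypothetical per-asset flag; defaulting to False keeps existing
    # assets downloadable by URL, as they are today.
    is_protected: bool = False

# Constructed sample data: one legacy asset, one asset marked "secure".
PUBLIC_ID = "11111111-1111-1111-1111-111111111111"
PROTECTED_ID = "22222222-2222-2222-2222-222222222222"
STORE = {
    PUBLIC_ID: Asset(b"logo"),
    PROTECTED_ID: Asset(b"contract", is_protected=True),
}

def get_public(asset_id: str) -> Tuple[int, bytes]:
    """Existing anonymous endpoint: must no longer deliver protected assets."""
    asset = STORE.get(asset_id)
    # Assumption: answer 404 for both "missing" and "protected", so a leaked
    # URL does not even confirm that a protected asset exists.
    if asset is None or asset.is_protected:
        return 404, b""
    return 200, asset.content

def get_secure(asset_id: str, permissions: Optional[Set[str]]) -> Tuple[int, bytes]:
    """New endpoint: caller must be authenticated and hold assets.read.

    permissions is None for an unauthenticated request.
    """
    # Authorize before the lookup so the status code never depends on
    # whether the asset exists for callers without the permission.
    if permissions is None:
        return 401, b""
    if ASSETS_READ not in permissions:
        return 403, b""
    asset = STORE.get(asset_id)
    if asset is None:
        return 404, b""
    return 200, asset.content
```
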


#4

Sounds like a good idea :)

You could add the checkbox to the annotate dialog then.


#5

Exactly. The dialog where you add tags or generate the slug. That would be very convenient. Should I open a feature request?