How to obtain the temporary time-limited file URL for a protected file

How can I obtain the time-limited URL - ie. the existing system used by bubble to provide temporary open access to secure files?

In bubble, ‘Make this file private’ files have an associated URL on the database which correctly does not allow unauthorised access, e.g.

https://marketing.yamahamusiconline.com/version-test/fileupload/f1597017264302x426401770374256200/yml.jpeg
->
{“error_class”:“Unauthorized”,“args”:{“code”:“1597056127337x589315790263187300”},“message”:null,“translation”:“Permission denied”}

However, when the signed-in user has the right permissions to access the file, bubble will redirect requests from this URL as above to a different one, with a time-limited key, e.g.

https://s3.amazonaws.com/appforest_uf/f1597017264302x426401770374256200/yml.jpeg?AWSAccessKeyId=AKIAIUMZEBL2PSHM4AZQ&Expires=1597056756&Signature=dVuXAGAm28QtOVZ0SQmGdElj7Uo%3D

This URL is open, but using the AWS access control system, will expire 5 minutes after it was generated.

For use by 3rd party services (e.g. creating an image from a file or obtaining meta data) I’d like to pass the time-limited-but-open URL to them; is there a way to generate this URL on-the-fly, just like bubble does?

Or am I trying to solve this problem the wrong way?

When you are using a file uploader or a picture uploader, there is an option you can check called, “Make this file Private.” When you check that, you can insert dynamic data to reference the user you want this file to be associated with. Those that try to access the link not as the user will get the “Access Denied” message.

As for a temporary timed file, you can schedule a workflow for X amount of time after the current date/time to have the file delete.

My suggestion for you would just to go with making the file private for a certain user, or if you really want a timed file, then schedule a workflow.

Note: In order to use Scheduled Workflows you need to be on a paid plan.

Hi Johnny,

Thank you for taking the time to reply - bubble is such a fantastic system, and one of the major attractions is the support of the community around it.

However, your reply - while well intentioned - is not relevant to the scenario as I have outlined it. Note that I am describing the existing mechanism that bubble uses to provide the ‘Make this file Private’ process - this is not something I’ve built, it’s what the system does already. The temporary timed URL is something bubble is already generating in order to provide this protection; so my query is how to access this URL, not to create such a system.

I will see if I can adjust my original question so this is clearer, as I very much appreciate you taking the time to consider how to assist me.

Many thanks,
James

I don’t believe there is a native feature for a temporary timed URL in Bubble. My suggestion as I stated above for you would be to schedule a workflow to delete the file after X amount of time.

Hope this helps!

Hi Johnny, when signed-in and authorised, bubble redirects the original URL of ‘Make private’ files to a url on AWS S3 which uses an Expiry query parameter and a signature query parameter to effectively limit access to the file on S3 for 5 minutes after the original request. This is a standard (but a little hidden) bubble mechanic.

1 Like

Sounds like you want to use the file for use in a plugin or for SEO purposes.

What exactly would be used as a 3rd party service that a user of your application who has decided to upload a ‘private file’ would want those 3rd party services to access them? Unless the only time a 3rd party service is when the user who uploaded the private file is using the 3rd party service.

If the person who uploaded the file that is supposed to be private is the only user allowed to utilize the 3rd party service in conjunction with the private file, couldn’t you look into the privacy rules? I would assume not uploading the file as private and instead create a privacy rule around the type of file. That should be a way to make the file private in as much as other users can not access it, but with the right privacy rules would allow access by the 3rd party service when the file ‘owner’ is on your app initiating the use of the file in a 3rd party service.

Hi Boston85719,

Thank you for your thoughts!

The essence is that the users are creating a private digital asset management system, so it’s important that the files aren’t available to the public. However, as you know, there are services that allow the assessment of files (e.g. pixel width, height, gps co-ords, face detection etc.) that would prove very useful as filters when selecting files back out of the DAM.

So, the primary files are generally to be secure, but for brief periods it would be appropriate to allow them to be accessed outside.

Perhaps it might be more appropriate to use the URL of the file to generate a call to the app itself and use an API to serve the image directly after having checked that the appropriate rules have been met (e.g. user is logged in)? But in this case the underlying file is unprotected (although guessing it’s url is unlikely for an external person), but also every image served would need to come through the app, and not through a content delivery network. The bubble solution here is very elegant - security, and CDN compatible. Just how to generate that secure URL…!

3 Likes

This topic was automatically closed after 70 days. New replies are no longer allowed.