Private file - external API access - driving me crazy!

Hi all,

How do I secure files (through the privacy settings) while providing user actions based access to third party services?

I have spent countless hours on figuring this out (trying various AWS upload tools and Wasabi) but it simply seems not fixable…?

What do I need to accomplish
My app uses files. The access to these files should be limited to specific users (which can be managed by uploading ‘private files’ (i.e. setting privacy rules) binding the file to a specific data type and establishing privacy rules to this data type that allow users matching the relevant criteria to view the files). So far so good.

The problem however is that these files have to interact with trusted external services as well (e.g. openAI vector stores, DeepL).

Bubble does not seem to offer a solution for this, or at least I have no been able to figure it out.

Plugins
There are several plugins I have used so far that either interact wit AWS S3 or Wasabi S3. The settings like Access Control Lists (ACL) and CORS (cross origin access) combined with the API are great for shielding the files from users with unauthorized access. The Pre-signed URLs are a great way of getting these files out again [I cannot mention too often that adding this simple feature to bubble’s core functionality would already solve a lot!].

The issues that is not resolved with this, is that users with access to the application could technically access all files, as the access cannot be restricted to a specific user (no privacy rules associated with any of the plugin uploaders) creating major vulnerabilities.

Not sure what to do anymore…

There used to be a plugin published for this… How to Generate Presigned URLs - #5 by DjackLowCode

@DjackLowCode were you aware it got delisted?

So if you don’t want to use the api_key in the url and instead got the presigned url, i should be possible with a plugin (that can be used in backend WF) that will call the file url with the api_key but avoid to follow redirect and use the location header to get the presigned url.

sorry responded to quickly. I noticed the api key solution, which indeed is not sufficiently secure.

What type of plugin generates pre-signed urls on the existing private files?

I don’t know if there’s one that exist and I don’t know if the suggested one by @tylerboodman was doing this. Seem is not available on the marketplace anymore so I cannot inspect code (if this was free)

1 Like
2 Likes

Yes, it look like it was made for that

Thanks @tylerboodman! I’ll try to get this one back up!

1 Like

Hey @c.bakermans, this plugin is back up here

Agree it would be a useful thing for Bubble to implement themselves (and probably low hanging fruit).

Let me know if you have any questions!

Thanks @tylerboodman for the reminder.

2 Likes

You can also do it natively by appending an admin API token to the file URL. Whether you want to do that depends on what service you’re calling (and if you trust them)

Thanks a million!

  1. When testing this it seems that the function is sending a random .txt file into the service (openAI) and not the file I uploaded as a private file.
  2. what is the API key for that I have to add in the plugin section?

sorry i read the documentation. It works. Awesome!!

Only thing that gets lost is the filename (which seems to be inherent to the way services records filenames based on pre-signed urls)

Is it also possible to manage (1.) the time of the pre-signed url or (2.) the number of times the link can be accessed?

Hey @c.bakermans - glad that it’s working for you :slight_smile:

For your questions:

  1. No the time cannot be changed unfortunately. I think the default is 5 mins but could also be longer when it’s on the CDN. This is arbitrary given the length of the URL ( I.e it won’t be randomly scraped)

  2. unfortunately it’s just a presigned url so we can’t set access if it’s been clicked.

Good luck!

1 Like