Authenticated or private images still accessible to anyone with access to the URL
I'm building a web app where users create an account and can upload images to their user profile (like a dating app). I want these images to be accessible only via my web app and not, say, looking at the source code, copying the url, and sending it via text message to anyone.
I've been trying hard to make it so that images uploaded are either "private" or "authenticated", but I still get in response a URL that is accessible to anyone I send the URL to.
Here is my node.js code for uploading the image (uploading works fine; I have set up the cloudinary functionality with my API key and secret):
I have changed the variable uploadType to either 'authenticated' or 'private'; both have the same result: the URL is still public.
    // cloudinary is configured elsewhere with cloud_name, api_key and api_secret
    const cloudinary = require('cloudinary');

    // Tried both 'authenticated' and 'private'; the returned URL is public either way
    let uploadType = 'authenticated';
    cloudinary.v2.uploader.upload(
      req.file.path,
      {
        upload_preset: CLOUDINARY_UPLOAD_PRESET,
        type: uploadType,
        sign_url: true,
        access_mode: 'authenticated'
      },
      function(error, result) {
        if (error) {
          console.error('upload failed:', error);
          return;
        }
        console.log('ok returned from cloudinary');
        console.log(result);
      }
    );
Here is sample output; the secure_url or url is public to anyone.
{ public_id: 'nsaua2raza71pgpmr0ko',
version: 1509890742,
signature: '29db0d1e86f74dc74c56462ba63aa293a78f13b4',
width: 350,
height: 469,
format: 'jpg',
resource_type: 'image',
created_at: '2017-11-05T14:05:43Z',
bytes: 32207,
type: 'authenticated',
etag: '46385dd95b806ce32f7436e49cc3701a',
placeholder: false,
url: 'http://res.cloudinary.com/ddktptjqx/image/authenticated/s--VQXHefIF--/v1509890742/nsaua2raza71pgpmr0ko.jpg',
secure_url: 'https://res.cloudinary.com/ddktptjqx/image/authenticated/s--VQXHefIF--/v1509890742/nsaua2raza71pgpmr0ko.jpg',
access_mode: 'authenticated',
original_filename: '0de64952eed8c4019f00e0d0629b9137' }
I CLEARLY do not know what I'm doing. I have read the blog posts and I think I'm doing what they say, but nothing works. I think I may be misrepresenting what 'private' or 'authenticated' means.
-
Hi Terrence,
Please note that both types, Authenticated and Private, are meant to restrict users from generating resources. Meaning, if you use either of the above types, the end-user would need to know your API Secret (which should be kept confidential) in order to generate (and view) the resource. However, once the resource is created, any user who has the URL can view it.
As a side note, when using private images, once the derived resource is created, there's no need to know the signature in order to access it, while when using authenticated images, without the signature, they cannot be accessed. If you'd like, we can tweak your account to omit URLs from upload response JSON.
More specific restrictions can be performed using a cookie-based authentication. Please read the below documentation for more information:
https://cloudinary.com/documentation/image_transformations#authenticated_images
-
Thank you for the reply. OK, maybe you can lead me in the right direction, seeing that once the image asset is created (uploaded) I have a URL that only I would know and no one could guess. So now that I have the image uploaded, what is the Cloudinary recommended way to get this image asset and show it as an <img> on my website BUT without showing the src="url to image here"? This is where I'm confused as to how Cloudinary works. I don't want someone to "view source" of the web page and be able to get the URL of the asset and send it anywhere...