Allowing users to upload videos
We have an application that will allow users to upload replay videos for other users to view. These are short videos recorded of the gameplay in the app.
Cloudinary looks like a great solution for this, but the problem is that at some point the client secret needs to be used to make an upload from the user app.
I don't see a way we can make this 100% secure (i.e., prevent discovery of the client secret).
Is this just a fundamental problem that is only solvable by having a proxy server make the upload to Cloudinary using the client secret?
EDIT: Reading the documentation further, it looks like unsigned uploads would allow the app to upload without the client secret.
Can we configure rate limiting on a per-connection basis to make sure this doesn't get abused?
Also, if the app wants to get a list of all the video URLs matching some timeframe or tag, can it do so without providing the client secret to the API?
-
Hi Alan,
Unsigned uploads are one way of uploading your assets to Cloudinary without having to use the API secret and hence not exposing it. You should never use your API secret on the client-side such as frontend apps or mobile. However, the downside with this is that if someone finds out your cloud name and upload preset, they can use it to make unauthorised uploads outside your apps.
There is no rate-limiting feature available for uploads but there are a couple of things you can do, all of which require you to set up a backend server. They are:
- Adding a "Notification URL" and enabling "Async" from your upload preset's settings so your server will get notified when an upload with that preset is used. We will send a "pending" message to the uploader but still upload the asset in the background so the uploader will not get the standard upload response. You can then check the notification payload on your backend server and determine whether to keep that uploaded asset or delete it.
- Implement signed uploads from the client-side so you will not need to send the file to your server instead you'd just ask your backend to generate a signature per upload, return it to the frontend and then send the file and signature to us. This will be an entirely authenticated request so how you manage the authentication from the frontend to the backup server when requesting the signature string will be under your requirements.
- Send a file from the frontend to the backend and upload it from there using one of our many SDKs or directly.
Click here to find out more about how to create a signature server-side. Click here to find out more about the backend SDKs we provide.
Thank you
0 -
Thanks -- creating the signature server side sounds like a good approach.
The documentation explains how to generate the signature on the back end, but it's unclear to me if the front-end would be forced to use REST calls to use the signature. Does the .NET SDK support injecting the signature when using the Upload and Search methods in the SDK?
0 -
Hi Alan,
Yes, so if you are using the backend simply for the creation of the signature then your frontend will need to call our REST APIs with the signature and other relevant data.
You can also use the SDK to directly make the upload but you'd need to send the file from the frontend to the backend. Our backend SDK libraries provide a wrapper for the Upload API so request building and authentication are handled automatically, and the JSON response is parsed and returned.
For the search API, you can use the SDK as well and like upload, the authentication is handled automatically. We recommend using the SDK or even curl in your backend.
Alternatively, you can use the Client-side asset lists from the frontend to list assets with a specified tag however this only supports the listing of up to 1000 assets per resource.
Finally, you can store the results of the upload response in your own database as it will provide you with the creation time, version etc. and search against that as required.
Thanks.
0
Post is closed for comments.
Comments
3 comments