Cross-Domain Media with authentication for Django
Project description
Cross-Domain Media with authentication for Django
The situation: You serve media files from a different domain than your main web application domain (good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize media file delivery.
The problem: You don't have access to the user's session on the media domain and can't authenticate or authorize media access.
The solution: You handle media URLs with an expiring token attached which temporarily authorizes access and can be refreshed via redirects when needed.
HTTP View
Here's how it works in HTTP:
- -> GET media.example.org/path/file.pdf
- <- 302 www.example.com/path/file.pdf
- -> GET www.example.com/path/file.pdf
- if not authorized <- 403
- if authorized <- 302 media.example.org/path/file.pdf?token=XYZ
- -> GET media.example.org/path/file.pdf?token=XYZ
- <- 200 file.pdf
- after expiry -> GET media.example.org/path/file.pdf?token=XYZ
- See step 2
Use in Django
# Development
MEDIA_URL = '/media/'
# Production
MEDIA_URL = 'https://media.example.org/media/
INTERNAL_MEDIA_PREFIX = '/protected/'
from crossdomainmedia import (
CrossDomainMediaAuth, CrossDomainMediaMixin
)
class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
'''
Create your own custom CrossDomainMediaAuth class
and implement at least these methods
'''
SITE_URL = 'https://www.example.com'
def is_media_public(self):
'''
Determine if the media described by self.context
needs authentication/authorization at all
'''
return self.context['object'].is_public
def get_auth_url(self):
'''
Give URL path to authenticating view
for the media described in context
'''
obj = self.context['object']
raise reverse('view-name', kwargs={'pk': obj.pk})
def get_media_file_path(self):
'''
Return the file path relative to MEDIA_ROOT
'''
obj = self.context['object']
return obj.file.name
class CustomDetailView(CrossDomainMediaMixin, DetailView):
'''
Add the CrossDomainMediaMixin
and set your custom media_auth_class
'''
media_auth_class = CustomCrossDomainMediaAuth
Some other useful methods
# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)
# Send file via nginx internal redirect response
mauth.send_internal_file()
Nginx config
This is how an Nginx config could look like.
server {
# Web server with session on domain
listen 443 ssl http2;
server_name www.example.com;
# ...
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
# etc...
proxy_pass wsgi_server;
}
}
server {
# Media server with no session on domain
listen 443 ssl http2;
server_name media.example.org;
# ...
location /media/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
# etc...
proxy_pass wsgi_server;
}
location /protected {
internal;
alias /var/www/media-root;
}
}
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for django-crossdomainmedia-0.0.3.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 25adebf407b0406d17024bbdf8f59c022de2ba7d9a1b4689a63b4b173b410d4b |
|
| MD5 | df687a52d2cde313a7eb64a0b7641915 |
|
| BLAKE2b-256 | 95180e758e8021fd11b7337c3fd7e3133a9b0e86eb4366eb922e0d69f4d804d7 |
Close
Hashes for django_crossdomainmedia-0.0.3-py2.py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 798bcfe52c853121d060ff9fb1c69fa29e391c4edfe62fc2de275baa61ac53d0 |
|
| MD5 | 49361759f46c334197f876a026f3feba |
|
| BLAKE2b-256 | 6f926a69839f74ea41ff6f2b0e27178bd124c75a59e7275c9b9ac310aa4a69e2 |
