Cross-Domain Media with authentication for Django
The situation: You serve media files from a different domain than your main web application domain (good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize media file delivery.
The problem: You don't have access to the user's session on the media domain and can't authenticate or authorize media access.
The solution: You handle media URLs with an expiring token attached which temporarily authorizes access and can be refreshed via redirects when needed.
HTTP View
Here's how it works in HTTP:
1. -> GET media.example.org/path/file.pdf
2. <- 302 www.example.com/path/file.pdf
3. -> GET www.example.com/path/file.pdf
   - if not authorized <- 403
   - if authorized <- 302 media.example.org/path/file.pdf?token=XYZ
4. -> GET media.example.org/path/file.pdf?token=XYZ
5. <- 200 file.pdf
6. after expiry -> GET media.example.org/path/file.pdf?token=XYZ
   - See step 2
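A minimal sketch of the expiring-token check in the flow above, added here as an illustration and not the package's own code. The token format, `SECRET`, `MAX_AGE`, `make_token` and `check_token` are assumptions, since the page does not show how the library builds its tokens.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
MAX_AGE = 120                     # assumption: token lifetime in seconds


def _sign(path, issued):
    # The MAC covers the path and the issue time, so neither can be altered.
    msg = f"{path}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(path, now=None):
    """Issued on www.example.com once the session check has passed."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(path, issued)}"


def check_token(url, now=None):
    """Decision on media.example.org: 'serve' the file, or 'redirect'
    back to the authorizing view on the main domain."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [""])[0]
    issued_s, _, mac = token.partition(".")
    if not (issued_s.isascii() and issued_s.isdigit()):
        return "redirect"  # missing or malformed token
    issued = int(issued_s)
    expected = _sign(parts.path, issued)
    # Constant-time comparison; a token minted for one file fails here
    # when replayed against a different path.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "redirect"
    current = time.time() if now is None else now
    if current - issued > MAX_AGE:
        return "redirect"  # expired: the main domain re-checks authorization
    return "serve"
```

Because an invalid or expired token leads back to the authorizing view rather than to an error, revoking a user's access takes effect at most `MAX_AGE` seconds later.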
Use in Django
```python
# Development
MEDIA_URL = '/media/'
# Production
MEDIA_URL = 'https://media.example.org/media/'
INTERNAL_MEDIA_PREFIX = '/protected/'
```

```python
from django.urls import reverse
from django.views.generic import DetailView

from crossdomainmedia import (
    CrossDomainMediaAuth, CrossDomainMediaMixin
)


class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
    '''
    Create your own custom CrossDomainMediaAuth class
    and implement at least these methods
    '''
    SITE_URL = 'https://www.example.com'

    def is_media_public(self):
        '''
        Determine if the media described by self.context
        needs authentication/authorization at all
        '''
        return self.context['object'].is_public

    def get_auth_url(self):
        '''
        Give URL path to authenticating view
        for the media described in context
        '''
        obj = self.context['object']
        return reverse('view-name', kwargs={'pk': obj.pk})

    def get_media_file_path(self):
        '''
        Return the file path relative to MEDIA_ROOT
        '''
        obj = self.context['object']
        return obj.file.name


class CustomDetailView(CrossDomainMediaMixin, DetailView):
    '''
    Add the CrossDomainMediaMixin
    and set your custom media_auth_class
    '''
    media_auth_class = CustomCrossDomainMediaAuth
```
Some other useful methods
```python
# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)

# Send file via nginx internal redirect response
mauth.send_internal_file()
```
Nginx config
This is what an Nginx config could look like.

```nginx
server {
    # Web server with session on domain
    listen 443 ssl http2;
    server_name www.example.com;
    # ...
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...
        # wsgi_server is assumed to be an upstream defined elsewhere;
        # proxy_pass needs the scheme prefix
        proxy_pass http://wsgi_server;
    }
}

server {
    # Media server with no session on domain
    listen 443 ssl http2;
    server_name media.example.org;
    # ...
    location /media/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...
        proxy_pass http://wsgi_server;
    }

    location /protected {
        # Only reachable through X-Accel-Redirect, never by direct request
        internal;
        alias /var/www/media-root;
    }
}
```
Hashes for django-crossdomainmedia-0.0.4.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 71265b33804d631da3ce7e5e8c960c50b6dcca5859bce6f3b777269ee751d605
MD5 | 2865a65c1fdf40ef5d2ce61b00a4f71e
BLAKE2b-256 | cbd6ad536efc64d6f0b9e844bebe0f7c2c4ef20427033610b9a2e2611e341441
Hashes for django_crossdomainmedia-0.0.4-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | e8c487511353d92a04fc050e887bf9dff1638432339c2eb6b0bef32b3e53593f
MD5 | 6849045a5dee6f478f7fa0fad22624ca
BLAKE2b-256 | c4ba23f98509211657c1f7924458830d5bc4f28723f846df58c937ee6c5b2976