Skip to main content

Cross-Domain Media with authentication for Django

Project description

Cross-Domain Media with authentication for Django

The situation: You serve media files from a different domain than your main web application domain (good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize media file delivery.

The problem: You don't have access to the user's session on the media domain and can't authenticate or authorize media access.

The solution: You handle media URLs with an expiring token attached which temporarily authorizes access and can be refreshed via redirects when needed.

HTTP View

Here's how it works in HTTP:

  1. -> GET media.example.org/path/file.pdf
  2. <- 302 www.example.com/path/file.pdf
  3. -> GET www.example.com/path/file.pdf
    • if not authorized <- 403
    • if authorized <- 302 media.example.org/path/file.pdf?token=XYZ
  4. -> GET media.example.org/path/file.pdf?token=XYZ
  5. <- 200 file.pdf
  6. after expiry -> GET media.example.org/path/file.pdf?token=XYZ
  7. See step 2

Use in Django

# Development
MEDIA_URL = '/media/'

# Production

MEDIA_URL = 'https://media.example.org/media/
INTERNAL_MEDIA_PREFIX = '/protected/'
from crossdomainmedia import (
    CrossDomainMediaAuth, CrossDomainMediaMixin
)


class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
    '''
    Create your own custom CrossDomainMediaAuth class
    and implement at least these methods
    '''
    SITE_URL = 'https://www.example.com'

    def is_media_public(self):
        '''
        Determine if the media described by self.context
        needs authentication/authorization at all
        '''
        return self.context['object'].is_public

    def get_auth_url(self):
        '''
        Give URL path to authenticating view
        for the media described in context
        '''
        obj = self.context['object']
        raise reverse('view-name', kwargs={'pk': obj.pk})

    def get_media_file_path(self):
        '''
        Return the file path relative to MEDIA_ROOT
        '''
        obj = self.context['object']
        return obj.file.name


class CustomDetailView(CrossDomainMediaMixin, DetailView):
    '''
    Add the CrossDomainMediaMixin
    and set your custom media_auth_class
    '''
    media_auth_class = CustomCrossDomainMediaAuth

Some other useful methods

# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)

# Send file via nginx internal redirect response
mauth.send_internal_file()

Nginx config

This is how an Nginx config could look like.

server {
    # Web server with session on domain
    listen              443 ssl http2;
    server_name         www.example.com;
    # ...

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...

        proxy_pass wsgi_server;
    }
}

server {
    # Media server with no session on domain

    listen 443 ssl http2;
    server_name media.example.org;
    # ...

    location /media/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...

        proxy_pass wsgi_server;
    }

    location /protected {
        internal;

        alias /var/www/media-root;
    }
}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-crossdomainmedia-0.0.3.tar.gz (5.3 kB view hashes)

Uploaded Source

Built Distribution

django_crossdomainmedia-0.0.3-py2.py3-none-any.whl (6.9 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page