
Cross-Domain Media with authentication for Django

The situation: You serve media files from a different domain than your main web application domain (good idea). You want to use nginx's internal redirect (X-Accel-Redirect) to authorize media file delivery.

The problem: You don't have access to the user's session on the media domain and can't authenticate or authorize media access.

The solution: You handle media URLs with an expiring token attached which temporarily authorizes access and can be refreshed via redirects when needed.

HTTP View

Here's how it works in HTTP:

  1. -> GET media.example.org/path/file.pdf
  2. <- 302 www.example.com/path/file.pdf
  3. -> GET www.example.com/path/file.pdf
    • if not authorized <- 403
    • if authorized <- 302 media.example.org/path/file.pdf?token=XYZ
  4. -> GET media.example.org/path/file.pdf?token=XYZ
  5. <- 200 file.pdf
  6. after expiry -> GET media.example.org/path/file.pdf?token=XYZ
  7. See step 2
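
The token round trip above, sketched as an added example (not the package's own code): the session domain signs the path plus an expiry time, and the media domain verifies that signature without any session. The key, the 60-second lifetime, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: key known to the app on both domains
SITE_URL = "https://www.example.com"  # session-bearing domain from the page
INTERNAL_PREFIX = "/protected/"       # nginx internal location
TTL = 60                              # assumption: token lifetime in seconds


def make_token(path, now, ttl=TTL):
    """Step 3: issued on www.example.com after the session-based check passes."""
    expires = int(now) + ttl
    msg = f"{path}:{expires}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires}:{mac}"


def token_valid(path, token, now):
    """Checked on media.example.org, which never sees the session cookie."""
    try:
        expires_s, mac = token.split(":", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    msg = f"{path}:{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time compare; the MAC covers path and expiry, so a token
    # cannot be reused for another file or have its lifetime extended.
    return hmac.compare_digest(mac.encode(), expected.encode()) and now < expires


def media_response(path, token, now):
    """Steps 2, 5 and 7: hand off to nginx, or bounce to the session domain."""
    if token_valid(path, token, now):
        return 200, {"X-Accel-Redirect": INTERNAL_PREFIX + path.lstrip("/")}
    return 302, {"Location": SITE_URL + path}
```

An expired, missing or tampered token all produce the same 302, so the only way to a fresh token is through the session-checked view on the main domain.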

Use in Django

# Settings

# Development
MEDIA_URL = '/media/'

# Production
MEDIA_URL = 'https://media.example.org/media/'
INTERNAL_MEDIA_PREFIX = '/protected/'

# Views
from django.urls import reverse
from django.views.generic import DetailView

from crossdomainmedia import (
    CrossDomainMediaAuth, CrossDomainMediaMixin
)


class CustomCrossDomainMediaAuth(CrossDomainMediaAuth):
    '''
    Create your own custom CrossDomainMediaAuth class
    and implement at least these methods
    '''
    SITE_URL = 'https://www.example.com'

    def is_media_public(self):
        '''
        Determine if the media described by self.context
        needs authentication/authorization at all
        '''
        return self.context['object'].is_public

    def get_auth_url(self):
        '''
        Give URL path to authenticating view
        for the media described in context
        '''
        obj = self.context['object']
        return reverse('view-name', kwargs={'pk': obj.pk})

    def get_media_file_path(self):
        '''
        Return the file path relative to MEDIA_ROOT
        '''
        obj = self.context['object']
        return obj.file.name


class CustomDetailView(CrossDomainMediaMixin, DetailView):
    '''
    Add the CrossDomainMediaMixin
    and set your custom media_auth_class
    '''
    media_auth_class = CustomCrossDomainMediaAuth

Some other useful methods

# Get your media URLs with token outside of view
mauth = CustomCrossDomainMediaAuth({'object': obj})
mauth.get_full_media_url(authorized=True)

# Send file via nginx internal redirect response
mauth.send_internal_file()

Nginx config

This is what an Nginx config could look like.

server {
    # Web server with session on domain
    listen              443 ssl http2;
    server_name         www.example.com;
    # ...

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...

        # proxy_pass needs a scheme; wsgi_server is a placeholder upstream name
        proxy_pass http://wsgi_server;
    }
}

server {
    # Media server with no session on domain

    listen 443 ssl http2;
    server_name media.example.org;
    # ...

    location /media/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        # etc...

        # proxy_pass needs a scheme; wsgi_server is a placeholder upstream name
        proxy_pass http://wsgi_server;
    }

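    # Prefix mirrors INTERNAL_MEDIA_PREFIX; matching trailing slashes on
    # location and alias keep the path mapping exact.
    location /protected/ {
        # Reachable only through X-Accel-Redirect, never by a direct request
        internal;

        alias /var/www/media-root/;
    }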
}
