JWT prevents hot linking to your media

Sudip Purkayastha
Published in ideahive
Oct 9, 2018 (2 min read)

Imagine you have some media files published as static HTTP(S) links on your website for your target customers, and they have become very popular recently. Other sites (or a search engine) start finding the links to your media and embedding them on their own pages, or people start sharing your media links with others. Suddenly you see a surge of downloads on your website, costing you bandwidth.

To avoid this situation, one approach is to sign media URLs when clients ask for them, giving temporary access to private resources without requiring additional authorization. A signed URL can be used by anyone who has it, so to minimize the risk of a signed URL being shared, set it to expire as soon as possible.

In Windows Azure this feature is called a Shared Access Signature (SAS); in AWS it is called a Signed URL.

How URLs are signed — Using JWT

JSON Web Tokens (JWT) are a compact, self-contained way of securely transmitting information and representing claims between parties as a JSON object. A JWT consists of three components, Header, Payload and Signature, delimited by a period (.) character.

JWTs can be signed either with a secret (using the HMAC algorithm) or with a public/private key pair using RSA.

Express Media Server — hosts media related APIs

When the client makes an API call (http(s)://…/api/mediadetail/{1}) to request a media file path, the MediaController uses the uriTokenizer module (based on jsonwebtoken) to create a temporary JWT with a short expiry (for example, 3 seconds), appends it to the media URL and returns the signed URL to the client.

The route to the file path (/file) is also protected by the uriTokenizer.verifyUriRequest middleware.

Routes on Media API Server

Media route controller — “/api/mediadetail”

Fetches media results from the database and builds the signed media URL.

A typical JWT-signed URL looks like this:

https://domain/file/../nodejs.mp3?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI1MWQ4NGFjMS1kYjMxLTRjM2ItOTQwOS1lNjMwZWJiYjgzZGYiLCJ1c2VybmFtZSI6Imh1bnRlcjIiLCJzY29wZXMiOlsicmVwbzpyZWFkIiwiZ2lzdDp3cml0ZSJdLCJpc3MiOiIxNDUyMzQzMzcyIiwiZXhwIjoiMTQ1MjM0OTM3MiJ9.cS5KkPxtEJ9eonvsGvJBZFIamDnJA7gSz3HZBWv6S1Q

Clients then access media files using the signed URLs. Each access to a media file triggers token validation by the middleware on the server. If a token is present, valid and not expired, access to the media file is granted; otherwise the client receives an HTTP 403 error.

uriTokenizer utility, used by the Express server to sign and verify requests for signed media

This mechanism prevents a user from opening the static media URL without a token. Even if someone copies a short-lived token, there is only a slim chance of reusing it.

If you like this post, please click on the 👏 to give me some hurrah.

Stay tuned for the next blog post, on one-time download links.
