How to serve a download of a file which is protected via HTTP authentication

On a server I have several files which are protected via HTTP authentication.

Now I want to create download buttons on my HTML page to download these files. I already read that downloading a file via JavaScript/AJAX isn't possible due to security reasons. See this question.

Furthermore, via a "normal" download link/button like this: <a href="..." download> it isn't possible to set the HTTP header to provide HTTP authentication.

Is there any possibility to make a download button/link to a file with HTTP Basic authentication?

Furthermore, to give a little bit more detail about my use case: I don't want to use sessions.

d4rty asked Nov 01 '25 12:11


2 Answers

You can try the username:password syntax in the url:

<a href="http://username:password@example.com/file.zip">Download</a>

However, do note that browser manufacturers have started removing support for this for security reasons. IE and Chrome no longer support it.

Workaround

As a work-around, you can make the request on your server instead of directly from the HTML in the browser. Just write a simple script that accepts a request and fetches the password-protected file.

Here's a simple node.js example using express and request:

var express = require('express');
var request = require('request');
var app = express();

// Route paths need a leading slash, otherwise express never matches the request
app.get('/remote-file', function (req, res) {
    // The credentials stay on the server; the browser only ever sees /remote-file.
    // example.com stands in for the protected host.
    request.get('http://username:password@example.com/file.zip').pipe(res);
});

app.listen(80);

Yes, the request module supports username:password syntax.

slebetman answered Nov 03 '25 02:11


I had the same problem, the only difference is I used JWT for authentication.

However the principle still applies. You say you don't want to use sessions so this makes me think you have access to the backend.

What you can do is make a route (/generate-token) protected with auth. Here you create a token together with its creation time and the requested file. Then you will have another route (/download-file/{token}), where you do the actual download based on the provided token. Notice that the second route is not auth protected.

The token can be used a single time, and is only available for a limited number of minutes, for better security.

By implementing this approach you will additionally need a table in the database and maybe a cron to regularly delete unused and expired tokens.

GabrielVasile answered Nov 03 '25 03:11