Schaken
Posted September 27, 2022

Hello. I am using a C# application I am creating, I am logged in via OAuth2. I am using the endpoint "/downloads/files/{id}/download" (yes, it is enabled in the scope). This all works, it sends me a link to the file, the name and size, exactly as it should.

But the issue is there is no API to tell the site "Hey, I downloaded this" and not only that, but the link returned is

https://XXXXXXXXXX.com/files/modupload/monthly_2022_09/1435978003_MyCustomPi-ChoENB_7z.ff0e2dd34912345d81fba665432e6208

and the link works. So, problem 1 is that file should be an archive, but instead it is... not... and second this does not have a key. Very unsecure. If this is intercepted, anyone can download this file at any point, they can also just right click the download in their browser and get the link, and now this file is public.

Can we get a "generate download link" API? Otherwise this is just too unsafe to use. The "Downloads" app is what my entire site is focused on, and this is how I make my living.

Can the "Generated Download Link" have its correct file extension?

If these features are already there somewhere and I am overlooking them, please let me know, or if anyone has any idea on how to achieve this?

Marc (Solution)
Posted September 28, 2022

There is actually a key there. That link is specific to the user who has requested the file. So there is no way in which to get that link without authentication.

Only a link to it would be returned in any API. It's the application that calls it that would download it. So in your case you would be using WebClient to do this. So something like this (please note, this is outside the scope of support, so any issues would be for yourself to resolve):

    using System.Net; // WebClient lives in this namespace

    // Download the file behind the returned URL to a local path.
    using (var myWebClient = new WebClient())
    {
        myWebClient.DownloadFile("theURLHere", "destinationFileNameHere.gz");
    }

With regard to the extension, could I please ensure you are using the latest release of the platform? I have seen that issue on the front end which was resolved.

Schaken (Author)
Posted September 28, 2022

7 hours ago, Marc Stridgen said:

> There is actually a key there. That link is specific to the user who has requested the file. So there is no way in which to get that link without authentication.
>
> Only a link to it would be returned in any API. It's the application that calls it that would download it. So in your case you would be using WebClient to do this. So something like this (please note, this is outside the scope of support, so any issues would be for yourself to resolve):
>
>     using (var myWebClient = new WebClient())
>     {
>         myWebClient.DownloadFile("theURLHere", "destinationFileNameHere.gz");
>     }
>
> With regard to the extension, could I please ensure you are using the latest release of the platform? I have seen that issue on the front end which was resolved.

Hello! I was not expecting you to write out the C# code for me, though you did, and I didn't even know that function existed, now I can do even better work and I really appreciate that!

After playing with this and testing it (Works perfectly!), I am still at the same issue. I went to the Downloads page and clicked on "Who downloaded this" and my name is not there, and the download count did not change. I am using the OAuth2 so the system does know it is me downloading it.

I am using the "Downloads Plus" 3rd party extension and I am up to date, except I am not using PHP8.0 yet due to the "Downloads Plus" not being up to date yet. If this is due to the PHP being old, then I'll drop this and come back if it is still an issue when I update. But I am on the latest version of Invision.

Also I marked this complete because you solved my security issue and my biggest concern. Though I would still need the system to register that I did download the file from the downloads app.

Marc
Posted September 28, 2022

While you have got a link to the item, unfortunately there isn't really any way to tell if the person has downloaded the item.

Schaken (Author)
Posted September 28, 2022

Does it add to the "Downloaded X amount of times" count?

Marc
Posted September 28, 2022

I don't see how it would know it has actually been downloaded.

Schaken (Author)
Posted September 28, 2022

That is what I was afraid of. I was actually messing with another website's API before my own, they had an API that would generate a link, and if you download it, they somehow saw it and updated the count. Pretty cool feature. I guess this is why I am having so much trouble with this API, just as it SHOULD be, each API is a whole different animal. Invision Community API is honestly Awesome, very detailed and does MANY cool things that I have not seen anywhere else, so I cannot complain.

Thank you for your time. I saw a forum here somewhere for suggestions for improvements and ideas or something like that. I may just put this idea there. Thanks again @Marc Stridgen

Once I am done with my tool, I am going to make a video of its use and send it to you. lol. You have been a big help.

Stuart Silvester
Posted September 28, 2022

Calling /downloads/files/{id}/download does increment the download count and stores a log of the download (if enabled), just like downloading via a browser would.

Make sure the category is set to retain logs of downloaded files.

If you're looking for better protection of files on disk for Downloads, I would recommend using something like Amazon S3 for storage. S3 supports signed URLs and does not allow direct access to files uploaded via Downloads.

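Added example, not part of the post above and not Invision Community or Amazon S3 code: a generic expiring, HMAC-signed download link in C#, showing why a signed URL stops working for someone who copies it later or changes the file path, unlike a static file URL. The `SignedLink` class, its method names, the key, the path and the timestamps are all constructed for illustration, and the scheme is a simplified stand-in rather than S3's actual signing algorithm.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of an expiring signed link (generic HMAC scheme).
// Not S3's algorithm and not Invision Community code.
public static class SignedLink
{
    // Hypothetical server-side secret; load it from a secret store in practice.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // HMAC-SHA256 over the path and the expiry, so neither can be changed.
    private static string Mac(string path, long expires)
    {
        using var hmac = new HMACSHA256(Key);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes($"{path}\n{expires}")));
    }

    // Issue a link that is valid only until now + lifetime.
    public static string Issue(string path, TimeSpan lifetime, DateTimeOffset now)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        return $"{path}?expires={expires}&sig={Mac(path, expires)}";
    }

    // Server-side check performed before the file is streamed.
    public static bool Verify(string path, long expires, string sig, DateTimeOffset now)
    {
        if (now.ToUnixTimeSeconds() > expires) return false; // link has expired
        byte[] expected = Encoding.UTF8.GetBytes(Mac(path, expires));
        byte[] supplied = Encoding.UTF8.GetBytes(sig ?? "");
        // Constant-time comparison; also returns false when lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, supplied);
    }

    public static void Main()
    {
        var t0 = DateTimeOffset.FromUnixTimeSeconds(1664323200); // constructed timestamp
        string path = "/files/example.7z";                       // constructed path
        string url = Issue(path, TimeSpan.FromMinutes(5), t0);
        long exp = t0.AddMinutes(5).ToUnixTimeSeconds();
        string sig = url.Substring(url.IndexOf("sig=", StringComparison.Ordinal) + 4);
        Console.WriteLine(url);
        Console.WriteLine(Verify(path, exp, sig, t0.AddMinutes(1)));              // fresh link, same file
        Console.WriteLine(Verify("/files/other.7z", exp, sig, t0.AddMinutes(1))); // signature reused for another file
        Console.WriteLine(Verify(path, exp, sig, t0.AddMinutes(10)));             // same link after expiry
    }
}
```
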
Schaken (Author)
Posted September 28, 2022

34 minutes ago, Stuart Silvester said:

> Calling /downloads/files/{id}/download does increment the download count and stores a log of the download (if enabled), just like downloading via a browser would.
>
> If you're looking for better protection of files on disk for Downloads, I would recommend using something like Amazon S3 for storage. S3 supports signed URLs and does not allow direct access to files uploaded via Downloads.

Thanks for the info on the server. I use BunnyCDN because they are very cheap! They claim they will soon have S3 service, so I will give them some time to make that happen.

@Stuart Silvester you are amazing! I just tested this (That's why I am replying late) and this works!

Thank you so much guys! You both just made my day!