Is it possible or planning to prevent hotlinking? I am building a site that sells training videos, and it is not very good if everyone can just copy the link to the video and download it.
I heard there is a "query string authentication" or something like that. Or maybe the download could be passed through the module to allow controlling the access by other modules.

Comments

Aracon’s picture

Excuse me, of course not "copy the link to the video and download it", but "copy the link to the video and publish it on another site, so anyone can download it".

justafish’s picture

Project: Media: Amazon » AmazonS3
Version: 7.x-1.0-beta3 » 7.x-1.0-beta4
rfay’s picture

Title: How to prevent hotlinking? » Implement authenticated links (and torrent links... and force download header)
Version: 7.x-1.0-beta4 » 7.x-1.x-dev
Category: support » feature
Status: Active » Needs review
StatusFileSize
new45.13 KB
new6.93 KB

The attached patch allows AmazonS3 to take advantage of a number of S3 features, including:

* Authenticated links (links with a timeout). You can specify how long a link will be valid.
* Torrent links. Rather than a straight HTTP download, a torrent is provided instead
* Forcing save-as (forcing download). The Content-disposition HTTP header is used to force the browser to try to save the file.

In addition, a new hook, hook_amazons3_url_info() is exposed to allow other modules to participate in setting the features above. For example, authenticated links can be required for some users, some not; Forcing save-as can be done for some filetypes and not others.

Here is the revised configuration page:
rfay_dell_gazelle_Selection_039.png

rfay’s picture

justafish’s picture

StatusFileSize
new4.83 KB

This kind of configuration would be better as part of the individual file fields so we don't have weird situations such as aggregated CSS being delivered via torrent. Here's a half-finished patch which illustrates the configuration form part of it.

justafish’s picture

StatusFileSize
new3.58 KB

oops, ignore that last function

justafish’s picture

Status: Needs review » Needs work

The only way I can think of doing this is using hook_file_url_alter, then checking whether the URI is in use by a field and whether it has any special settings and then some kind of nasty hack to pass it to getExternalURL()

So I'm thinking that although this would be nicer from a UI perspective to be in the field configuration, it's not very practical and will cause a fair bit of unnecessary overhead. So rfay's patch is much more useful than mine ;)

What I would like to see on it though, is instead of radio buttons for Torrent/HTTP is a path configuration textarea for which URLs should be delivered that way. Also a warning that the pre-signed URL needs to have a longer timeout that the anonymous page cache otherwise we'll get some weirdness.

keva’s picture

Applied the patch in #3 to the September 1, 2011 dev release. (which meant applying the first hunk to line 116 of AmazonS3StreamWrapper.inc instead of 66; the other hunks appeared to work automatically)

settings:
correct bucket name used
HTTP checked
Only "Create presigned authenticated URL with timeout" is checked

when I edit or add a node with a Video Upload field, get these notices:

Notice: Undefined index: use_presigned_url in AmazonS3StreamWrapper->getExternalUrl() (line 132 of .../sites/all/modules/amazons3/AmazonS3StreamWrapper.inc).

Notice: Undefined index: download_type in AmazonS3StreamWrapper->getExternalUrl() (line 136 of .../sites/all/modules/amazons3/AmazonS3StreamWrapper.inc).

Notice: Undefined index: response in AmazonS3StreamWrapper->getExternalUrl() (line 137 of .../sites/all/modules/amazons3/AmazonS3StreamWrapper.inc).

Perhaps this was due to creative patching? If so, is it possible to re-roll the patch for the latest dev?

Also, the project shortname changed some time between the patch in #3 and the 9/1/11 dev release.
If that affects anything.

justafish’s picture

Component: Miscellaneous » Code
Assigned: Unassigned » justafish
Status: Needs work » Needs review
StatusFileSize
new7 KB

Patch attached.

I've commented out chmod functionality, it was setting the ACL on objects but since we're going to want to use presigned URLs I'm not sure that's such a good idea.

justafish’s picture

StatusFileSize
new1.33 KB

+ api doc

justafish’s picture

Status: Needs review » Closed (fixed)

committed.