Provides access to private files and images by injecting authentication token with a timestamp into their urls. Such a token will be validated when such url is accessed and in case of successful validation the access will be granted. Token is valid for certain period of time.

The intended use case is for decoupled sites which relies on non-cookie authentication. For example when the site uses JWT header authentication. Without a cookie the private files or images cannot be accessed because no form of authentication has been provided (the cookie is missing). This module solves this problem by introducing authentication via token, which is valid for a configurable amount of time.

Example of a private image url containing authentication token and timestamp:

https://example.site/system/files/styles/thumbnail/private/resume/photo/profile_image.png?token=rEezZ9fNlupFtiWb98lJlwct4jFz96987uJovl_c_Zs&timestamp=1605024462&itok=NxuIebsw

Token will be validated along with the timestamp and the path part of the image url. Parameter itok still exists in the url as it is required by Drupal to actually generate image style of the image.

Supporting organizations: 
jobiqo - job board technology
Full development

Project information

  • caution Minimally maintained
    Maintainers monitor issues, but fast responses are not guaranteed.
  • caution Maintenance fixes only
    Considered feature-complete by its maintainers.
  • Module categories: Access Control
  • chart icon99 sites report using this module
  • Created by hideaway on , updated
  • shieldStable releases for this project are covered by the security advisory policy.
    Look for the shield icon below.

Releases

1.0.0 Stable release covered by the Drupal Security Team released 26 September 2023
Works with Drupal: ^9 || ^10
✓ Recommended by the project’s maintainer.
Install:

Development version: 1.x-dev updated 22 Dec 2020 at 09:22 UTC

Using Composer to manage Drupal site dependencies