Active Storage Endpoints

Andreas Dausenau edited this page Jun 28, 2022 · 4 revisions

The Rails default Active Storage endpoints for direct upload are open and protected only by an authenticity token. This is insufficient if you want more control over who is permitted to upload files.

ez-on-rails provides custom endpoints whose access you can control. This is especially useful if you want to upload files from an API client that does not have authenticity tokens.

To prevent the default endpoints from being used, the ezapp generator disables them by copying an initializer to your initializers directory. If you want to disable this behavior and use the default endpoints instead, just delete the file config/initializers/disable_active_storage_default_routes.rb or comment out its content. Additionally, the generator added routes for the default Active Storage endpoints to your config/routes.rb file. This is needed so that the files remain readable. The "dangerous" routes are commented out there. You are free to change these routes, but normally this is not necessary, because with the new behavior you can create, delete and show file blobs. Refer to the Rails repository for the full set of routes that are normally available.

These are the new endpoints available for uploading and destroying Active Storage attachments:

  • POST api/active_storage/blobs/create_direct_upload - returns the information needed to upload a file to the storage service your application uses. This endpoint is used like the default endpoint; the only difference is that you need to authenticate using the authentication methods described on the API page.
  • DELETE api/active_storage/blobs/:signed_id - removes the blob with the given signed_id. Like the direct upload creation endpoint, it requires you to authenticate using the API methods.
  • POST ez_on_rails/active_storage/blobs/create_direct_upload - can be used by the Rails views to upload files like the default behavior. Used by the Dropzone that is rendered if you use the ez-on-rails forms.
  • DELETE ez_on_rails/active_storage/blobs/:signed_id - can be used by the Rails views to delete files. Used by the Dropzone that is rendered if you use the ez-on-rails forms.

Access is restricted using the Permission System, so you just need to create the corresponding group accesses. The ezapp generator creates entries that restrict access to members who are signed in to your application. You are free to change those entries in the db/seeds.rb file.

Example JavaScript Call

If you use the Active Storage direct upload package, you can authenticate against the new endpoints as in the following example:

    let upload = new ActiveStorage.DirectUpload(acceptedFile, toFullBackendUrl('api/active_storage/blobs'), {
        // called right before the blob creation request is sent: attach the API credentials here
        directUploadWillCreateBlobWithXHR: (request: XMLHttpRequest) => {
            const httpHeader: any = {
                'Content-Type': 'application/json',
                'Accept': 'application/json',
                'api-version': ...,
                'uid': ...,
                'client': ...,
                'token-type': ...,
                'access-token': ...
            };

            // copy every header, including the authentication ones, onto the request
            Object.keys(httpHeader).forEach((key) => {
                request.setRequestHeader(key, httpHeader[key]);
            });

            // report upload progress of the file itself
            request.upload.addEventListener("progress", onDirectUploadProgress);
        }
    });

    upload.create((error, blob) => {
        // if some error occurs, just print it to the console and do nothing else
        if (error) {
            console.log("Image Error:", error);
            setUploadsInProgress(uploadsInProgress - 1);
        }
        else {
            ...
        }
    });

Don't forget to replace the API version and credentials here.
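The same credentials are needed for the DELETE api/active_storage/blobs/:signed_id endpoint. The following is an added example, not code from the ez-on-rails wiki or project, that builds that request with the header set used in the upload snippet above, refuses to send it when a credential is missing, and treats 401/403 as a permission failure; baseUrl, the credentials object shape and fetch-based transport are assumptions.

```javascript
// Header names taken from the upload snippet above; everything else is assumed.
const AUTH_HEADER_KEYS = ['api-version', 'uid', 'client', 'token-type', 'access-token'];

// Build the header map, failing early if any credential is absent instead of
// sending a request the Permission System will reject anyway.
function buildAuthHeaders(credentials) {
  const headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' };
  for (const key of AUTH_HEADER_KEYS) {
    const value = credentials[key];
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`missing credential header: ${key}`);
    }
    headers[key] = value;
  }
  return headers;
}

// Return the URL and fetch options for deleting one blob. The signed_id is
// URL-encoded so an unexpected value cannot alter the request path.
function buildDeleteRequest(baseUrl, signedId, credentials) {
  const root = baseUrl.replace(/\/$/, '');
  const url = `${root}/api/active_storage/blobs/${encodeURIComponent(signedId)}`;
  return { url, options: { method: 'DELETE', headers: buildAuthHeaders(credentials) } };
}

// Distinguish "not permitted" from other failures so the caller can react
// (e.g. re-authenticate) instead of silently retrying.
function checkDeleteResponse(response) {
  if (response.status === 401 || response.status === 403) {
    throw new Error(`not permitted to delete blob (HTTP ${response.status})`);
  }
  if (!response.ok) {
    throw new Error(`delete failed (HTTP ${response.status})`);
  }
  return true;
}

// Assumed transport: fetchImpl defaults to the browser's fetch.
async function deleteBlob(baseUrl, signedId, credentials, fetchImpl = fetch) {
  const { url, options } = buildDeleteRequest(baseUrl, signedId, credentials);
  const response = await fetchImpl(url, options);
  return checkDeleteResponse(response);
}
```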