Hi. I recently found that my files added to a file field in the database are accessible without authentication. Can I do anything to ensure that Baserow requires authentication for access to uploaded files?
Hey @patrick, you can set up authentication using Baserow’s Application Builder. Here’s a tutorial video showing how: https://youtu.be/SRBOZhgz1qs?si=_PPIxEPHthdo26_U.
Would this work for your use case?
Hi. Thanks for the suggestion - I’m familiar with authentication using the application builder. However, I can’t see that the application builder will prevent direct access to the file using the AWS URL (https://baserow-backend-productionxxxxxxxx.s3.amazonaws.com/user-files/xxxxx) without authentication?
The files uploaded to Baserow are indeed publicly accessible. The generated URL will always be unique and can’t be guessed. We’ve implemented it this way because Baserow does not depend on one specific way of serving static files, so we wanted it to stay as close as possible to simple static file serving.
If you’re self-hosting, then we do have the option of serving the files in a more secure way (Secure File Serving) where you need to be logged in to download it. However, this does come at a performance cost.
As a self-hoster, if you’re using S3, it’s also possible to enable an expiration time of the URL. We don’t want to enable it in our hosted environment because it would make exposing files via the API more difficult.
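One way to check which kind of link an instance is handing out, as an added example that is not part of the original thread or Baserow's code: it classifies file URLs as unsigned (no expiry in the URL) or presigned with an expiry, using the standard S3 query-string signing parameters. The function names and sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

UTC = timezone.utc

def classify_file_url(url, now=None):
    """Return (status, expires_at) for an S3 object URL.

    'unsigned' means the URL carries no signature or expiry: if the object
    is publicly readable, the link works for as long as the object exists.
    """
    now = now or datetime.now(UTC)
    q = parse_qs(urlsplit(url).query)
    try:
        if "X-Amz-Signature" in q:  # Signature Version 4 presigned URL
            signed_at = datetime.strptime(
                q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
            expires_at = signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))
        elif "Signature" in q:      # legacy Signature Version 2 presigned URL
            expires_at = datetime.fromtimestamp(int(q["Expires"][0]), tz=UTC)
        else:
            return ("unsigned", None)
    except (KeyError, ValueError):
        return ("malformed", None)
    status = "presigned-valid" if now < expires_at else "presigned-expired"
    return (status, expires_at)

def audit(urls, now=None):
    """Group URLs by status so permanent (unsigned) links stand out."""
    report = {}
    for url in urls:
        status, _ = classify_file_url(url, now)
        report.setdefault(status, []).append(url)
    return report

# Constructed sample URLs (bucket name, keys and signatures are placeholders).
BASE = "https://example-bucket.s3.amazonaws.com/user-files/"
SAMPLES = [
    BASE + "a.pdf",
    BASE + "b.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Date=20240101T113000Z&X-Amz-Expires=3600&X-Amz-Signature=00",
    BASE + "c.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Date=20240101T113000Z&X-Amz-Expires=600&X-Amz-Signature=00",
    BASE + "d.pdf?AWSAccessKeyId=PLACEHOLDER&Expires=1704114000&Signature=00",
]

if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)
    for status, urls in audit(SAMPLES, fixed_now).items():
        print(status, len(urls))
```

A result of `unsigned` only says the link itself never expires; whether the object is actually readable without credentials depends on the bucket's access policy.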
Ok! Would you be willing to add the possibility to activate authentication for file access as a suggestion for future updates for the hosted version? In my view, this currently limits many use cases for Baserow, as I can’t add any file containing personal information.
This is not something we can activate on the hosted version of Baserow, unfortunately. The performance cost would be too big because the files are served via the application. It will also break some other features like serving files via the API, and files in publicly shared views and applications.