BOB Docs
API Tutorials

Private Media

To serve private media, the media_nginx configuration uses Nginx's auth_request module: a file under /media/private is only delivered after an internal subrequest to the BOB API has approved the request. Nginx itself never decides who may read a file; it only enforces the API's answer.

To enable this feature, uncomment the following block in the media_nginx configuration:

location ^~ /media/private/ {
  auth_request /_auth;            # the /_auth subrequest must answer 2xx before the file is served
  alias /app/media/private/;      # trailing slash must match the location prefix; without it
                                  # /media/private/x.png would map to /app/media/privatex.png
}

location = /_auth {
    internal;                     # not reachable by clients directly, only via auth_request
    proxy_pass              http://bob-api:80/api/auth/media-validation/;
    proxy_pass_request_body off;  # the API only needs the headers, not a body
    proxy_set_header        Content-Length "";
    proxy_set_header        Host            $host;
    proxy_set_header        X-Original-URI  $request_uri;  # tells the API which file was requested
    proxy_set_header        X-Forwarded-For $remote_addr;
}

Every request for a file under /media/private triggers an internal subrequest to the BOB API at http://bob-api:80/api/auth/media-validation/. The subrequest carries the client's request headers (so a bearer token or session cookie reaches the API) but not the request body. Because the subrequest URI is always /_auth, the API only learns which file was requested if Nginx passes the original path explicitly, for example in an X-Original-URI header set from $request_uri.

Use the token and that path to decide whether the user may read the file. The default handler in the auth_router denies everything; implement your business logic there:

@auth_router.get('/media-validation/', response={200: MessageOut, 403: MessageOut, 400: ApiExceptionOut},
                 tags=["auth"], summary="Validates whether the user has access to certain media.")
async def validate_media_access(request):
    """
    Validates user access to the media.
    Media are served through Nginx.
    Each attempt to access /media/private
    is proxy passed to this endpoint.
    This way you can validate media access for specific users.
    For security reasons, it returns a strict 403 by default,
    ensuring that media is not served by Nginx without authorization.
    Nginx serves the file only on a 2xx answer; 401 and 403 are relayed
    to the client, and any other status makes Nginx respond with 500.
    """
    # 403 must be declared in `response` above: a (status, body) tuple
    # whose status has no registered schema is rejected at runtime.
    return 403, {
        "message": "Permission denied"
    }

With this configuration Nginx never serves a private file until your API has returned 2xx for that exact request; a 401 or 403 from the API is relayed to the client, and any other status (including an unhandled exception) turns into a 500. Keep the handler fast and fail closed: when in doubt, return 403. You can customize the business logic in the auth_router to meet your specific needs.
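The following is an added example of the decision logic such a handler can run; it is not BOB's own code. It is written framework-independently so it can be exercised directly: `validate_media_access(headers)` takes the headers Nginx forwards with the subrequest and returns the `(status, body)` pair the endpoint above would return. It assumes a bearer token in the `Authorization` header, that Nginx forwards the requested path in `X-Original-URI` (set from `$request_uri`), and it uses a constructed token table and ownership table in place of the project's real user and media models.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import unquote, urlsplit

PRIVATE_PREFIX = "/media/private/"

# Constructed sample data standing in for the real token store (assumption):
# SHA-256 of the bearer token -> user record.
_TOKEN_DIGESTS = {
    hashlib.sha256(b"alice-token").hexdigest(): {"id": 1, "is_staff": False},
    hashlib.sha256(b"admin-token").hexdigest(): {"id": 2, "is_staff": True},
}

# Constructed ownership table standing in for the media model (assumption):
# path relative to /media/private/ -> owning user id.
_OWNERS = {
    "invoices/1/2024-01.pdf": 1,
    "invoices/3/2024-01.pdf": 3,
}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _user_for_token(authorization):
    """Resolve 'Authorization: Bearer <token>' to a user record, or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    digest = hashlib.sha256(authorization[len("Bearer "):].encode()).hexdigest()
    for stored, user in _TOKEN_DIGESTS.items():
        # Constant-time comparison: do not leak how much of a digest matched.
        if hmac.compare_digest(stored, digest):
            return user
    return None


def _relative_private_path(original_uri):
    """
    Map the raw request URI to a path relative to /media/private/, or None.
    $request_uri is the un-normalized request line (query string included),
    so decode and normalize here: '/media/private/%2e%2e/x' must not be able
    to name a file outside the private tree.
    """
    if not original_uri:
        return None
    path = posixpath.normpath(unquote(urlsplit(original_uri).path))
    if not path.startswith(PRIVATE_PREFIX):
        return None
    return path[len(PRIVATE_PREFIX):] or None


def validate_media_access(headers):
    """
    Decide an auth_request subrequest. Returns (status, body):
    200 lets Nginx serve the file, 401/403 are relayed to the client.
    Any other status would make Nginx answer 500, so nothing else is returned.
    """
    user = _user_for_token(_header(headers, "Authorization"))
    if user is None:
        return 401, {"message": "Authentication required"}
    relative = _relative_private_path(_header(headers, "X-Original-URI"))
    if relative is None:
        # Missing header or a path outside the private tree: fail closed.
        return 403, {"message": "Permission denied"}
    owner = _OWNERS.get(relative)
    if owner is not None and (owner == user["id"] or user["is_staff"]):
        return 200, {"message": "OK"}
    # An unknown file and someone else's file look identical to the caller.
    return 403, {"message": "Permission denied"}
```

Inside the real handler you would call `validate_media_access(request.headers)` and return its result, replacing the constructed tables with lookups against your token and media models. The path normalization is deliberate defense in depth: Nginx normalizes `$uri`, but `$request_uri` is the raw request line, and a handler that trusts it unmodified can be tricked into approving `/media/private/../other/file` as if it lived under the private prefix.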