Wasabi plug-in private images

richiejim · March 16, 2023, 8:06am

Hi.
I recently purchased the zeroqode wasabi plug-in. My bubble app allows users to upload images. These now go to Wasabi S3 thanks to this plug-in. The issue is these images must be private and only accessible to my app. The plug-in suggests using AWS referer which I have tested and it works but I’m concerned that this isn’t very secure. Does anyone know if this plug-in can retrieve and display a private image via the API or if there are any other ways of doing this? Many thanks

Serg · March 16, 2023, 10:30am

Hi @richiejim, thanks for reaching out and for your question.

Please check the plugin supporting documentation, where we mentioned two cases that can be set to limit access to the stored content: Wasabi Cloud Storage

Hope this helps. If there will be any other questions about our plugin, please let me know.

Regards,

richiejim · March 16, 2023, 11:09am

Thanks @Serg. The trouble is both of the use cases in the documentation use a referer as the main policy method of allowing or denying. Referers can be easily spoofed. I know that the pre signed url would allow access to a private object but I just want these images to display to the users of my app all of the time while not being accessed by someone over the internet with a little bit of knowledge on how to spoof a referer. It’s a shame this plug-in doesn’t come with an element that can preview an image somehow using the api.
Cheers

Serg · March 16, 2023, 3:21pm

@richiejim sorry that our plugin doesn’t comply with your expectations.

If an image is stored in Wasabi Cloud in private mode, regretfully it can not be retrieved to display, as access to the file is denied.

If there will be any other questions about our plugin that I can help with, please let me know.

Regards,

Serg · March 20, 2023, 12:22pm

Hi @richiejim,

We’ve noticed your review on the plugin’s marketplace page, and after an additional check, I would like to share the developer team feedback:

By using the examples of bucket policies shared in supporting documentation, there is no way to access the files outside of the specified domain, unless the API keys of the bucket owner are publicly available. Any attempt to access an image outside of the specified domain, even by using any fraudulent tools - would end in an error.

Thus, we would be grateful if you may consider this reason and change your plugin review, which is available on the marketplace page.

Please let me know your decision and drop me a message if there are any other questions that I can help with about our plugin.

Regards,