[Problem/Question]
The value require_auth=true is not applied when sending a file message via the Send message API in the Platform API.
Q1. Do I need to enable something like security settings in the dashboard to use the require_auth property?
Q2. I tested it on a group channel, is it possible for the require_auth property to work on a group channel?
Q3. I can’t set require_auth=true when sending a file message with Android SDK?
[Reproduction Steps]
API : https://api-{application_id}.sendbird.com/v3/group_channels/sendbird_group_channel_{numbers}/messages
Header : “Api-Token” : “{api_token}”
Form data : “file” : {file}, “user_id” : “{user_id}”, “require_auth” : “true”, “message_type” : “FILE”, …
Method : Post
I sent a file message via the Send message API of the Platform API. I set require_auth to true.
However, in the JSON object I received as a response, the value of require_auth was false.
The value in the file.url was also a URL that did not contain the auth={key} parameter.
Setting require_auth is only applicable to messages not hosted by Sendbird. If you’re uploading a file to us, we’ll utilize an internal attribute for your application. Additionally, if a file message did have require_auth as true, the Platform API would NOT return an authenticated URL. It would only return the base URL.
Q. When you say “we’ll utilize an internal attribute for your application” in your answer, does this mean that encryption is possible through the Android SDK settings?
There is an all or nothing approach to file authentication. If you’d like to have all files require auth, let me know and I’ll get your Application ID and enable it. Then all file messages, regardless of whether they’re sent via Platform API or SDK will require auth.
As mentioned in my original response, the require_auth parameter is only used when you’re sending a pre-uploaded file, aka via a URL. It is not something you can toggle on and off per file on files Sendbird hosts.
Thanks to you, I realized that I can’t apply the file encryption feature to individual file messages. And that if we want to apply the encryption feature to all file messages, we have to request it directly from Sendbird.
Our current situation is that even after the file encryption feature is enabled, we still need to be able to access all files from our service admin page, because we need to determine if the images in the reported messages are worthy of a report.
Q. Is there any way to make all files accessible even after the file encryption feature is enabled?
If you’re looking to access the file from a backend application, you can pass the un-authenticated URL with the same Api-Token header you’d pass for a Platform API call and it will redirect you to the authenticated URL.
I’m reaching out to you again because something you answered isn’t quite what I expected.
I used the Platform api to send a file message.
I put a URL hosted elsewhere in the “files” parameter. The message was sent and the “url” in the message contained “{url hosted elsewhere}&auth={auth_code}”. Since it contained a “url” hosted elsewhere, the auth parameter seemed meaningless.
Q. When I put a URL hosted elsewhere in a file message, isn’t the file corresponding to that URL uploaded to the Sendbird server, and the URL of the file uploaded to Sendbird is included in the message?
Q. We need to make the file URL of a specific file message inaccessible after a certain amount of time, even if it is exposed. Is there any way to enforce this requirement?
A: No, we do not copy the file that is hosted elsewhere to our servers. We explicitly do this so that customers who wish to host file data exclusively on their own side, can do so without issue. Additionally, re-hosting could cause extra data charges to you.
A: The signed URL that includes the auth parameter, is only valid for 5 minutes. So if you were to save a signed URL, it would be invalidated after 5 minutes.
However, it didn’t completely clear things up, so I’m asking again.
A: No, we do not copy the file that is hosted elsewhere to our servers. We explicitly do this so that customers who wish to host file data exclusively on their own side, can do so without issue. Additionally, re-hosting could cause extra data charges to you.
→ Q. Does this mean that when sending a file message using the Platform API, there is no point in putting a URL hosted elsewhere in the files parameter and setting require_auth=true? If I remove the auth parameter from the url in the message, it will end up being a url that is always accessible. Am I understanding this correctly?
A: The signed URL that includes the auth parameter, is only valid for 5 minutes. So if you were to save a signed URL, it would be invalidated after 5 minutes.
→ Q. After the encryption feature is enabled on the Sendbird side, all file messages are encrypted and the file message contains a signed URL with the auth parameter. If this is correct, does this mean that the signed URL without the auth parameter will become inaccessible after 5 minutes?
Q. We want to encrypt only some of the file messages, not all of them, to prevent access to the file URLs. Is this possible?
Q. Does this mean that when sending a file message using the Platform API, there is no point in putting a URL hosted elsewhere in the files parameter and setting require_auth=true? If I remove the auth parameter from the url in the message, it will end up being a url that is always accessible. Am I understanding this correctly?
I think this ultimately depends on your implementations file storage strategy. If you pass in a URL to the File Message, that does mean that you can access it by removing the ?auth parameter, assuming the files current hosting solution does not require authentication. If you wanted to rely on Sendbird to host the files and control access, you shouldn’t be passing us URLs but the actual file. Sendbird is not responsible for authentication on files that are not hosted by us.
In terms of you seeing non-Sendbird related URLs having the ?auth parameter, I believe this is the SDK assuming the file is hosted by Sendbird. The SDK will look at the require_auth value of the file and create the signed url. We can probably do better here long term. That being said, the Platform API will never pass the auth url back when fetching messages.
Q: After the encryption feature is enabled on the Sendbird side, all file messages are encrypted and the file message contains a signed URL with the auth parameter. If this is correct, does this mean that the signed URL without the auth parameter will become inaccessible after 5 minutes?
File authentication is not retroactive. Meaning that any messages sent prior to the authentication being enabled will still not require authentication. Again, these are only for messages where Sendbird is hosting the actual file.
The ?auth parameter is not what expires. Essentially what happens is when you access the url like https://file-us-3.sendbird.com/XXXXXX?auth=1234 is you’re making an API call to Sendbird to determine if you should be able to access the requested file. If you are able to, we create a pre-signed URL and redirect you an authenticated S3 URL like such:
Q: We want to encrypt only some of the file messages, not all of them, to prevent access to the file URLs. Is this possible?
As mentioned previously we do not provide the ability to selectively apply authentication only certain messages. I think it makes sense to apply authentication to them all and then just fetch them as needed. Otherwise, the files may be better stored in your own database/storage solution where you have more finite control over the authentication applied to them.
Thank you so much for your detailed explanation. It’s really helping me a lot.
I’m embarrassed to say that you answered my question in such detail, but I’d like to ask more questions.
Q. Is it true that the URL of an encrypted file message, i.e. the URL containing the auth parameter, is always valid for 3 days? It is my understanding that the value of the auth parameter changes each time a session is logged in. For example, assuming the signed URL of the file message was https://file-us-3.sendbird.com/XXXXXX?auth=1234, I was wondering if the signed URL would change to something like https://file-us-3.sendbird.com/XXXXXX?auth=6789 when the session is newly logged in, and the old https://file-us-3.sendbird.com/XXXXXX?auth=1234 would become invalid.
Q. Before requesting a file encryption feature from the Sendbird side, is there any way to test how it will behave when applied and if it will work for our app?
Apologies, I appear to have missed your last response.
Q. Is it true that the URL of an encrypted file message, i.e. the URL containing the auth parameter, is always valid for 3 days? It is my understanding that the value of the auth parameter changes each time a session is logged in. For example, assuming the signed URL of the file message was https://file-us-3.sendbird.com/XXXXXX?auth=1234 , I was wondering if the signed URL would change to something like https://file-us-3.sendbird.com/XXXXXX?auth=6789 when the session is newly logged in, and the old https://file-us-3.sendbird.com/XXXXXX?auth=1234 would become invalid.
A. I’m unsure where the three days came from. The auth token is specific to an individual user and so it shouldn’t be stored. The SDK will regenerate it every time it’s fetched by that user.
Q. Before requesting a file encryption feature from the Sendbird side, is there any way to test how it will behave when applied and if it will work for our app?
A. You can request we enable it on a staging or development application within your organization.
