Token load hierarchy
Authorization can be provided in multiple ways, including the query string, headers and environment variables. To build a correct setup it is necessary to know how the File Repository fetches the token value and which source takes priority.
The list below is ordered by priority: the first match wins.
- _token in the query string, e.g. ?_token=xyz
- token header
- x-auth-token header
- FILE_REPOSITORY_TOKEN environment variable
Use case: Serving static assets
Best practice is to secure each file and each collection with a token. You can generate a viewer token and set it as an environment variable for given endpoints, or for the whole application.
Using NGINX, Apache 2 or another webserver you can deny access to some routes and, on other routes, set a default access token by enforcing a header or environment variable. The webserver proxy also makes it possible to strip request data, for example headers and query string parts.
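The priority list above and the proxy setup described here, modelled as an added example (not code from the File Repository project): resolve_token applies the documented order, and proxy_default_token models a reverse proxy that strips client-supplied token carriers before injecting a default viewer token. Function names, the request shapes and the sample tokens are constructed for the example.

```python
import os
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit


def resolve_token(url, headers, environ=None):
    """Return (token, source) using the documented priority; first match wins."""
    environ = os.environ if environ is None else environ
    # HTTP header names are case-insensitive, so normalise them once.
    lowered = {name.lower(): value for name, value in headers.items()}
    query = parse_qs(urlsplit(url).query)
    if query.get("_token"):
        return query["_token"][0], "query:_token"
    if lowered.get("token"):
        return lowered["token"], "header:token"
    if lowered.get("x-auth-token"):
        return lowered["x-auth-token"], "header:x-auth-token"
    if environ.get("FILE_REPOSITORY_TOKEN"):
        return environ["FILE_REPOSITORY_TOKEN"], "env:FILE_REPOSITORY_TOKEN"
    return None, None


def proxy_default_token(url, headers, default_token):
    """Model a proxy route with a default token (constructed behaviour).

    Drops the client's _token query parameter and token headers so the
    client cannot outrank the default, then injects the default as the
    x-auth-token header.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "_token"]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    clean_headers = {k: v for k, v in headers.items()
                     if k.lower() not in ("token", "x-auth-token")}
    clean_headers["x-auth-token"] = default_token
    return clean_url, clean_headers


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own token twice.
    url = "/files/logo.png?_token=client-q&v=2"
    headers = {"Token": "client-h"}
    print(resolve_token(url, headers, {}))                       # client query wins
    print(resolve_token(*proxy_default_token(url, headers, "viewer-token"), {}))
```

Without the stripping step, a client-supplied _token or token header would outrank any default set lower in the list, including FILE_REPOSITORY_TOKEN.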