Build secure download server
Created by: deepakduggirala
Secure Download Server New UI based on Google Drive
Permission data - postgres app database - app.sca.iu.edu
Actual files - scratch - colo node
Option 1: hosted on colo23
- Authenticate users
- Resolve permissions by talking to API for a particular app
  - App API should have a consistent route for resolving permissions - 200 OK / 403 Forbidden
- Resolve the project_uuid to a path on scratch - 2 options
  - hardcoded + symlink
  - API call which will respond with actual path on scratch
- NGINX x-accel header / sends file / UI javascript initiates browser download
Pros:
- Common UI for all apps
Cons:
- It needs to know which app to talk to via url / app hostnames / scratch configs
- Extra auth for service-to-service
Option 2: Bundle this file tree UI with apps (import component)
- Construct a file tree from postgres dataset_files table
- There is no extra API to resolve permissions and file paths
- User clicks on a file to download - API will create a token + URL - UI will make a CORS request to NGINX API (nginx + express api) hosted on colo23
  - File: /abc/123.fastq.gz
  - Token will have the URL - asd12412sad/abc/123.fastq.gz
  - Token expiry time - 1 minute
  - Sign with its private key
  - Public key id
- The nginx API on colo23 validates the token (with public key) - serves that file
- Nginx: Resource server / resource owner
OAuth 2.0 authz server - Ory Hydra
Flow - OAuth 2.0 client credentials
Pros:
- App API driven - no overhead on permissions and path resolutions
- Stats on who downloaded what
Constraint: File tree is static
- Allows searching for files without staging
- Allows staging individual files from a given archive
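The Option 2 token flow as an added example (not the project's code): the app API signs the file path with a 1 minute expiry and a key id, and the download API on colo23 verifies the token before handing the path to nginx. Assumptions: Ed25519 keys, a payload.signature token layout in base64url, the /scratch/downloads root, and all function and key names.

```javascript
// Added example, not the project's code. SCRATCH_ROOT, the key id and the
// token layout (payload.signature, base64url) are assumptions.
const crypto = require('node:crypto');
const path = require('node:path');

const SCRATCH_ROOT = '/scratch/downloads'; // assumed mount point on the colo node
const b64u = (data) => Buffer.from(data).toString('base64url');

// App API: sign {key id, file path, expiry} with the app's private key.
function issueToken(privateKey, kid, filePath, now = Date.now(), ttlMs = 60000) {
  const payload = b64u(JSON.stringify({ kid, path: filePath, exp: now + ttlMs }));
  const sig = crypto.sign(null, Buffer.from(payload), privateKey); // Ed25519
  return `${payload}.${b64u(sig)}`;
}

// Download API: return the on-disk path to pass to nginx, or throw.
function validateToken(token, requestedPath, publicKeys, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) throw new Error('malformed token');
  const [payload, sig] = parts;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  // The key id only selects among keys this server already trusts.
  const key = publicKeys.get(claims && claims.kid);
  if (!key) throw new Error('unknown key id');
  const ok = crypto.verify(null, Buffer.from(payload), key, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('token expired');
  if (claims.path !== requestedPath) throw new Error('token issued for another file');
  // Defense in depth: the signed path must still resolve inside the scratch root.
  const resolved = path.posix.join(SCRATCH_ROOT, claims.path);
  if (!resolved.startsWith(SCRATCH_ROOT + '/')) throw new Error('path outside scratch root');
  return resolved;
}

// Constructed demo: one app key pair, one file, a fixed clock.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['app-key-1', publicKey]]);
const t0 = 1700000000000;
const demoToken = issueToken(privateKey, 'app-key-1', '/abc/123.fastq.gz', t0);
console.log(validateToken(demoToken, '/abc/123.fastq.gz', trustedKeys, t0 + 1000));
```

The express handler would set the returned path in the X-Accel-Redirect response header, mapped to an internal nginx location, so nginx streams the file itself.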
Pros (for both):
- User level permissions on project downloads
- Revoke permission - applies immediately
- Multi modal authentication - IU, Google, Apple
Cons (for both):
- No wget