I'm using the express-jwt module on my node.js server to authorize users' access to different requests. One of the requests will ultimately be a file download with express res.download(file).

The problem is that I can't do the request as I would usually do via AJAX (angular $http.get), as this will not trigger the required file download popup in the browser. Without AJAX though (window.open), I can't provide the necessary authorization header for express-jwt.

Any hint on how I can achieve my authorized file download from node.js with express and jwt-express?

jimmy
  • I did something similar not long ago, and simply using the onClick with a window.open triggered the download of the file from a NodeJS Express server. What is happening if you try it yourself? – sam Dec 11 '14 at 16:31
  • The problem is that I need to add a token (jwt) to the header as the download is protected. – jimmy Dec 11 '14 at 16:33
  • This may contain your answer. It seems to use the XhtmlRequest to download the file with a custom header http://stackoverflow.com/questions/10516463/request-a-file-with-a-custom-header?answertab=active#tab-top – sam Dec 11 '14 at 16:36
  • As I stated above I can't use Ajax, as that won't work for file downloads due to the browser 'save as' dialog not showing. – jimmy Dec 11 '14 at 16:43
  • Don't quote me on security here. But Google API uses tokens as query string params to do something similar... You might research more towards that approach. Otherwise I don't know any other way besides cookie authentication – Max Dec 11 '14 at 16:47

1 Answer


A possible solution would be to modify your server side to expect something in the header like before, but in case of absence of this header to look into the parameters of the request to see if the value you are looking for is not there instead. It would not change your previous behavior for the other endpoints but it would allow you to download the file with a window.open and a parameter in the url. You can also limit this possibility to the endpoints giving access to files for more security.

sam
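The header-first, query-fallback lookup described in the answer above, as an added example that is not part of the original answer or of express-jwt's own code. The function name, the `/files/` route prefix and the `token` parameter name are assumptions chosen for illustration; the function has the shape express-jwt accepts as its `getToken` option (request in, token string or null out).

```javascript
const DOWNLOAD_PREFIX = '/files/'; // hypothetical: only these routes accept a URL token
const QUERY_PARAM = 'token';       // hypothetical query parameter name

function tokenFromHeaderOrDownloadQuery(req) {
  // 1. Normal case, unchanged for every endpoint: "Authorization: Bearer <jwt>".
  const header = (req.headers || {}).authorization;
  if (typeof header === 'string') {
    const match = /^Bearer +(\S+)$/i.exec(header.trim());
    // A header that is present but malformed never falls through to the URL.
    return match ? match[1] : null;
  }

  // 2. Fallback: only GET requests under the download prefix may carry the token in the URL.
  const path = typeof req.path === 'string' ? req.path : '';
  if (req.method !== 'GET' || !path.startsWith(DOWNLOAD_PREFIX)) {
    return null;
  }

  // Express parses ?token=a&token=b as an array and ?token[x]=1 as an object;
  // accept exactly one plain, non-empty string.
  const value = (req.query || {})[QUERY_PARAM];
  if (typeof value !== 'string' || value.length === 0) {
    return null;
  }
  return value;
}

// Wiring sketch (assumes express-jwt's `getToken` option; SECRET and the algorithm are placeholders):
//   app.use(jwt({ secret: SECRET, algorithms: ['HS256'], getToken: tokenFromHeaderOrDownloadQuery }));
// Browser side (constructed URL):
//   window.open('/files/report.pdf?token=' + encodeURIComponent(token));
```

A token placed in the URL is recorded in server access logs and browser history, so a short-lived token issued only for the download is safer there than the user's long-lived session token.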