Mongrel_crypted_download GemPlugin

IMPORTANT!! Requires the encrypted_strings plugin: agilewebdevelopment.com/plugins/encrypted_strings

The need to send secured files in a fast and reliable way is common.

Sending a file from inside a web application can be slow, and it ties up an entire application thread/process until the user has finished downloading the file. The file path is also encrypted with the encrypted_strings plugin: agilewebdevelopment.com/plugins/encrypted_strings

<uri-prefix> is a directory that does not exist in the directory structure of the application but does exist in the directory structure of the server. example: /download_file

<relative-path> is the path to the file, encrypted with the encrypted_strings plugin. example: /public/attachments/

<file-name> is the name of file without path.

<timestamp> is the time at which this download expires, in seconds since the epoch. example (in Ruby on Rails): 1.minute.from_now.to_i.to_s

<token> is the SHA1 hash of the concatenation of the following items:

To use the plugin you need to do the following:

1) Set up the handler within a configuration script and pass in the secret string.

example configuration script:

uri "/download_file", :handler => plugin('/handlers/crypteddownload')

2) In your application, form a secured URI by creating the proper parameters and computing an SHA1 hash of the parameters to create the proper token.

example code (Ruby on Rails):

@track = Track.find(params)
@attachment = Attachment.find(params)

url = CryptedDownload.generate(@attachment.filename, "/public"[email protected]_filename.gsub(/#@[email protected]/, ''), "/download_files", request)

redirect_to url

3) Start Mongrel by passing in the location of the configuration script from step 1 with the -S command line switch.

example:

mongrel_rails start -S config/mongrel_crypted_download.conf

Error messages

If any of the parameters in the URI or the secret_string are missing, the handler returns a 500 Application Error.

If the token passed in as a parameter does not match the token generated by the handler (if someone tries to guess the token) the handler returns a 403 Forbidden error.

If the timestamp is earlier than the current server time, meaning that the file is no longer a valid download, the handler returns a 408 Request Time-out Error. This error is not technically correct but it makes the most sense in the context of the handler.
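
The three checks above and the status each one produces, as an added Ruby example that is not the plugin's own code. The page does not list the items that are concatenated for the token, so the layout used here (secret string, relative path, file name, timestamp, in that order) is an assumption, as are the names sign_download, secure_equal?, verify_download and sample_params.

```ruby
require 'digest/sha1'

# ASSUMED token layout (the page does not list the concatenated items):
# SHA1(secret + relative_path + file_name + timestamp)
def sign_download(secret, relative_path, file_name, timestamp)
  Digest::SHA1.hexdigest([secret, relative_path, file_name, timestamp].join)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the HTTP status the handler would answer with (200 = serve the file).
def verify_download(secret, params, now = Time.now.to_i)
  fields = %w[relative_path file_name timestamp token].map { |k| params[k].to_s }
  # Missing parameter or missing secret string: 500
  return 500 if secret.to_s.empty? || fields.any?(&:empty?)

  relative_path, file_name, timestamp, token = fields
  expected = sign_download(secret, relative_path, file_name, timestamp)
  # Token mismatch: 403
  return 403 unless secure_equal?(expected, token)

  # The timestamp is covered by the token, so it is only trusted after the
  # token check has passed. Expired download: 408
  return 408 if timestamp.to_i < now
  200
end

# Constructed sample values, not taken from the plugin.
SECRET = 'constructed-secret'
NOW = 1_700_000_000

def sample_params(expires_at)
  path = 'ENCRYPTED-PATH-PLACEHOLDER' # stands in for the encrypted_strings output
  name = 'report.pdf'
  ts = expires_at.to_s
  { 'relative_path' => path, 'file_name' => name, 'timestamp' => ts,
    'token' => sign_download(SECRET, path, name, ts) }
end
```

Because the timestamp is part of the hashed input, changing it in the URI to extend an expired link fails the token check with a 403 and never reaches the expiry check.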