Advice Please: FileServer Limit Access only to server side

I have MySQL database - 3 tables

  1. session table containing: id seq, email, UUID, lastUpdate (timestamp for refreshing session)
  2. users-data table containing: id seq, email, encrypted pass, firstname, lastname, age, favorite drink
  3. user_images table containing: id seq, email, image_path

Users are able to signup, login (with a HttpOnly session cookie), and upload images (1 at a time for now)
All user images are stored in dir: user_images on server File System while the file paths are stored in DB. When an user signs up, a new dir is created using their user_data table id e.g. user_id_6 inside user_images dir and subsequent image uploads are placed inside this dir.

When an user successfully logs in, they are directed to the info page and I wish to display all of their images in succession. I get the paths from the DB, and then put it in string slice, pass it to an html page

In the html template, I range over this slice and set an image for a list of images

Now there are 2 problems that I would appreciate any advice/help:

  1. the src attribute string has “” escaped and becomes something like src=“user_images%5cuser_id_6%5cdog.jpg”
    Is there any way to prevent the escaping of the forward slashes? How to go about dynamically setting the src attribute of the image tag in Go?

  2. The files themselves are inaccessible via paths unless they are hosted on a http.FileServer
    Is there a way to either:
    a. only server can access the served files and no one outside connected can access them so that I can serve the entire user_images dir and pick the right images to serve or
    b. add authentication to the file server so the user with valid session can only access the images in the corresponding dir (to their user_id) but no one else’s


  1. %5c is the encoding for a backslash, not a forward slash. URLs don’t separate path components with backslashes, so I don’t know if this will work for you or not, but the StackOverflow answer here seems to answer your question on how to stop escaping slashes:

  2. You might not be able to do this with FileServer (maybe you could with a wrapper?), but I don’t see anything stopping you from implementing this yourself. You could have some server-side state that maps valid session IDs to allowed directories and if a request comes in without a valid user session ID, don’t display any images.

A friend told me I can use template.URL to prevent escaping. The backslash is bc im on windows and using filepath.join.

Could you please provide some example code for mapping session id to allowed files? Im new to Go and completely lost on where to start. Any links to an article or open source project would be appreciated.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.