Verify valid user across multiple servers

Hey everyone.

I’ve just recently started building a small web application for a bit of fun and I am just now wondering what would be the best way to approach something I’m about to work on, so if anybody has any good ideas, I’d really appreciate it! :slight_smile:

Currently, my front-facing server contains an area where users can access a form to upload files to their account. For this I’ve set up a handler where my front-facing server handles the upload request, chooses one of the backend storage servers I’ve created, and then forwards the request to the chosen server via a REST API on the backend server (http://…/users/username/upload/), which goes and stores the user’s files.

What I’m actually wondering now, is what would be a good solution to making it easy for the backend storage servers to verify information about the user making the request.

I was maybe thinking about storing sessions in a centralized database and having the storage server verify the IP address of the request, to make sure that the IP address matches the logged-in user for that session. I just want to be able to make sure someone can’t upload files to a user’s account by sending a POST request directly to the storage server’s API.

I think the best way would be to use JSON Web Tokens. With JSON Web Tokens you won't need to store sessions on your server for the purpose of authentication.
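As an added illustration of the token approach suggested above (example code written for this thread, not sadick's or the original poster's, and not a library's API), here is the exchange in Go using only the standard library: the front-facing server, having already authenticated the user through its own session, mints a short-lived HS256 token bound to one storage server and to the single purpose "upload", and the storage server verifies that token before it accepts a POST to `/users/{name}/upload/`. The shared key, the storage server id `storage-1`, the claim names beyond the registered ones (`scope`) and the path layout are assumptions. A request sent straight to the storage server without a token, with an expired or re-signed token, or with a token minted for a different user or a different storage server, is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// UploadClaims is the payload the front-facing server signs. sub/aud/iat/exp
// are registered JWT claim names; scope is an assumed custom claim.
type UploadClaims struct {
	Sub   string `json:"sub"`   // username the upload is for
	Aud   string `json:"aud"`   // storage server the token is meant for
	Scope string `json:"scope"` // what the token permits ("upload")
	Iat   int64  `json:"iat"`   // issued at (unix seconds)
	Exp   int64  `json:"exp"`   // expiry (unix seconds)
}

var errBadToken = errors.New("invalid upload token")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 is the JWS HS256 signature over "header.payload".
func hs256(key []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// MintUploadToken runs on the front-facing server after the user's session
// has been checked; the token is short-lived and bound to one storage server.
func MintUploadToken(key []byte, user, storageID string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(UploadClaims{
		Sub: user, Aud: storageID, Scope: "upload",
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// VerifyUploadToken runs on the storage server. It pins the algorithm (so a
// token with "alg":"none" is rejected), compares the signature in constant
// time, and checks expiry, audience and scope before trusting any claim.
func VerifyUploadToken(key []byte, token, storageID string, now time.Time) (*UploadClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errBadToken
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errBadToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "HS256" {
		return nil, errBadToken
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, errBadToken
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errBadToken
	}
	var c UploadClaims
	if json.Unmarshal(rawClaims, &c) != nil {
		return nil, errBadToken
	}
	if now.Unix() >= c.Exp || c.Aud != storageID || c.Scope != "upload" {
		return nil, errBadToken
	}
	return &c, nil
}

// AuthorizeUpload ties the token to the request: the username in the path
// (/users/{name}/upload/) must equal the token's subject.
func AuthorizeUpload(key []byte, storageID, authHeader, pathUser string, now time.Time) error {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return errBadToken
	}
	c, err := VerifyUploadToken(key, strings.TrimPrefix(authHeader, prefix), storageID, now)
	if err != nil {
		return err
	}
	if c.Sub != pathUser {
		return fmt.Errorf("token subject %q does not match path user %q", c.Sub, pathUser)
	}
	return nil
}

// UploadHandler is the storage server's endpoint; it refuses any request that
// did not come through the front-facing server with a valid token.
func UploadHandler(key []byte, storageID string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		segs := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // users/{name}/upload
		if r.Method != http.MethodPost || len(segs) != 3 || segs[0] != "users" || segs[2] != "upload" {
			http.NotFound(w, r)
			return
		}
		if err := AuthorizeUpload(key, storageID, r.Header.Get("Authorization"), segs[1], time.Now()); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// store the uploaded file for segs[1] here
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	key := []byte("constructed-demo-key-shared-by-front-and-storage") // assumption: shared out of band
	tok, _ := MintUploadToken(key, "alice", "storage-1", time.Now(), 2*time.Minute)
	fmt.Println(AuthorizeUpload(key, "storage-1", "Bearer "+tok, "alice", time.Now()))
	fmt.Println(AuthorizeUpload(key, "storage-1", "Bearer "+tok, "bob", time.Now()))
}
```

The front-facing server puts the minted token in the `Authorization: Bearer` header of the request it forwards, so the storage server never needs the session database: everything it must know (who, which server, what for, until when) is inside the signed payload. Keeping the TTL to a couple of minutes and the audience to a single server limits what a captured token is good for, and pinning `alg` to HS256 closes the usual unsigned-token trick.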

Hey @sadick, yeah, JWTs are pretty good for that stuff.

Back then I was just building an application for a bit of fun and was implementing some of my own distributed simple storage servers.

If I remember correctly, I ended up using something like sessions, CSRF protection and IP whitelisting for uploading to the server and then signed URLs for retrieval, which was more than enough for what I wanted in the end :stuck_out_tongue:

I would probably just use something like minio-go if I needed the same functionality for a non-toy application nowadays.
