Download file security #9

Open
Maxou44 opened this issue Feb 27, 2019 · 1 comment
Labels
enhancement New feature or request

Comments

@Maxou44
Member

Maxou44 commented Feb 27, 2019

Since the 2.0, the load balancer serves media files itself, but Plex tokens aren't checked. It could be nice to check the token if provided and use a generated unique token when the load balancer generates download links.

@Maxou44 Maxou44 added the enhancement New feature or request label Mar 21, 2020
@afdah

afdah commented Jun 23, 2021

@Maxou44, what do you think about the below proposal?

Current process flow by loadbalancer for download URLs

if CUSTOM_DOWNLOAD_FORWARD,

  1. redirect 307 to transcoder

else loadbalancer

  2. process the download

Current process flow by transcoder for download URLs

  1. process the download

Proposed process flow by loadbalancer for download URLs

if CUSTOM_DOWNLOAD_FORWARD,

  1. redirect 307 to transcoder. Token is not checked here. Token will be checked at the transcoder end

else loadbalancer

  2. check if token is valid
  3. if valid, process the download

Proposed process flow by transcoder for download URLs

  1. check if token is valid
  2. if valid, process the download

Now the checking of the token can only be done by making an HTTP request to Plex Media Server.
With the original download request, we need to re-create either a HEAD request or a GET request with a byte range of 1024 bytes to Plex Media Server and check the response. We do not want to forward the original download request to PMS.
A 401 response means invalid token.
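
Added example, not part of the thread or the project's code: one way the proposed check could look in Node.js, probing PMS with a HEAD or a 1024-byte ranged GET and treating 401 as an invalid token. The names `buildProbe`, `isAuthorized` and `checkToken`, the `pms` object shape, the 3-second timeout, rejecting requests that carry no token, and failing closed on any status other than 200/206 are assumptions of this sketch.

```javascript
const http = require('http');

// Build the PMS probe from the original download request. Only the path and
// the Plex token are carried over; the client's own headers are not forwarded.
function buildProbe(req, pms, useHead = true) {
  const url = new URL(req.url, 'http://placeholder.invalid'); // base only for parsing
  const token = url.searchParams.get('X-Plex-Token') || req.headers['x-plex-token'];
  if (!token) return null; // assumption: no token means reject without probing
  url.searchParams.delete('X-Plex-Token'); // token travels in the header instead
  const headers = { 'X-Plex-Token': token };
  if (!useHead) headers.Range = 'bytes=0-1023'; // 1024-byte ranged GET
  return {
    host: pms.host,
    port: pms.port,
    method: useHead ? 'HEAD' : 'GET',
    path: url.pathname + url.search,
    headers,
  };
}

// 401 means invalid token (from the proposal). Assumption: only 200/206 count
// as valid, so redirects, 404s and 5xx fail closed.
function isAuthorized(status) {
  return status === 200 || status === 206;
}

// Resolve true only if PMS accepts the token; errors and timeouts resolve false.
function checkToken(req, pms, useHead = true) {
  return new Promise((resolve) => {
    const probe = buildProbe(req, pms, useHead);
    if (!probe) return resolve(false);
    const r = http.request(probe, (res) => {
      res.destroy(); // the status line is enough; never read the media body
      resolve(isAuthorized(res.statusCode));
    });
    r.setTimeout(3000, () => r.destroy(new Error('PMS probe timed out')));
    r.on('error', () => resolve(false));
    r.end();
  });
}
```

In the non-forwarding branch the load balancer would await `checkToken(req, pms)` before streaming the file; in the `CUSTOM_DOWNLOAD_FORWARD` branch the same call would run on the transcoder after the 307.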
