Friday, August 8, 2008

Download Managers

It has come to my attention that download managers suck. The reason is that there is no easy mechanism (i.e., an API) that they all agree on and that websites can implement in order to authenticate users to download content from a CDN in a secure way.

We use a CDN that allows us to create a token which we pass to the CDN in a cookie or URL. The CDN authenticates that token and provides access to any request that contains that token. The token is simple: it is an MD5 hash with a shared secret, future expiration time and a path to match against. It looks something like this: MD5(mySecret/content/protected.ext?e=1182665958). The URL to download the content then looks like this: /content/protected.ext?e=1182665958&h=886dbef7390dfd70aea27fd41e459e7f. Everything after the ? can either be put into a cookie or passed on the query string as described above.
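The token scheme described above, as an added example (not code from this post or from the CDN): it builds the signed URL the way the post writes it and shows the check of hash, path and expiry that the CDN side has to perform. The function names and the HMAC-SHA256 variant are assumptions; HMAC is the standard keyed-hash construction and does not have the length-extension weakness of a bare MD5(secret + data).

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = "mySecret"  # placeholder shared secret, as written in the post


def page_token(secret, path, expires):
    """Token as the post describes it: MD5(secret + path + '?e=' + expiry)."""
    return hashlib.md5(f"{secret}{path}?e={expires}".encode()).hexdigest()


def hmac_token(secret, path, expires):
    """Same fields under HMAC-SHA256 (assumed variant, not the CDN's format)."""
    msg = f"{path}?e={expires}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def signed_url(secret, path, expires, token_fn=page_token):
    """Return path?e=<expiry>&h=<token>, the URL shape shown in the post."""
    return f"{path}?e={expires}&h={token_fn(secret, path, expires)}"


def verify(secret, url, now=None, token_fn=page_token):
    """Accept only a well-formed, unexpired URL whose hash covers path and expiry."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["e"][0])
        supplied = query["h"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed e/h parameter
    if expires < now:
        return False  # token expired; a client would request a new one
    expected = token_fn(secret, parts.path, expires)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    url = signed_url(SECRET, "/content/protected.ext", 1182665958)
    print(url)
    print(verify(SECRET, url, now=1182665000))
```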

Now, the problem with download managers is that you can't easily script the generation of those tokens. So, anyone using a download manager has to hit the site, grab the cookie and then put the cookie into the download manager along with the URLs. This is a royal pain in the ass.

If download managers supported a RESTful API such as:

Then, when I receive a request like the one above, all I would need to do is authenticate the user, check to make sure they are allowed access to that path and return a token. If the download manager gets back a 403 Forbidden, then the token probably expired and the download manager could then just request a new token.

I would be more than happy to implement something like that.

P.S. Kink has a system called Warden that implements a token-based authentication scheme similar to the one above but works independently of a CDN. We will be making it open source as soon as I have some free time to put it up online.
