    Facing product download dilemma/issues

    18 Posts 5 Posters 631 Views
    • ustkU
      ustk
      last edited by ustk

      Hey guys,
      I am setting up my system so my (future) customers can download their products using my manager app.
      All is good and works on the app side, but... I have some questions about security, especially the kind of attack using a script to download your stuff hundreds of times and shut down your site (and also PHP injection).

      • I created a download folder in the website's root called, yep, downloads and place my products in that folder (as well as some release info, etc...). I give my WordPress product the link, and all is good and working from the manager app. But this approach seems risky to me as there are no verifications like a bearer token, etc... So first question, am I right to assume this?

      • The other approach I am trying is to place the product in the WP Media library, and, since this directory (.../wp-content/uploads/woocommerce_uploads/...) is natively protected against all kinds of attacks, it feels safer to me (hey guys, pardon me, I have no knowledge in web dev). But then with this approach, the manager app can't download the product from this link, obviously. Second question, is there a way to use a header of some kind (like the JWT token) or any parameters with the Server.downloadFile() API to allow a user to download from this location without compromising the website?

      • Third question, and now I think about it I probably should have started with this one, maybe using an external specialised storage service would simplify my life and resolve all those silly questions... ? (and remove the loads from the main server)

      Can't help pressing F5 in the forum...

      d.healeyD A gorangroovesG 3 Replies Last reply Reply Quote 0
        • d.healeyD
          d.healey @ustk
          last edited by d.healey

          @ustk said in Facing product download dilemma/issues:

          created a download folder in the website's root called, yep, downloads and place my products in that folder

          Are your products really small? Otherwise that's a lot of bandwidth for your website server to handle. Usually you'd want to offload that to a CDN, I use S3 because there is a convenient WooCommerce plugin, but there are cheaper options. ... and I just saw your third question :)

          So what I do is I use WooCommerce, that handles the download permissions and generates secure links to S3. I made a custom WP plugin for my site that handles the connection between Rhapsody and WooCommerce.

          So when a user places an order they get download links and a license key, all generated by WooCommerce, the S3 plugin, and the license manager plugin.

          Then in Rhapsody I get them to log into my WP site using the JWT auth plugin. From Rhapsody I then query the end points of my custom plugin to see if they have a valid license when they click the download button. If they do I send a request to WooCommerce to generate a fresh S3 link.

          Libre Wave - Freedom respecting instruments and effects
          My Patreon - HISE tutorials
          YouTube Channel - Public HISE tutorials

          ustkU clevername27C 2 Replies Last reply Reply Quote 2
          • A
            aaronventure @ustk
            last edited by

            @ustk Consider hosting your files elsewhere. S3 or Backblaze (a lot cheaper than S3). Then use the API to generate links on request.

            You don't need a full blown server, you just need a cloud function (AWS Lambda, Azure Cloud Functions, Google Functions) that will have its own API endpoint (automatically generated once you set it up). You call it, the function does the work (check in database for user credentials, fetch download link from backblaze, then returns the link). That way you only pay as much as you use, with a generous free traffic (I think AWS Lambda has 2mil. free calls a month).

            1 Reply Last reply Reply Quote 1
            • gorangroovesG
              gorangrooves @ustk
              last edited by

              @ustk I have not tried your approach, so I can't advise on such a procedure. However, I can recommend Digital Ocean's CDN. It is extremely easy to use, affordable and there is a plugin that integrates with WooCommerce.

              What @d-healey explained here sounds very good to me if you are utilizing a download manager. As an extra precaution, you can set the maximum number of downloads per product in WooCommerce to, say, 5. Then, if someone needs more, you can manually regenerate download links for them. That would prevent someone from downloading hundreds of times.

              Goran Rista
              https://gorangrooves.com

              Handy Drums and Handy Grooves
              https://library.gorangrooves.com

              d.healeyD 1 Reply Last reply Reply Quote 1
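
The flow described in the replies above (check the license, enforce a per-product download cap, then hand out a fresh short-lived link that the storage side validates), as an added example that is not part of any poster's message or of any plugin's code. The signing key, host, license table and URL layout are hypothetical, and the HMAC scheme is generic, not the scheme S3, Bunny or WooCommerce actually use.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Everything below is constructed for illustration (hypothetical names/values).
SIGNING_KEY = b"constructed-demo-key"          # shared by issuer and storage edge
STORAGE_HOST = "https://files.example.com"     # placeholder storage/CDN host
LICENSES = {"alice": {"synth-one"}}            # user -> products they own
MAX_DOWNLOADS = 5                              # cap suggested in the thread
_download_counts = {}                          # (user, product) -> links issued


def _sign(path, expires):
    """HMAC over the exact path and expiry, so neither can be altered."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(user, product, now=None, ttl=300):
    """Server/cloud-function side: return a signed URL, or None if refused."""
    now = int(time.time()) if now is None else now
    if product not in LICENSES.get(user, set()):
        return None                            # no valid license
    key = (user, product)
    if _download_counts.get(key, 0) >= MAX_DOWNLOADS:
        return None                            # cap reached, needs manual reset
    _download_counts[key] = _download_counts.get(key, 0) + 1
    path = f"/products/{product}.zip"
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"{STORAGE_HOST}{path}?{query}"


def verify_link(url, now=None):
    """Storage side: serve the file only if the link is intact and unexpired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False                           # unsigned or malformed link
    if now > expires:
        return False                           # link has expired
    expected = _sign(parts.path, expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Because the file path and expiry are both inside the signed message, a leaked link cannot be retargeted at another product or have its lifetime extended; it simply stops working after `ttl` seconds.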
              • d.healeyD
                d.healey @gorangrooves
                last edited by

                @gorangrooves said in Facing product download dilemma/issues:

                there is a plugin that integrates with WooCommerce.

                Tell me more

                Libre Wave - Freedom respecting instruments and effects
                My Patreon - HISE tutorials
                YouTube Channel - Public HISE tutorials

                gorangroovesG 1 Reply Last reply Reply Quote 0
                • ustkU
                  ustk @d.healey
                  last edited by ustk

                  @d-healey @aaronventure @gorangrooves Thanks guys! That's indeed what I needed to hear...
                  As for the licensing part, it is all done and working using a php plugin I've made.
                  So really the only thing I need is generating a fresh link for identified users.

                  I will check the different storage solutions/CDNs you gave me in the next days to see which one fits my workflow the best. I tried Bunny CDN last week (just for the automated site acceleration part, not third party storage) and it was catastrophic for my website. I am not saying Bunny was the cause of the poor loading response by itself, but maybe more CDNs in general. Through this little journey I learned that almost no websites need a CDN and people often think it will help while in reality it doesn't (I've read this from different sources)
                  So since I only need a storage, a CDN might not be relevant to me (except if they offer separate pricing tiers so I don't use the habitual acceleration)

                  Can't help pressing F5 in the forum...

                  gorangroovesG 1 Reply Last reply Reply Quote 0
                  • gorangroovesG
                    gorangrooves @d.healey
                    last edited by

                    @d-healey The plugin is:

                    Upload Your WordPress Media to Amazon S3 with WP Offload Media - Delicious Brains Inc

                    Speed up your WordPress site by offloading your media to Amazon S3, DigitalOcean Spaces or Google Cloud Storage. Watch a full demo and see how it works.

                    Delicious Brains (deliciousbrains.com)

                    It automatically transfers all of your uploaded content from the website over to the CDN and updates the website links to pull assets from the CDN. You can offload any assets from the CDN to be served from your website.

                    For software distribution, I upload files directly to the Digital Ocean CDN. Unlike Amazon's ridiculous barrage of settings, it is as simple as "private or public" for any file. I set them to "public," as no one actually sees the direct links. The WP plugin, in conjunction with WooCommerce, creates unique links on the fly. The links expire as soon as they are used, but new ones are generated as soon as the user clicks on the download button.

                    When setting WooCommerce products, I use the CDN endpoint links for each product. You are provided 3 links for each uploaded file by the DO CDN: origin, CDN, and subdomain endpoints.

                    The WP Offload Media can also be used with Amazon.

                    Goran Rista
                    https://gorangrooves.com

                    Handy Drums and Handy Grooves
                    https://library.gorangrooves.com

                    1 Reply Last reply Reply Quote 1
                    • gorangroovesG
                      gorangrooves @ustk
                      last edited by

                      @ustk a CDN should be helpful since files are distributed to several "edge" locations around the world and get served to end users from the location closest to them.

                      The CDN plugin I mentioned here works great. I use it to serve all images, videos, and products from the CDN.

                      Make sure your website uses HTTP2 protocol, as multiple resources get served at the same time, as opposed to one-by-one, thus speeding up your website.

                      Goran Rista
                      https://gorangrooves.com

                      Handy Drums and Handy Grooves
                      https://library.gorangrooves.com

                      ustkU 1 Reply Last reply Reply Quote 0
                      • clevername27C
                        clevername27 @d.healey
                        last edited by

                        @d-healey Another vote for S3

                        gorangroovesG 1 Reply Last reply Reply Quote 0
                        • gorangroovesG
                          gorangrooves @clevername27
                          last edited by

                          @clevername27 Have you tried the Digital Ocean CDN?

                          Goran Rista
                          https://gorangrooves.com

                          Handy Drums and Handy Grooves
                          https://library.gorangrooves.com

                          clevername27C d.healeyD 2 Replies Last reply Reply Quote 0
                          • clevername27C
                            clevername27 @gorangrooves
                            last edited by

                            @gorangrooves I have not, no.

                            gorangroovesG 1 Reply Last reply Reply Quote 0
                            • gorangroovesG
                              gorangrooves @clevername27
                              last edited by

                              @clevername27 Then your vote doesn't count. Sorry. 😂

                              Goran Rista
                              https://gorangrooves.com

                              Handy Drums and Handy Grooves
                              https://library.gorangrooves.com

                              1 Reply Last reply Reply Quote 0
                              • ustkU
                                ustk @gorangrooves
                                last edited by

                                @gorangrooves yeah I understand the principle of CDNs and this is exactly why I jumped into it when realising the slowness of my website. Then after some tests and readings, I realised that only a few specific websites actually need one, and the fact that it is cached in several places is in the end not a good argument (which is weird to hear at first, I agree). A good optimisation of the website is way better than a CDN with a "natively messy and not optimised WordPress" website.

                                Can't help pressing F5 in the forum...

                                gorangroovesG 1 Reply Last reply Reply Quote 0
                                • gorangroovesG
                                  gorangrooves @ustk
                                  last edited by

                                  @ustk A CDN is not going to compensate for other shortcomings. It should be used in conjunction with and as part of the overall optimization process. I recommend running the tests and checking out the recommendations in browser dev tools.

                                  I've done a fair amount of this over the years. The most critical things that make the biggest impact are the size of images, caching of everything that can be cached, GZIP compression, lazy load of images and videos, and HTTP2 protocol. Of course, a good server is very important.

                                  Years ago, before I delved into all of this, I was working on a website and wondering why it was taking ages to load (50 sec). Then I realized my images were like 1.5MB each 😂 Once I brought them down to 120KB each and implemented the other optimizations, the website has been loading instantly ever since.

                                  Goran Rista
                                  https://gorangrooves.com

                                  Handy Drums and Handy Grooves
                                  https://library.gorangrooves.com

                                  1 Reply Last reply Reply Quote 1
                                  • d.healeyD
                                    d.healey @gorangrooves
                                    last edited by

                                    @gorangrooves said in Facing product download dilemma/issues:

                                    Digital Ocean CDN

                                    The price looks to be the same as S3 so I'm not sure I see an advantage to using it, other than not having to deal with AWS stuff (but I already have that set up and use it for mail too).

                                    Libre Wave - Freedom respecting instruments and effects
                                    My Patreon - HISE tutorials
                                    YouTube Channel - Public HISE tutorials

                                    gorangroovesG 1 Reply Last reply Reply Quote 0
                                    • gorangroovesG
                                      gorangrooves @d.healey
                                      last edited by

                                      @d-healey For you, if you are already on S3 and set up, there would be no advantage.
                                      For somebody new, the advantage of it is that it is a lot simpler and easier to use.

                                      I use both for a couple of websites I run, so I am able to compare them.

                                      Goran Rista
                                      https://gorangrooves.com

                                      Handy Drums and Handy Grooves
                                      https://library.gorangrooves.com

                                      1 Reply Last reply Reply Quote 1
                                      • ustkU
                                        ustk
                                        last edited by

                                        Alright guys, so finally Bunny CDN has an API for the storage part with secure/unique download link generation, so I go with it. (might not be the best but it's not the question for now, and since I will probably never have big sample based instruments but more DSP stuff, the size does not matter 😉)

                                        Can't help pressing F5 in the forum...

                                        gorangroovesG 1 Reply Last reply Reply Quote 0
                                        • ustkU ustk has marked this topic as solved on
                                        • gorangroovesG
                                          gorangrooves @ustk
                                          last edited by

                                          @ustk yeah, that's what she said. 😂

                                          Goran Rista
                                          https://gorangrooves.com

                                          Handy Drums and Handy Grooves
                                          https://library.gorangrooves.com

                                          1 Reply Last reply Reply Quote 1