Is it possible to make a Google Drive file accessible to an API key, but not to anonymous users?
up vote
0
down vote
favorite
We have a company website that is to host training videos. The website is available to anyone on the internet (users can login from home), but requires a username/password to login to it to see the videos. The videos contain private company information, and while we want employees to login to the website to watch the videos, we do NOT want them to download the videos and distribute them.
While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on google drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from google.
The HTML5 player on our website requires a direct link to the raw video files on the google drive. Using the actual google drive options, if we use the "shareable link", it links to a google page - not the raw data file. We found that we can link to the raw data file by creating a google API key, and using a link in this form:
https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media
Where FILE_ID is the file's ID from google drive, and API_KEY is our API key.
This works great, as long as the file permissions in google drive on those videos are set to allow access to anyone with a link can view the file.
The problem we have is that if an authenticated user (an employee) on our website opens the javascript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.
The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referrer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on google drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.
My question is this: is there any way to have google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?
The ultimate goal is for us to upload our videos to google drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from google.
google-drive-sdk asked Nov 10 at 7:16
John
11313
add a comment |
up vote
0
down vote
favorite
We have a company website that is to host training videos. The website is available to anyone on the internet (users can login from home), but requires a username/password to login to it to see the videos. The videos contain private company information, and while we want employees to login to the website to watch the videos, we do NOT want them to download the videos and distribute them.
While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on google drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from google.
The HTML5 player on our website requires a direct link to the raw video files on the google drive. Using the actual google drive options, if we use the "shareable link", it links to a google page - not the raw data file. We found that we can link to the raw data file by creating a google API key, and using a link in this form:
https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media
Where FILE_ID is the file's ID from google drive, and API_KEY is our API key.
This works great, as long as the file permissions in google drive on those videos are set to allow access to anyone with a link can view the file.
The problem we have is that if an authenticated user (an employee) on our website opens the javascript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.
The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referrer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on google drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.
My question is this: is there any way to have google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?
The ultimate goal is for us to upload our videos to google drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from google.
google-drive-sdk asked Nov 10 at 7:16
John
11313
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
We have a company website that is to host training videos. The website is available to anyone on the internet (users can login from home), but requires a username/password to login to it to see the videos. The videos contain private company information, and while we want employees to login to the website to watch the videos, we do NOT want them to download the videos and distribute them.
While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on google drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from google.
The HTML5 player on our website requires a direct link to the raw video files on the google drive. Using the actual google drive options, if we use the "shareable link", it links to a google page - not the raw data file. We found that we can link to the raw data file by creating a google API key, and using a link in this form:
https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media
Where FILE_ID is the file's ID from google drive, and API_KEY is our API key.
This works great, as long as the file permissions in google drive on those videos are set to allow access to anyone with a link can view the file.
The problem we have is that if an authenticated user (an employee) on our website opens the javascript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.
The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referrer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on google drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.
My question is this: is there any way to have google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?
The ultimate goal is for us to upload our videos to google drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from google.
google-drive-sdk asked Nov 10 at 7:16
John
11313
We have a company website that is to host training videos. The website is available to anyone on the internet (users can login from home), but requires a username/password to login to it to see the videos. The videos contain private company information, and while we want employees to login to the website to watch the videos, we do NOT want them to download the videos and distribute them.
While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on google drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from google.
The HTML5 player on our website requires a direct link to the raw video files on the google drive. Using the actual google drive options, if we use the "shareable link", it links to a google page - not the raw data file. We found that we can link to the raw data file by creating a google API key, and using a link in this form:
https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media
Where FILE_ID is the file's ID from google drive, and API_KEY is our API key.
This works great, as long as the file permissions in google drive on those videos are set to allow access to anyone with a link can view the file.
The problem we have is that if an authenticated user (an employee) on our website opens the javascript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.
The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referrer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on google drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.
My question is this: is there any way to have google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?
The ultimate goal is for us to upload our videos to google drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from google.
google-drive-sdk google-drive-sdk asked Nov 10 at 7:16
John
11313
asked Nov 10 at 7:16
John
11313
edited Nov 10 at 17:15
asked Nov 10 at 7:16
John
11313
asked Nov 10 at 7:16
John
11313
asked Nov 10 at 7:16
John
11313
11313
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32
add a comment |
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32
add a comment |
2 Answers
2
active
oldest
votes
up vote
3
down vote
accepted
As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos
answered Nov 11 at 18:36
alexwennerberg
1015
add a comment |
up vote
1
down vote
The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short lived duplicate on demand. Having said that, alexwennerberg is correct.
answered Nov 12 at 18:19
pinoyyid
13k73678
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53236830%2fis-it-possible-to-make-a-google-drive-file-accessible-to-an-api-key-but-not-to%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos
answered Nov 11 at 18:36
alexwennerberg
1015
add a comment |
up vote
3
down vote
accepted
As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos
answered Nov 11 at 18:36
alexwennerberg
1015
add a comment |
up vote
3
down vote
accepted
up vote
3
down vote
accepted
As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos
answered Nov 11 at 18:36
alexwennerberg
1015
As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos
answered Nov 11 at 18:36
alexwennerberg
1015
answered Nov 11 at 18:36
alexwennerberg
1015
answered Nov 11 at 18:36
alexwennerberg
1015
answered Nov 11 at 18:36
alexwennerberg
1015
1015
add a comment |
add a comment |
up vote
1
down vote
The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short lived duplicate on demand. Having said that, alexwennerberg is correct.
answered Nov 12 at 18:19
pinoyyid
13k73678
add a comment |
up vote
1
down vote
The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short lived duplicate on demand. Having said that, alexwennerberg is correct.
answered Nov 12 at 18:19
pinoyyid
13k73678
add a comment |
up vote
1
down vote
up vote
1
down vote
The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short lived duplicate on demand. Having said that, alexwennerberg is correct.
answered Nov 12 at 18:19
pinoyyid
13k73678
The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short lived duplicate on demand. Having said that, alexwennerberg is correct.
answered Nov 12 at 18:19
pinoyyid
13k73678
answered Nov 12 at 18:19
pinoyyid
13k73678
answered Nov 12 at 18:19
pinoyyid
13k73678
answered Nov 12 at 18:19
pinoyyid
13k73678
13k73678
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53236830%2fis-it-possible-to-make-a-google-drive-file-accessible-to-an-api-key-but-not-to%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
When API key is used, the file is required to be shared. So for your situation, for example, how about using service account? The service account is the different from owner's account. You can use the service account as other account. So users can retrieve only the specific file using the service account. For example, one of documents of service account is here. If this was not what you want, I'm sorry.
– Tanaike
Nov 10 at 8:37
What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
– John
Nov 10 at 17:10
I'm sorry. I noticed that when the file is loaded using an URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I noticed more suitable methods, I would like to tell you.
– Tanaike
Nov 10 at 23:32