Is it possible to make a Google Drive file accessible to an API key, but not to anonymous users?











We have a company website that is to host training videos. The website is available to anyone on the internet (users can log in from home), but requires a username/password to log in to it to see the videos. The videos contain private company information, and while we want employees to log in to the website to watch the videos, we do NOT want them to download the videos and distribute them.

While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on Google Drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from Google.

The HTML5 player on our website requires a direct link to the raw video files on Google Drive. Using the actual Google Drive options, if we use the "shareable link", it links to a Google page - not the raw data file. We found that we can link to the raw data file by creating a Google API key, and using a link in this form:

https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media

Where FILE_ID is the file's ID from Google Drive, and API_KEY is our API key.

This works great, as long as the file permissions in Google Drive on those videos are set so that anyone with a link can view the file.

The problem we have is that if an authenticated user (an employee) on our website opens the JavaScript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.

The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on Google Drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.

My question is this: is there any way to have Google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?

The ultimate goal is for us to upload our videos to Google Drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from Google.







google-drive-sdk














edited Nov 10 at 17:15

asked Nov 10 at 7:16
John












  • When an API key is used, the file is required to be shared. So for your situation, for example, how about using a service account? The service account is different from the owner's account. You can use the service account as another account. So users can retrieve only the specific file using the service account. For example, one of the documents about service accounts is here. If this was not what you want, I'm sorry.
    – Tanaike
    Nov 10 at 8:37

  • What we need is a way to have access to a raw video file using a URL embedded in our site, but if someone is smart enough to dig through the code and find that URL and paste it into their browser, for it not to let them download the video. Do you know if a service account can help with this?
    – John
    Nov 10 at 17:10

  • I'm sorry. I noticed that when the file is loaded using a URL of the file, the file is required to be shared. So in your case, I think that deploying Web Apps to the specific users might be better. When I notice more suitable methods, I would like to tell you.
    – Tanaike
    Nov 10 at 23:32






























2 Answers
3 votes, accepted

As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos

answered Nov 11 at 18:36
alexwennerberg
























1 vote

The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short-lived duplicate on demand. Having said that, alexwennerberg is correct.

answered Nov 12 at 18:19
pinoyyid
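The short-lived duplicate suggested in the answer above, sketched as server-side logic; this is an added example, not code from the answerers or from Google. It uses the Drive v3 REST calls files.copy, permissions.create and files.delete through an injected transport, so the master file is never link-shared and each playback session gets a copy that is deleted after a TTL; while a copy is live, anyone holding its link can still fetch it, so this only bounds how long a leaked URL works. Assumptions: `CopyBroker`, `FakeDrive`, `call`, `MASTER_ID` and the 900-second TTL are hypothetical names and values, the real transport would authenticate with a service-account token, and `FakeDrive` is a constructed in-memory stand-in so the block runs offline.

```python
import secrets
import time

DRIVE = "https://www.googleapis.com/drive/v3/files"  # Drive v3 REST base


class CopyBroker:
    """Hands out per-session copies of a private master file and revokes them.

    `call(method, url, body)` is an injected transport (hypothetical name). In
    production it would send the request with a service-account OAuth token.
    """

    def __init__(self, call, api_key, ttl_seconds=900, clock=time.time):
        self.call, self.api_key = call, api_key
        self.ttl, self.clock = ttl_seconds, clock
        self.live = {}  # copy_id -> expiry timestamp

    def issue(self, master_id):
        """Copy the master, link-share only the copy, return (id, media URL)."""
        copy = self.call("POST", f"{DRIVE}/{master_id}/copy",
                         {"name": "session-" + secrets.token_hex(8)})
        copy_id = copy["id"]
        try:
            # Only the throwaway copy is shared; the master stays private.
            self.call("POST", f"{DRIVE}/{copy_id}/permissions",
                      {"role": "reader", "type": "anyone"})
        except Exception:
            self.call("DELETE", f"{DRIVE}/{copy_id}", None)  # leave no orphan
            raise
        self.live[copy_id] = self.clock() + self.ttl
        # Same URL form as in the question, pointing at the copy.
        return copy_id, f"{DRIVE}/{copy_id}?key={self.api_key}&alt=media"

    def sweep(self):
        """Delete every copy whose TTL has passed; return the deleted ids."""
        now = self.clock()
        expired = [cid for cid, exp in self.live.items() if exp <= now]
        for cid in expired:
            self.call("DELETE", f"{DRIVE}/{cid}", None)
            del self.live[cid]
        return expired


class FakeDrive:
    """Constructed in-memory stand-in for the three REST calls (offline demo).

    Assumption: a fresh copy starts with no link sharing of its own.
    """

    def __init__(self, file_ids):
        self.perms = {fid: set() for fid in file_ids}  # id -> permission types
        self.count = 0

    def __call__(self, method, url, body):
        path = url[len(DRIVE) + 1:]
        if method == "POST" and path.endswith("/copy"):
            if path[:-len("/copy")] not in self.perms:
                raise KeyError("no such file")
            self.count += 1
            self.perms[f"copy{self.count}"] = set()
            return {"id": f"copy{self.count}"}
        if method == "POST" and path.endswith("/permissions"):
            self.perms[path[:-len("/permissions")]].add(body["type"])
            return {}
        if method == "DELETE":
            del self.perms[path]
            return {}
        raise ValueError(f"unexpected call: {method} {url}")

    def anonymous_can_read(self, file_id):
        return "anyone" in self.perms.get(file_id, set())


def demo():
    drive = FakeDrive(["MASTER_ID"])
    now = [1000.0]  # controllable clock so the TTL can be exercised offline
    broker = CopyBroker(drive, "API_KEY", ttl_seconds=900, clock=lambda: now[0])
    copy_id, url = broker.issue("MASTER_ID")
    while_live = (drive.anonymous_can_read("MASTER_ID"),
                  drive.anonymous_can_read(copy_id))
    now[0] += 901  # the session window has passed
    deleted = broker.sweep()
    return url, while_live, deleted, drive.anonymous_can_read(copy_id)


if __name__ == "__main__":
    print(demo())
```

The site would call `issue()` only after its own login check and run `sweep()` on a timer.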





























