Hi,
I'm experiencing pretty strange behaviour during page reloads.
Sometimes the img (user avatar) HTTP request is sent without x_mtok (=null), which leads to a failed, unauthorized download.
It happens after page reloads when the user is logged in with a resume token.
I guess the browser is trying to get the image file before the new session cookie is set.
So I'd like to ask if there is a hook which can be triggered, or a reactive variable to depend on, when the x_mtok cookie has been successfully set up?
P.S. When the same img (avatar) is displayed in multiple places, only the first attempt fails.
I've made several experiments and found the root of the issue in the src code.
Is there a reason for having a 25 ms timeout for setting the cookie?
Hello @vbelolapotkov
Is there a reason for having a 25 ms timeout for setting the cookie?
There definitely was a reason to do so, but I can not tell you what it was exactly :)
The problem here is that files are served via HTTP, but Meteor is built all around its own Methods. This issue was widely discussed here.
Good news - you can build your own authentication logic on top of the protected hook. As an example please take a look at this PR - https://github.com/thomasspiesser/ostrio-files-bug/pull/1/files#diff-ce079999c484c3f4db9b0cf78320926eR9
WDYT?
@dr-dimitru thanks for pointing out own auth on top of protected. My thoughts on that topic:
1) I can accept passing the "token" as a query param for Cordova, as it looks like there are no other options. But in the case of a browser it looks strange to me to implement almost the same thing as the package does (sending xmtok to check auth).
2) It is still not clear to me why the cookie is set asynchronously (it would be great to have an explanatory comment in the src code). Anyway, as a workaround I've added my own Accounts.onLogin() handler where I set x_mtok with ostrio:cookies, but synchronously. It works for me at least in Chrome. I will let you know if there are any problems with that approach in other browsers.
3) I agree with @menelike that using the session token is not the best option, especially in the case of clustered solutions with load balancing, or if there is a dedicated cluster of nodes for managing files. The login token looks like a better option as it is stored in the DB.
@vbelolapotkov
I mean you have the freedom of implementing your own logic if something default isn't working for you. Flexibility.
I'll run the tests without the timeout, and try to find in the history why we have done so, but there certainly was a reason.
The session is the safest option in terms of security concerns, as it is changing constantly, and can be used only to validate a user, not to authenticate. While a login token may remain the same for a long time, and can be used to log in without a login/password pair.
@dr-dimitru
With all that said, I think the issue can be closed. Thanks for your time.
Agree and thanks for creating that amazing and flexible package.
Thank you for choosing it :)
So IMO there is a place for an additional package which can implement custom short-time tokens.
Feel free to share it with us.
With all that said, I think the issue can be closed.
I'll keep it open to check if 25ms delay can be altered.
Hello @vbelolapotkov ,
This should be solved in v1.9.0.
Let me know if it works for your case.
Hi @dr-dimitru, thanks for the update.
I've tested the updated package and everything works smoothly.
I'll reopen the issue if I encounter any problems.
@vbelolapotkov awesome.
Thank you for this contribution.