Parse-server: Best way to add authentication to file retrieval?

Created on 31 May 2017 · 4 comments · Source: parse-community/parse-server

I'm creating an app that requires HIPAA compliance. My issue is that while the Parse Objects containing references to the images are secured by their ACLs, the images can be accessed by anyone if the filename is known or guessed (very unlikely but possible).

I understand that for most applications this is secure enough, but for HIPAA compliance, I think those images need to be only accessible by authenticated users with the permissions required to access the referencing object.

Now I don't have much knowledge of the code base, but I'm planning on creating a PR for this. Here's what I've come up with:

  1. Add a new boolean config option called authenticatedFileRetrieval or something
  2. In FilesRouter.js change router.get('/files/:appId/:filename', this.getHandler); to router.get('/files/:appId/:filename/:referencingClass?/:sessionToken?', this.getHandler); or use query parameters for the optional params. I'm not sure which would be more appropriate.
  3. In getHandler(), if authenticatedFileRetrieval == true, query the referencingClass using the sessionToken
  4. If the query returns the ACL secured object, continue as normal. If not, throw an error.

Maybe there's a better way to accomplish this? Or maybe someone can convince me that this isn't needed? Any input would be appreciated!
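The check proposed in steps 1-4, written out as an added example (this is not parse-server's own code, nor the code from any pull request on this issue). It is a stand-alone Node.js handler in the shape of an Express route handler, with in-memory stand-ins for the session store, the referencing class and the file adapter; the class name `Scan`, the file field `image`, the session tokens and the ACLs are all constructed here. Two choices differ from the issue text and are deliberate: the session token is read from the `X-Parse-Session-Token` header that Parse clients already send, rather than from the URL path or query string, where it would end up in access logs, proxies and browser history; and a file whose referencing object is not readable by the caller gets the same 404 as a file that does not exist, so the endpoint is not an oracle for guessing filenames.

```javascript
'use strict';
// Added example, not parse-server code. Assumes a hypothetical class "Scan"
// whose "image" field points at a stored file, and that only objects the
// caller can read (per the Parse-style ACL) may unlock that file.

// Constructed sample data: session token -> user id.
const sessions = new Map([
  ['r:alice-token', 'alice'],
  ['r:bob-token', 'bob'],
]);

// Constructed objects. ACL uses Parse's shape:
// { "<userId>": { read, write }, "*": { read } }  ("*" = public).
const objects = {
  Scan: [
    { objectId: 's1', image: { name: 'abc_xray.png' }, ACL: { alice: { read: true, write: true } } },
    { objectId: 's2', image: { name: 'public.png' },   ACL: { '*': { read: true } } },
  ],
};

// Constructed stand-in for the file adapter.
const fileStore = new Map([
  ['abc_xray.png', Buffer.from('PNG-bytes-1')],
  ['public.png',   Buffer.from('PNG-bytes-2')],
]);

// Parse semantics: an object with no ACL is publicly readable; otherwise the
// public entry or the caller's own entry must grant read. (Role-based ACL
// entries, "role:<name>", are not modelled here.)
function aclAllowsRead(acl, userId) {
  if (!acl) return true;
  if (acl['*'] && acl['*'].read) return true;
  return Boolean(userId && acl[userId] && acl[userId].read);
}

// Resolve the caller. No token => anonymous (null). A token that does not
// match a session is rejected outright rather than downgraded to anonymous.
function resolveCaller(req) {
  const token = req.headers['x-parse-session-token'];
  if (!token) return { userId: null };
  const userId = sessions.get(token);
  if (!userId) return { error: 'invalid session token' };
  return { userId };
}

// Find an object in className whose fileField names this file AND that the
// caller may read. This is what "query the referencing class using the
// session token" amounts to: the ACL is applied inside the lookup, so a
// forbidden object and a missing object look identical to the caller.
function findReferencingObject(className, fileField, filename, userId) {
  const rows = objects[className] || [];
  return rows.find(o =>
    o[fileField] && o[fileField].name === filename && aclAllowsRead(o.ACL, userId)
  ) || null;
}

// Express-style handler for GET /files/:appId/:filename. Returns a plain
// {status, body} object instead of writing to res so it can be tested directly.
function handleFileRequest(req, { className, fileField }) {
  const caller = resolveCaller(req);
  if (caller.error) return { status: 401, body: caller.error };

  const filename = req.params.filename;
  const ref = findReferencingObject(className, fileField, filename, caller.userId);
  if (!ref) return { status: 404, body: 'File not found.' };

  const data = fileStore.get(filename);
  if (!data) return { status: 404, body: 'File not found.' };
  return { status: 200, body: data };
}

// Helper to build a request the way the handler expects it.
function makeRequest(filename, token) {
  return { params: { appId: 'app', filename }, headers: token ? { 'x-parse-session-token': token } : {} };
}

module.exports = { handleFileRequest, makeRequest, findReferencingObject, aclAllowsRead };
```

To mount this in a real server you would replace the in-memory maps with a session lookup and a query that runs with the caller's session token (so the database applies the ACL, including roles), then wire the function into the existing `router.get('/files/:appId/:filename', ...)` route and stream the adapter's bytes on a 200. Note that the lookup is keyed on the referencing class and field, so the option from step 1 needs to carry that mapping (or the request must name the class, as step 2 suggests), and a file referenced from several classes needs one lookup per class.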

stale

All 4 comments

+1 I also need this for HIPAA Compliance.

+1 Would be a really useful feature.
@davidrichard23 I see your pull request and I found a short description about the tests - https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#run-your-tests-against-postgres-optional

Also, it looks like the tests should be added to parse-server/spec/
Maybe @dplewis can help on this? He's been contributing to the project.

@dplewis Did this come up somewhere?
Is there finally any commonly accepted solution or workaround to be able to add auth to file adapters?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
