1. Media binary data
    • 1.1.1 Use nginx auth_request
    • 1.2.2 Use S3
    • 1.2.3 Use Axinom DRM
    2. Database info
    3. Authentication
    • 3.1.1 Use JSON Web Token (JWT)
    • 3.1.2 OAuth 2
    • 3.1.3 Lightweight Directory Access Protocol (LDAP)

    1. Media binary data

    Media files are not encrypted at rest on our server, for several reasons. Instead we rely on the following mechanisms to control who may fetch them: every request for a file is authorized before the bytes are served.

    1.1.1 Use nginx auth_request

    The ngx_http_auth_request_module module (1.5.4+) implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the subrequest is considered an error.

    For the 401 error, the client also receives the “WWW-Authenticate” header from the subrequest response.

    This module is not built by default; enable it with the --with-http_auth_request_module configuration parameter.

    Sample config. The /auth location is marked internal so that clients cannot call it directly, and the service behind it must decide per request, from X-Original-URI together with the forwarded cookies or Authorization header, whether this user may read this particular file:

    location /private/ {
        auth_request /auth;        # subrequest to /auth decides: 200 allow, 401/403 deny
        ...
    }
    
    location = /auth {
        internal;                                      # only reachable as a subrequest
        proxy_pass ...
        proxy_pass_request_body off;                   # the auth service needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;  # lets the service authorize per file
    }
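    The service that proxy_pass ... points to can be as small as the WSGI app below. This is an added example, not the project's own code: the bearer-token session table, the per-user path prefixes and the X-Auth-User response header are constructed stand-ins for a real session store, ACL and identity header.

```python
"""Backend for nginx auth_request (added example, not the project's code).

nginx forwards the original request's headers (Cookie, Authorization, ...)
plus X-Original-URI in a subrequest and looks only at the status code:
200 = allow, 401 = no valid credentials, 403 = authenticated but not
allowed to read this file. The session table and ACL below are
constructed stand-ins for a real session store.
"""
import hmac
import posixpath
from urllib.parse import unquote, urlsplit
from wsgiref.simple_server import make_server

# Constructed sample data: opaque bearer token -> (user, URI prefixes the user may read).
SESSIONS = {
    "tok-alice-7f3a": ("alice", ("/private/alice/", "/private/shared/")),
    "tok-bob-91c0": ("bob", ("/private/bob/", "/private/shared/")),
}


def lookup_session(token):
    """Compare against every stored token in constant time, so response timing
    does not reveal how many leading bytes of a guessed token were right."""
    found = None
    for candidate, session in SESSIONS.items():
        if hmac.compare_digest(candidate.encode(), token.encode()):
            found = session
    return found


def authorize(headers):
    """Verdict for one subrequest; `headers` maps lower-case header names to values.
    Returns (status_code, user_or_None)."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return 401, None
    session = lookup_session(auth[7:].strip())
    if session is None:
        return 401, None
    user, prefixes = session
    # $request_uri is the raw request line: drop the query string, percent-decode,
    # and collapse "." / ".." so "/private/alice/../bob/x" is judged as /private/bob/x.
    raw_path = urlsplit(headers.get("x-original-uri", "")).path
    path = posixpath.normpath("/" + unquote(raw_path).lstrip("/"))
    if any(path.startswith(prefix) for prefix in prefixes):
        return 200, user
    return 403, user


def respond(environ):
    """Map a WSGI environ to (status_line, response_headers); app() just emits them."""
    headers = {
        "authorization": environ.get("HTTP_AUTHORIZATION", ""),
        "x-original-uri": environ.get("HTTP_X_ORIGINAL_URI", ""),
    }
    status, user = authorize(headers)
    reason = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}[status]
    response_headers = [("Content-Length", "0")]
    if status == 401:
        # nginx relays this header to the client on a 401.
        response_headers.append(("WWW-Authenticate", 'Bearer realm="media"'))
    if user:
        # nginx can capture it: auth_request_set $auth_user $upstream_http_x_auth_user;
        response_headers.append(("X-Auth-User", user))
    return f"{status} {reason}", response_headers


def app(environ, start_response):
    """WSGI entry point, so the check can be served behind `proxy_pass`."""
    status_line, response_headers = respond(environ)
    start_response(status_line, response_headers)
    return [b""]


if __name__ == "__main__":
    make_server("127.0.0.1", 8081, app).serve_forever()
```

    Saved as a script and started with python, it listens on 127.0.0.1:8081, so proxy_pass http://127.0.0.1:8081; in the /auth location points nginx at it. The path is normalized before the prefix check because $request_uri is the raw request line: without that step /private/alice/../bob/x, or its percent-encoded form, would pass a check on the /private/alice/ prefix while nginx serves the file under /private/bob/.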
    


    1.2.2 Use S3

    • The user calls "get media info" for a file.
    • The backend checks that this user may read that file and responds with an S3 presigned URL that expires after a short time.
    • The user plays the media from that URL until it expires.

    1.2.3 Use Axinom DRM

    See the Axinom DRM documentation for the details.

    2. Database info

    • Store passwords only as a one-way, salted hash computed with a deliberately slow password hashing function such as bcrypt, scrypt or Argon2 (a plain SHA-256 digest is not suitable: it is fast and unsalted, so one precomputed table covers every user).
    • Encrypt other private user data with a public key (asymmetric encryption) if the project requires it.
    • We never attempt to decrypt private data.
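    Password storage as an added example (not the project's code), using the standard library's PBKDF2 so it runs anywhere; bcrypt, scrypt or Argon2 through a library are equally good choices with the same shape. naive_sha256 is included only to show why a bare SHA-256 is not a password hash. The iteration count and record format are my choices, not the project's.

```python
"""Salted, slow password hashing with verification and parameter upgrade
(added example, not the project's code)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # OWASP (2023) minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def naive_sha256(password):
    """What NOT to do: fast, unsalted, and identical for every user with this password,
    so one precomputed table or one GPU run cracks the whole user table."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest. Storing the
    parameters with the digest lets them be raised later without a migration."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """True iff password matches the record; malformed records fail closed."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:          # bad field count, bad base64 or bad iteration count
        return False
    return hmac.compare_digest(actual, expected)   # constant-time compare


def needs_rehash(stored, iterations=ITERATIONS):
    """Call after a successful login: True if the record is weaker than current policy,
    in which case re-hash the (now known) password and overwrite the record."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != ALGORITHM
            or not parts[1].isdigit() or int(parts[1]) < iterations)
```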

    3. Authentication

    3.1.1 Use JSON Web Token (JWT)

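    An added example (not the project's code) of issuing and verifying an HS256 JWT with only the standard library, showing the checks a verifier must make: pin the algorithm rather than reading it from the token, compare the signature in constant time, and enforce exp (and nbf) with a small clock-skew allowance. The key, claims and lifetimes are constructed.

```python
"""HS256 JWT mint/verify with the checks that matter (added example, not the project's code)."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint(claims, key, ttl=900, now=None):
    """Issue a short-lived HS256 token carrying `claims` plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify(token, key, leeway=30, now=None):
    """Return the claims if the token is genuine and current, else raise InvalidToken."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        payload = json.loads(_b64url_decode(body))
        signature = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed")
    # The verifier pins the algorithm. Taking header["alg"] at face value is how
    # "alg":"none" and RS256->HS256 key-confusion attacks get in.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("bad signature")
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise InvalidToken("expired or missing exp")
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        raise InvalidToken("not yet valid")
    return payload


def is_valid(token, key, **kwargs):
    """Boolean wrapper around verify() for callers that only need a yes/no."""
    try:
        verify(token, key, **kwargs)
        return True
    except InvalidToken:
        return False
```

    Behind nginx auth_request the Authorization: Bearer header reaches the auth service unchanged, so verify() is what that service would run on it; the claims it returns (sub, scope) are what the per-file authorization decision should be based on.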

    3.1.2 OAuth 2

    OAuth 2.0 is the standard that lets a website or application access resources hosted by another web app on behalf of a user. It replaced OAuth 1.0 in 2012 and is the de facto industry standard for online authorization. OAuth 2.0 grants consented, scoped access: the client app can act on the user's resources only within the scopes the user approved, and it never sees the user's credentials. Note that OAuth 2.0 on its own authorizes access to resources; to authenticate the user (to learn who they are) use the OpenID Connect layer built on top of it.
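    The authorization code grant with PKCE (RFC 7636), both parties simulated in one process as an added example (not the project's code). The client registration, redirect URI, user and scope are constructed; the point is what each side must check: the server allow-lists the redirect URI, issues a single-use, short-lived code bound to the client and the PKCE challenge, and releases a token only for the matching verifier; the client checks state before it redeems the code.

```python
"""Authorization code flow with PKCE, client and server in one process
(added example, not the project's code). Client registration, redirect URI,
user and scope are constructed."""
import base64
import hashlib
import hmac
import secrets
import time


def s256(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        # Constructed client registration; redirect URIs are exact-match allow-listed.
        self.clients = {"media-app": {"https://app.example/callback"}}
        self.codes = {}    # authorization code -> what it was issued for
        self.tokens = {}   # access token -> (user, scope)

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge,
                  code_challenge_method, user):
        """/authorize, after the user has logged in and consented to `scope`.
        Returns the query parameters sent back to redirect_uri."""
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "challenge": code_challenge,
                            "user": user, "expires": time.time() + 60}
        return {"code": code, "state": state}

    def token(self, grant_type, code, client_id, redirect_uri, code_verifier):
        """/token: redeem a code exactly once, bound to client, redirect URI and verifier."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        issued = self.codes.pop(code, None)          # single use: a replayed code fails
        if issued is None or issued["expires"] < time.time():
            raise ValueError("invalid_grant")
        if issued["client_id"] != client_id or issued["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(s256(code_verifier), issued["challenge"]):
            raise ValueError("invalid_grant")       # a stolen code without the verifier
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (issued["user"], issued["scope"])
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": issued["scope"], "expires_in": 3600}

    def introspect(self, access_token):
        """What a resource server learns about a token: (user, scope), or None."""
        return self.tokens.get(access_token)


class Client:
    def __init__(self, client_id, redirect_uri, scope):
        self.client_id, self.redirect_uri, self.scope = client_id, redirect_uri, scope

    def start(self):
        """Build the /authorize request; keep verifier and state for the callback."""
        self.verifier = secrets.token_urlsafe(64)   # 86 chars, within RFC 7636's 43..128
        self.state = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": self.scope, "state": self.state,
                "code_challenge": s256(self.verifier), "code_challenge_method": "S256"}

    def callback(self, params, server):
        """Handle the redirect: check state (CSRF), then exchange the code."""
        if not hmac.compare_digest(params.get("state", ""), self.state):
            raise ValueError("state mismatch")
        return server.token("authorization_code", params["code"], self.client_id,
                            self.redirect_uri, self.verifier)


def run_flow(server, client, user):
    """Whole exchange: /authorize -> redirect carrying code+state -> /token."""
    request = client.start()
    redirect_params = server.authorize(user=user, **request)
    return client.callback(redirect_params, server)
```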


    3.1.3 Lightweight Directory Access Protocol (LDAP)

    The Lightweight Directory Access Protocol (LDAP) is a vendor-neutral protocol for looking up and modifying directory information (users, groups, devices) across a network. It is commonly used as a central authentication backend: an application looks up the user's entry, then verifies the password by binding to the directory as that user's DN, and it can use the same directory to control access to internal servers and printers.
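    Using LDAP as the password backend, as an added example (not the project's code): the search filter and bind DN are built from user input with RFC 4515 and RFC 4514 escaping, the password is checked by binding as the user rather than by reading userPassword, and an empty password is refused because a simple bind with an empty password is an anonymous bind that most servers accept. FakeDirectory, the base DN and the accounts are constructed stand-ins for a real server and client library; its search/bind methods mirror the shape of the calls, not any particular library's API.

```python
"""LDAP lookup and bind-based password check (added example, not the project's code).
BASE_DN, the accounts and FakeDirectory are constructed stand-ins."""
import hmac
import re

BASE_DN = "ou=people,dc=example,dc=com"


def escape_filter_value(value):
    """RFC 4515: characters that change a filter's structure are written as \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape characters that are special inside a DN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_filter(username):
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def user_filter_unsafe(username):
    """What NOT to do: the input '*)(uid=*))(|(uid=*' turns this into a filter that matches everyone."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def user_dn(username):
    return f"uid={escape_dn_value(username)},{BASE_DN}"


def authenticate(directory, username, password):
    """Return the user's DN if the password is right, else None.
    The directory checks the password during bind; userPassword is never read."""
    if not password:
        return None   # empty password = anonymous simple bind, which "succeeds" on most servers
    matches = directory.search(BASE_DN, user_filter(username))
    if len(matches) != 1:
        return None
    return matches[0] if directory.bind(matches[0], password) else None


class FakeDirectory:
    """In-memory stand-in that understands only the exact filter shape user_filter() builds."""
    _prefix, _suffix = "(&(objectClass=inetOrgPerson)(uid=", "))"

    def __init__(self, accounts):            # {uid: password}, constructed
        self.passwords = {user_dn(uid): pw for uid, pw in accounts.items()}
        self.uids = set(accounts)

    def search(self, base, ldap_filter):
        if base != BASE_DN or not (ldap_filter.startswith(self._prefix) and ldap_filter.endswith(self._suffix)):
            return []
        raw = ldap_filter[len(self._prefix):-len(self._suffix)]
        uid = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [user_dn(uid)] if uid in self.uids else []

    def bind(self, dn, password):
        stored = self.passwords.get(dn, "")
        return bool(password) and hmac.compare_digest(stored.encode(), password.encode())
```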
