image accessibility for authenticated users only

You have to store your image outside of the public folder. Storage/app is made for this.

Then you have to create a route and a controller action to display the image from the file in storage. Of course you protect the route with auth middleware.

Route::get('images/{slug}.jpg', [
    'as' => 'images.show',
    'uses' => 'ImagesController@show',
    'middleware' => 'auth',
]);

class ImagesController extends Controller
{
    public function show($slug)
    {
        // get the image named $slug from storage and display it

        // Something like (not sure)
        $image = File::get('images/' . $slug . '.jpg');

        return response()->make($image, 200, ['content-type' => 'image/jpg']);
    }
}

In my application I use

 public function __construct()
    {
        // Verify that the user is currently logged in
        $this->middleware('auth');
    }

at the top of my controller

@pmall thx i will try and let you know @Joshaldridge that is nice of you but I am not looking for authentication, i was looking for authenticating the image

@maytham remember that using this makes the whole laravel application boot up when serving an image. It is way less efficient than serving images directly.

@pmall, I have created the controller and update route; it looks working but the image returning following message:

The image "http://laravel5.localhost:8080/images/test.jpg" cannot be displayed because it contains errors.

And the second question how about .png and .gif files?

@pmall it is fixed now

the route is fine but the contoller i did following

$image = storage_path('app/images/' . $slug . '.jpg');
return \Image::make($image )->response();

How secure do the images need to be? If you want to make it impossible to access them without being authenticated, then you can do what @pmall suggested. If you just want to make sure people can't discover them, but don't care if they are publicly accessible (meaning, a non authenticated person can access the image if they know the URL), then you can rename the file using something like a SHA1 hash or similar, and store the new name in the DB. You can use some combination of the original file name + user id + microtime or something like that as a seed for the SHA1 function, so there is no chance of a collision. Then you will end up with filenames like this:

58236af985c0c7c2d99af0c52a8a786fb979d504ccfa483b0fc844dbac64911a.jpg

Pretty much impossible for anyone to guess at that point.

@i960 a simple wget would download every files with your method

@pmall Does wget accept wildcards and will web servers respond to that? In other words, would this work?

wget http://www.example.com/images/*.jpg

If yes, then what you said is true. Which is why I asked if he really needed them secure or not. What I suggested is obfuscation and is only intended to stop people from randomly guessing via the browser. I suppose you could also have random folders as well.

I just tried. I used this:

wget http://www.mydomain.com/images/myrandomimage.jpg

And it gets the file. If I do this:

wget http://www.mydomain.com/images/*.jpg

I get a 403 forbidden. If I try it this way:

wget -r --no-parent -A '*.jpg' http://www.mydomain.com/images/

I also get a 403. Am I missing something?

@i960 ok I guess it depends on server config. But protecting access to something by giving it a random name is a bad solution anyway.

That's why I said it's not intended to be secure. Obfuscation is not security and I'm well aware of that. But unless he does something like basic or digest auth at the server level for the public images folder, there is no way that I know of to secure the files without booting the framework. It's just an alternative if performance is more important than security.

@i960 the file name was already hashed, but good point. and thank you for contributing, the images is not top secret but want just to make it difficult to stranger to play with it. @pmall thx dude, every thing is working now like charm,

Now all photos requires authentication to be seen and file name is hashed.

in my case i got this "could not load the image" how to fix?

@pmall As far as I understand, this in fact keeps it only accessible for an authenticated user, BUT this doesn't restrict access to a specific authenticated user. In this case any authenticated user could access any other authenticated users' image files. Am I right? How would you restrict access only to the authenticated user the images actually belong to? Thanks.

@TinoN Short answer, policies. Read this https://laravel.com/docs/5.4/authorization. Hope it helps.

@uusi Thanks, that helped!

@pmall It works as a charm, but when I get the link from the attribute and open the link on a new tab it downloads the image instead of displaying it. Is there a work around for that?