Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi guys!
In my application I'm using a filesystem to store files (you don't say). Currently I'm moving from the local driver to the s3 driver (using Digital Ocean Spaces) to speed things up.
Uploading works fine! Now I'm trying to figure out how the download process should be done.
Currently I have a DownloadDocumentFile controller, which does some authorisation and calls the download method of Laravel's Storage facade. I wonder if this is the way to go, because as far my knowledge goes, I think this is very inefficient since all downloaded data goes through my controller.
Another approach I've found is the temporaryUrl method, which needs an expiration stamp with it. This method will return a (pretty long) url with signatures and stuff. In this case I'd expand the timestamp with years, and save the signed url in my database.
So in closing, what is the preferred way to handle file downloads from your application using a service like S3?
Thank you for your thoughts!
Bob
I wonder if this is the way to go, because as far my knowledge goes, I think this is very inefficient since all downloaded data goes through my controller.
Not exactly, it creates a "download response" for the file at the given path (URL). So the actual download happens from S3.
but it is fair to say that you have to bootstrap the entire framework to return this download response, which is way slower than the browser fetching the url directly
Do you need security on these files, eg restrictions, or could the files be public?
Thank you for your responses @corvs and @snapey.
I think @corvs makes sense that the actual download happens from S3. I forgot about that. So my mistake I thought the data would go through my Laravel app.
But then @snapey comes in. The data wouldn't go through Laravel, but it would bootstrap the framework just to return stuff.
Thing is, the files I return should not be public. A possible solution would be that my API would return the temporary url's, which my frontend can use to download those files. Since I do have authorisation on my API endpoints, I am sure the temporary url's won't be shared with bad people.
But is it recommended to create temporary urls which are valid for forever, and store them in the database?
I have URLs to assets on S3 which although are public, they use impossibly long filenames so that someone cannot just walk through the files.
In this scenario, anyone with the url can access the resource (which works for my use cases), but it also means that the Laravel app is not touched when the client needs to retrieve the file.
The temporary url scenario is for instances where you want to give someone time limited access to the resource so that they are restricted from passing the url to someone else, or accessing the resource through log data or network captures. In this scenario, your temporary URL might expire in 10 seconds or just long enough for the client to retrieve the asset.
Making a non-expiring temporary URL is just the same as my first example since you have made it non-temporary and it therefore may as well be just a long random number.
Please or to participate in this conversation.