Protecting exports

Hello,

I’m working on an MVP that allows users to configure their models and purchase the corresponding export file. During testing, I implemented a piece of logic to handle export file generation, based on this snippet:

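        <Button
          onClick={async () => {
            const session = sessionRef.current;
            // Look up the export by name and take the first match.
            const exportObject = session?.getExportByName("Download 3MF")[0];
            // Request the export; this is the call that shows up as PUT .../export.
            const response = await exportObject?.request();
            if (response?.content && response.filename) {
              // The first content entry carries the download URL of the generated file.
              const downloadUrl: string = (response.content?.[0] as { href: string }).href;
              // Trigger the browser download through a temporary anchor element.
              const link = document.createElement("a");
              link.href = downloadUrl;
              link.download = response.filename;
              link.click();
            }
          }}
        >
          Download Export
        </Button>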

This logic is meant for testing, but in the final version, it will be moved to an external API service. The service will be triggered after the customer completes the checkout process. We’ll store the export file, generate a unique download link, and provide it to the customer.

During testing, I noticed that this code triggers this PUT /api/v2/session/{sessionId}/export call as seen in the network tab.

My concern is that as long as someone has access to the session ID (which is also visible in the network tab), they could potentially spoof the origin, make the PUT request themselves, and retrieve the export file URL.

Is there a way to secure this endpoint? Ideally, I’d like to add authorization to prevent unauthorized export generation. Any advice on how to achieve this would be greatly appreciated.

Yes, you can secure this endpoint to require a short-lived JWT. Please see this help page on JWT authorization for sessions.

Related platform help page: Embedding settings

Once you have enabled this setting, your backend application will need to make a call to the platform API to retrieve a JWT for the model, which you then pass on to your frontend for opening the session. Your backend application would be authorized by access keys: https://help.shapediver.com/doc/platform-api-access-keys

So it’s this call, right? POST oauth/token

Any idea how to limit the returned token’s scope to only allow create session, for example? I couldn’t find any examples.

Your deleted post was useful :wink:
It’s this call: api/v1/tokens
You can limit the scope to group.view for usage in the browser. This scope does not allow exports. In the backend you would use group.view and group.exports.
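
The scope split described in the last reply (group.view for the browser, group.exports only in the backend) can be checked before a token leaves the backend. The following is an added example, not code from this thread or from ShapeDiver; it assumes the JWT carries its scopes in a "scope" claim (space-separated string or array) and its expiry in "exp", and the function names, the one-hour limit and the sample tokens are constructed for illustration.

```javascript
// Added example, not ShapeDiver code. Assumed claim layout: `scope` is a
// space-separated string or an array, `exp` is seconds since the epoch.
const BROWSER_ALLOWED = new Set(["group.view"]); // scope named in the thread
const MAX_TTL_SECONDS = 3600; // assumed upper bound for "short-lived"

// Decode the payload segment of a JWT without verifying the signature.
// This only inspects a token the backend itself just obtained over TLS;
// it is not a substitute for signature verification on untrusted input.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (claims === null || typeof claims !== "object") throw new Error("payload is not an object");
  return claims;
}

// Returns the list of reasons the token must not be sent to a browser.
function browserTokenProblems(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  let claims;
  try { claims = decodeClaims(jwt); } catch (e) { return ["unparseable token: " + e.message]; }
  const problems = [];
  const scopes = Array.isArray(claims.scope) ? claims.scope
    : typeof claims.scope === "string" ? claims.scope.split(/\s+/).filter(Boolean) : [];
  if (scopes.length === 0) problems.push("no scope claim");
  for (const s of scopes) {
    if (!BROWSER_ALLOWED.has(s)) problems.push("scope not allowed in browser: " + s);
  }
  if (typeof claims.exp !== "number") problems.push("no exp claim");
  else if (claims.exp <= nowSeconds) problems.push("token already expired");
  else if (claims.exp - nowSeconds > MAX_TTL_SECONDS) problems.push("lifetime too long");
  return problems;
}

// Constructed sample tokens (dummy signature), for demonstration only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "constructed-signature"].join(".");
}
const NOW = 1700000000; // fixed clock so the results are reproducible
const viewOnly = makeSampleToken({ scope: "group.view", exp: NOW + 600 });
const withExports = makeSampleToken({ scope: "group.view group.exports", exp: NOW + 600 });

console.log(browserTokenProblems(viewOnly, NOW));
console.log(browserTokenProblems(withExports, NOW));
```

A backend route that hands tokens to the frontend would refuse to respond whenever the returned list is non-empty, so a token carrying the export scope never reaches the network tab.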