In standalone mode, Cantaloupe has built-in support for HTTP Basic authentication. To enable it, set the following keys in the configuration file:
When enabled, the entire website and all endpoints will be restricted.
A custom delegate script method can be used to implement authorization logic ranging from simple to complex. The image server will execute this method upon every image request and, depending on its return value, either authorize the request (by returning HTTP 200 OK), or not (by returning HTTP 403 Forbidden).
The delegate method in question is called authorized?. A skeleton with documented parameters and return values is present in the delegates.rb.sample file. By default, it just returns true, authorizing all requests.
The authorization method will be called on every image request and should therefore be written to be efficient.
The authorization method will be called upon requests to all image endpoints, but not information endpoints.
Implementations should not assume that the underlying source image actually exists, but they should not try to check for it regardless—the image server will handle that. (But, the check may occur after the delegate method is invoked.)
Note: The parameters passed to authorized? are not guaranteed to be safe. identifier, for example, will be exactly as supplied in the URL. Always prefer prepared statements over string concatenation in order to reduce susceptibility to SQL injection attacks.
Allow only JPEG output
Allow only certain user agents
This is not foolproof—if a client knows what User-Agent you are checking for, they can spoof it.
Allow only requests from clients that have an authorization cookie
If you have an authorization service that sets a cookie, you can check for it. Cookies can't be shared across domains, but this could still work if you can set the cookie on a parent domain.
Restrict a region of an image
In this example, requests for images containing any part of the bottom right quadrant of the source image will be denied.