To enable HTTP Basic authentication on image and information endpoints, set the following configuration keys:
A custom delegate method, authorized?(), can be used to implement authorization logic ranging from simple to complex. It will be invoked upon every image request. A skeleton with documented parameters and return values is present in the delegates.rb.sample file. By default, it just returns true, authorizing all requests.
Another method, redirect(), can be used to conditionally redirect to a different URL.
The authorization method will be called on every image request and should therefore be written to be efficient.
The authorization method will be called upon requests to all image endpoints, but not information endpoints.
Implementations should assume that the underlying source image exists, even though it may not. The image server will check for existence, but the check may occur after the delegate method is invoked.
Allow only requests for half-scale images or smaller
Allow only requests for identifiers matching a certain pattern
Allow only requests for images set as "public" in a MySQL database
The arguments in the context hash are not sanitized. context['identifier'], for example, will be exactly as the application receives it. Prefer prepared statements over string concatenation in order to reduce vulnerability to injection attacks.
Allow only JPEG output
Allow only certain user agents
This is not foolproof—if a client knows what User-Agent you are checking for, they can spoof it.
Allow only requests that supply a valid token in a header
Restrict a region of an image
In this example, requests for images containing any part of the bottom right quadrant of the source image will be denied.