[ZendTo] Single-use download links

Jules Jules at Zend.To
Thu Feb 18 09:14:20 GMT 2021 

John,

Thanks for that, it is very helpful.
See below for comments in-line...

On Wed 17/02/21 19:37, John Thurston via ZendTo wrote:
> On 2/17/2021 3:27 AM, Jules via ZendTo wrote:
>>    Â
>>
>> *CAUTION:* This email originated from outside the State of Alaska 
>> mail system. Do not click links or open attachments unless you 
>> recognize the sender and know the content is safe.
>>
>> Folks,
>>
>> One site has asked me to add functionality to allow them to create 
>> drop-offs in which each file can only be downloaded once.
>>
>> Effectively "one-shot" download links.
>
> Meh. I can't see the use, but I can see it generating support calls. 
> If you add it, *please* make the feature invisible unless explicitly 
> enabled at the application-layer.
There will be a show.... preferences.php setting to enable and disable it.

>
> re: value
> A 'download' count has to be incremented when the download process 
> starts. The application-layer doesn't really know if the download 
> succeeded. So a one-shot token will be burned, even if the payload 
> wasn't delivered.
I was going to set the "it's been downloaded" flag when ZendTo thinks 
the download process is complete. So if the user's download fails to 
start or break part-way through, that doesn't count as being downloaded. 
I'm literally going to put the "set the flag" code immediately before 
ZendTo logs that the file has been downloaded.

>
> Once a customer has a payload, it can be shared with anyone the 
> recipient cares to. What's the point of limiting the number of times 
> it can be pulled from the server?
Agreed, but it stops any 3rd party who manages to get hold of the 
ClaimID and Passcode from easily getting their own copy. Yes, the 
recipient can choose to share it. But if a "bad actor" gains access, 
finding a copy will be a whole lot harder for them.

>
> If the uploader wants to limit the number of downloads, the "file has 
> been downloaded" mail message can be used to prompt manual deletion.
Indeed it can.

>
> re: support
> Every failed download of a one-shot is gonna tirgger a complaint when 
> the URL doesn't work on the retry.
The sender can use the "Resend Drop-off" button via their ZendTo Outbox 
to reset the "has it been downloaded" flags. That's communicated to the 
sender when they create the drop-off.

> Before someone recommends this feature, they should study their Apache 
> log and see how often a single person restarts each download. I've 
> looked in mine, and I won't be enabling this feature.
I entirely agree here. I'm hoping that not setting the "it's been 
downloaded" flag until ZendTo is as confident as it can be that the 
download has completed, will reduce the failure count. But you are 
spot-on that any site using this feature needs to accept that there is 
going to be a certain support cost that goes along with it. I'm trying 
my very best to minimise that support cost, but there is no way to 
reduce it to 0.

The site that initially requested this were fully accepting of this cost.

Cheers,

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'A committee is a group of the unwilling, chosen from the unfit,
  to do the unnecessary.' - Anon

www.Zend.To
Twitter: @JulesFM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20210218/e3248bcb/attachment.html>

More information about the ZendTo mailing list