We have to restrict access to some content to specific users and found this helpful tutorial:
If we understand correctly, the URL with the token could be passed to a third party and would still be valid.
That’s why we wonder if it’s possible to add some more security by utilizing something like a user or session ID stored in a cookie and sent to the server for token creation and validation. Additionally, we would like to bind the token to a specific URL, but without configuring all URLs explicitly in the custom VCL script. But if we could add something like the user ID to the token, we could probably also add the URL and have a token validated for a specific user and a specific URL, right?
Some pseudocode: `create_token(expiration, user_id, url, secret)`, `validate(token, user_id, url, secret)`
Any help is greatly appreciated! We are quite new to this, so our idea might not be the best solution to our problem, which is restricting access directly on Fastly’s servers without an authentication/authorization backend.
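The scheme sketched in the question, written out as an added example (this is not code from the tutorial, from Fastly, or from the original poster). It assumes a token shape of `expiry_signature`, where the signature is an HMAC-SHA256 over the expiry, the user ID and the canonical request path; the secret, the `user-42` ID and the paths are made-up values. Binding the user ID into the MAC means a token copied to someone else fails unless they also present the same cookie value, and binding the path means one token cannot be reused for a different URL without listing URLs in VCL. In VCL the same construction maps onto the HMAC digest functions, with the user ID read from the request cookie instead of a function argument.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Hypothetical shared secret for the example; in practice it lives in the edge
# configuration (and is rotated), never in application source.
SECRET = b"replace-me-with-a-random-32-byte-secret"


def _canonical_path(url):
    """Reduce a full URL or a bare path to the path component the token is bound to.

    The query string is dropped on purpose so that '/a?x=1' and '/a?x=2' share a
    token; include parts.query in the return value if the query must be covered too.
    """
    parts = urlsplit(url)
    return parts.path or "/"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(expiration, user_id, path, secret):
    # Length-prefix every field so that no choice of user_id or path can make two
    # different (user, path) pairs produce the same MAC input.
    fields = [str(int(expiration)), str(user_id), path]
    message = "".join(f"{len(f)}:{f}" for f in fields).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).digest()


def create_token(expiration, user_id, url, secret=SECRET):
    """Return '<unix-expiry>_<base64url HMAC>' bound to user_id and the path of url."""
    expiration = int(expiration)
    sig = _mac(expiration, user_id, _canonical_path(url), secret)
    return f"{expiration}_{_b64url(sig)}"


def validate(token, user_id, url, secret=SECRET, now=None):
    """Check a token presented with a given user_id (e.g. from a cookie) for a URL.

    Returns (ok, reason). A wrong user, a wrong path, a different secret and a
    tampered signature all surface as 'bad signature'; only a correctly signed
    token that has passed its expiry is reported as 'expired'.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        exp_str, sig_text = token.split("_", 1)
        expiration = int(exp_str)
        provided = _b64url_decode(sig_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (False, "malformed token")
    expected = _mac(expiration, user_id, _canonical_path(url), secret)
    # compare_digest is constant-time and returns False on a length mismatch.
    if not hmac.compare_digest(expected, provided):
        return (False, "bad signature")
    if expiration <= now:
        return (False, "expired")
    return (True, "ok")


if __name__ == "__main__":
    exp = int(time.time()) + 600
    tok = create_token(exp, "user-42", "https://example.com/private/report.pdf?dl=1")
    print(tok)
    print(validate(tok, "user-42", "/private/report.pdf"))   # (True, 'ok')
    print(validate(tok, "user-43", "/private/report.pdf"))   # (False, 'bad signature')
    print(validate(tok, "user-42", "/private/other.pdf"))    # (False, 'bad signature')
```

One caveat worth keeping in mind with this design: the cookie value is itself a bearer credential, so someone who obtains both the URL and the cookie can still use the token. What the binding buys is that the link alone is no longer enough, and that a leaked token is confined to one user ID and one path until it expires.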