investigating Proxima API file Downloading Problem

Hey Guys,
Im trying to use Proxima to "GET" audio info from a sister site. The get request is complete with the download URL but when I go to download it, it says "Error: offsite media downloads are blocked". I dont have the "block file downloads" checked in the Audio module but do have have a price greater than 0 so it looks like it cant be downloaded.

I did notice the profile owner can download their own files , can this be allowed via PROXIMA when the logged in (in Proxima) owner is the profile owner to be able to retrieve files via the API?
I would customize but this looks to happen in the CORE module (index.php line 6499)
Any thoughts?
Regards!

UPDATE: FIXED the error offsite by adding All domains allowed but now get the Item must be purchased to be downloaded. I see there is a jrUser can edit item check. Can we get this to work with users that sign in with Proxima?? (Possibly editing the jrUser_can_edit_item function to add the Proxima User?)
updated by @kevinm: 12/11/18 04:31:12PM

Jamroom tries real hard to protect media that is for sale. If I am understanding correctly, you have media on another site that you are making available via Proxima - and you want media that is even for sale to be "downloadable" from that site if the user is logged in?


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Yes, But ONLY to the User that owns that profile. They are signing in via Proxima to access there own account info and media. The owner can GET the info but cant download due to the jrUser_can_edit_item check even though they are the owner.

OK - let me check out how to get that info into the Core check the proper way.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Are you constructing your own download URL or are you using a Proxima Bridge request to get the Audio info? You should be able to download using Proxima File (which bypasses the checks).


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

I am using Proxima Bridge, i am using the download URL that I get when requesting through any GET request. I can see the URL but gives me the error, even though I am signing on as the owner.

I think what I need to do here is:

- detect if Proxima File is installed and update the URL to use Proxima File
- add safeguards that the core provides except if the request is from the file owner

Right now it's not really possible to "inject" anything from Proxima into the core, so its better we just use the Proxima File download/stream handler since it's already aware of the user account making the request. This is due to the fact that a Proxima session is not the same as a JR session (they are much, much lighter weight so the backend can handle a ton more).


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

I see!! That makes sense! I was wondering that fact also that a Proxima user session isnt the same as a JR session and that the view_download_file check that its doing would even work with Proxima credentials. Thank you for looking into this! Its been a bug of mine for 3 days!

No problem

I've just pushed up version 1.2.0b1 of the Proxima Bridge module to the Marketplace BETA channel that should work for this now. Update to that new version (you may need to enable the BETA channel in your Marketplace -> Tools Release Channels section).

I ended up creating a custom download view in the Bridge module specifically for bridged items - this way it follows the JR convention for profile privacy and whether or not the item is for sale. If the request is coming in from the profile owner it is always allowed.

Update and you'll see the Bridge GET request will have a new download URL in it - use that and let me know how that works.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Perfect and will do!! Ill do that tonight and test and let you know!

Thank you!

Hey Brian,
Did a quick try on the beta and wanted to let you know before it got out to others was there is an error in the URL. When using GET the audio_file_download is http://www.example.com/px_bridge/bridge/download/uploaded-audio/
When i took out /bridge/ and left px_bridge/ it WORKED!!!! So just update your code and ill re-download the bridge module and ill work at it.

Ill toy with it more and get back to you about anything I find.
Thanks!
updated by @kevinm: 07/11/18 02:18:18PM

Yep - that's a mistake - I've fixed that so go to Marketplace -> Tools -> Reload Modules or Skins and reload the Bridge module and you should be good.

Let me know if that helps.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

I think its looking good!
Thanks!!

Hey Brian, I am getting a problem when downloading when an item has a price. Even though I am logging on as the profile owner I am still getting a 401 error. Ive tried this both in the script and in postman and Its consistent with the error. I also tried it on an item without a price and I was able to download it.

It looks like the error is being called at ProximaBridge/Index.php line 77 - 111. My guess is the jrProximaCore_get_session_profile_id isn't registering the profile id and I couldn't find the $GLOBALS['APP_SESSION_PROFILE_ID'] (the jrProximaCore_get_session_profile_id function) in any of the set variables.

Any thoughts?
updated by @kevinm: 07/25/18 02:06:04PM

The price check is completely bypassed for the item owner:


APP_SESSION_PROFILE_ID is set in Proxima Core in the jrProximaCore_create_user_session() function.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Yes, thats what I see in the code but thats the problem is that its not getting bypassed when trying to download the file by the owner, and I dont see any session being stored in the GLOBALS variable above.
When I am logged in as owner, it is still going thru the checks hence thats why I cant download anything thats for sale.

Like in the other post, this makes me think there is a session issue - the item owner should never get caught up in that check since their profile_id is the same as the items profile_id.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

After rechecking I am still unable to get a file downloaded if the user is the owner. I have tried with both the master and client keys. The user is able to login and obtain a session key and generate a GET response to get the download url with other item information. If this were a login issue I wouldn't see those (200) responses.

After doing more sleuthing to this problem I have found that there might be a session problem the jrPromixaCore_get_session_profile_id(). Debugging I found that the 401 code was fired in the ProximaCore/index.php line 119. $blk is coming back as true.
I am getting the code 200-session started with the correct id (owners id) when logging in.
Use the GET to find the downloadable URL. Go to the URL and get the 401 code.
At line 80 the profile owner check happens but I dont think the jrProximaCore_get_session_profile_id is checking that I am the owner of the item Im trying to download as it goes through the cases below to line 114.
Can you take a look at this and find whats going on with the session user id?
Regards,
Kevin

Sorry for the really late followup here Kevin - let me see if I can spot where you're having an issue and I will let you know.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

And just to double check - you are NOT using the master key in this scenario - it is a file that has been uploaded by the same profile_id that is trying to download it? Was the file created on the JR side or on the Proxima side?

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Hi Brian,
I have actually tried both the Master and Client key and have gotten the same response (401).
The file is uploaded via JR and its ONLY when a PRICE is attached for the owner (same profile_id of the user) of the file. When there is no price it does transfer.
thanks for the followup and if you need anymore help troubleshooting let me know be glad to help.
Regards,
Kevin

Thanks for the update Kevin - so it's all related to the price - that's good to know and I will check it out.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net