How to share documents using a secret link?

Hi, MongoDB community! :wave: I would like to implement a feature in my Realm app that allows users to share a document using a public link containing a secret string (similar to apps like Dropbox). The user that receives the link shouldn’t need to register, so they are authenticating anonymously.

How can I set up query roles for this use case? The examples in the documentation always use the %%user variable do detemine if a user is allowed to access a document. Essentially, I would like to set the role based on some additional value provided by the user (the secret string), not based on the user’s identity or some value stored in the user document. An “Apply When” expression for this role could look like this:

{
  "share_secret": "<value provided in the request>"
}

Is there a way to pass additional values like this? Can I add restrictions on what the user can query so that share_secret must always be included? For example, I would like to prevent users from querying any document because they could get a document that they are not authorized to read:

collection.findOne({});

But I want to allow them to do this:

collection.findOne({ share_secret: "abcdefg" });

Let me make a stab at trying to answer this fairly obscure request. First, at this point in time with MongoDB Realm, you would probably have to use Sync Permissions to control access to the “secret” document. In laymen’s terms, this means make your share_secret the partition key value of the document in question.

Your sync rules would need something like this

{
  "%%user.custom_data.secretPartitions": "%%partition"
}

You would then define a Custom User Data with a secretPartitions array.

When a user got the secret on a client device, it would have to call a function on the MongoDB Realm Application server that would add the secret to the secretParitions array in the Custom User Data.

The only question I have is that I don’t know how this would work for anonymous users, but in theory it should.

For more insight, please consult the article I wrote last month concerning Realm Sync Permissions.

MongoDB Realm Sync Permissions Explained

I hope this was useful, and good luck.

Richard Krueger

Hi Richard, thank you very much! I think that a variation of your idea could work in this case. Instead of storing the secret in the user data, the function would store the user ID in the shared document because the user data is not always up to date (according to the docs, the data is refreshed at least every 30 minutes). That way users can always access the document directly after visiting the invitation link.

The only small downside I can think of is that many (expired) anonymous user IDs can accumulate in the shared document over time.

I am glad that I was of some use. By the way, the client can force a refresh of the customer user data with a call to user.refreshCustomData() - to get over the 30 minute limit.

Yes, all of these anonymous users will be like plastic bottles accumulating in the Pacific. You could always run a timer trigger to clean them up on the background.

Richard

Thanks! I didn’t know about refreshCustomData. :+1:

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.