Secure Files in Xano using Base64 Encoding

Hello there! In this guide, we'll explore how to securely store and access files using Xano's no-code platform. We'll cover uploading files to your Xano database, accessing those files, deleting them on a regular cadence, and help you determine if this is the right solution for your needs. Let's dive in!

Storing Files Securely in Your Xano Database

To store files securely, Xano uses a unique approach. Instead of using a traditional file uploader, Xano stores the file contents as Base64-encoded data in a text field within a database table. This method provides more control over file expiration, download limits, and access permissions.

Here's how it works:

1. Set up a Database Table: Create a table in your Xano database to store file information. In the example, the table is named "files" and includes the following fields:

• `encoded_file` (Text): Stores the Base64-encoded file contents
• `user_id` (Reference): References the user who uploaded the file
• `allowed_access` (Array of References): Stores the IDs of users allowed to access the file
• `file_name` (Text): Stores the file name
• `expiration_date` (Date): Stores the date when the file should expire
• `allow_multiple_downloads` (Boolean): Indicates whether multiple downloads are allowed

1. Create an API Endpoint: Next, create an API endpoint to upload files. In the example, the endpoint is called "Upload a Secure File" and accepts the following inputs:

• `file` (File): The file to be uploaded
• `expiration_date` (Date): When the file should expire
• `allowed_access` (Array of References): Users allowed to access the file
• `allow_multiple_downloads` (Boolean): Whether multiple downloads are allowed

1. Encode and Store the File: In the function stack of the API endpoint, do the following:

• Get the raw file data from the `file` input
• Create a variable with an array of user IDs from the `allowed_access` input
• Base64-encode the raw file data and store it in a variable
• Add a new record to the "files" table with the encoded file data and other inputs

And that's it! The file is now securely stored in your Xano database.

Accessing Stored Files

To access a stored file, you'll need another API endpoint. In the example, the endpoint is called "Get a Secure File" and requires authentication to ensure only authorized users can access the file.

Here's how it works:

1. Set Up the API Endpoint: Create an API endpoint called "Get a Secure File" with a single input: `file_id` (ID of the file to be downloaded).
2. Retrieve the File Record: In the function stack, retrieve the file record from the "files" table using the `file_id` input.
3. Check User Authorization: Store the ID of the authenticated user in a variable. Use a precondition to check if the authenticated user's ID is present in the `allowed_access` array of the file record. If not, return an error message.
4. Decode the File: If the user is authorized, Base64-decode the `encoded_file` value using the `Base64_decode` filter.
5. Set Response Headers: To send the file data as the response, set the appropriate headers:

• `content-type`: Set to `application/octet-stream` to indicate a raw file response
• `content-disposition`: Set to `inline` with the `file_name` value

1. Handle Multiple Downloads: Check the `allow_multiple_downloads` value. If false, delete the file record from the table after sending the response.
2. Return the File: The response will be the Base64-decoded file data, which will be treated as a file download by the client due to the set headers.

With this endpoint, authorized users can download the stored file securely.

Deleting Files on a Regular Cadence

To keep your database clean and free up space, you'll want to delete expired files regularly. Xano provides two options for this:

1. Background Task: Create a background task that runs a custom function to delete expired files at a specified cadence (e.g., daily, weekly). The custom function should query the "files" table for records where the `expiration_date` is in the past and delete those records.
2. API Endpoint: Alternatively, you can create an API endpoint that performs the same task as the custom function above, allowing you to manually delete expired files on-demand.

By implementing either of these options, you can ensure that expired files are automatically removed from your database, keeping it lean and efficient.

Determining if This Solution is Right for You

While the Base64-encoded file storage approach in Xano offers excellent security and control, it may not be suitable for all use cases. Here are some considerations:

• Scalability: As the number of files in your database grows, the Base64-encoded data can become larger, potentially impacting performance when querying the database.
• File Size Limitations: Large files, such as high-resolution videos or PDFs, may not be practical to store using this method due to the increased database size and potential performance issues.
• Use Case: This solution is best suited for applications that don't require massive file storage requirements or have a limited number of files that expire quickly.

If you anticipate storing a large number of files or dealing with large file sizes, you may want to consider integrating with a third-party file storage service instead of storing files directly in your Xano database.

Conclusion

Xano's no-code platform provides a secure and flexible way to store and access files, giving you control over expiration dates, download limits, and access permissions. By following the steps outlined in this guide, you can implement this solution in your own applications.

If you have any questions or need further assistance, feel free to reach out to the Xano community or support team. Happy coding (or no-coding, in this case)!