Implementation of protected files serving

Author: LuckyCyborg

app/Config/Routing.php

@@ -40,4 +40,15 @@
             'twbs/bootstrap' => 'dist',
         ),
     ),
+
+    /*
+     * The Protected Files Serving configuration.
+     */
+    'files' => array(
+        // The path to the protected files.
+        'path' => BASEPATH .'files',
+
+        // The access token validity - in minutes.
+        'validity' => 180,
+    ),
 );

app/Platform/Bootstrap.php

@@ -14,7 +14,7 @@
 // Define The Application Version
 //--------------------------------------------------------------------------
 
-define('VERSION', '4.2.0');
+define('VERSION', '4.2.1');
 
 //--------------------------------------------------------------------------
 // Set PHP Error Reporting Options

app/Routes/Assets.php

@@ -2,6 +2,8 @@
 
 use Nova\Http\Request;
 
+use Carbon\Carbon;
+
 
 // Register the route for assets from main assets folder.
 $dispatcher->route('assets/(:all)', function (Request $request, $path) use ($dispatcher)
@@ -26,3 +28,23 @@
 {
     return $dispatcher->serveVendorFile($path, $request);
 });
+
+// Register the route for files from protected folder.
+$dispatcher->route('files/(:any)/(:any)/(:all)', function (Request $request, $hash, $timestamp, $path) use ($dispatcher)
+{
+    $basePath = Config::get('routing.files.path', BASEPATH .'files');
+
+    $validity = Carbon::now()->subMinutes(
+        Config::get('routing.files.validity', 180) // In minutes.
+    );
+
+    $localHash = hash_hmac('sha256', $path .'|' .$timestamp .'|' .$request->ip(), Config::get('app.key'));
+
+    if (! File::isDirectory($basePath) || ! hash_equals($hash, $localHash) || ($validity->timestamp > hexdec($timestamp))) {
+        return Response::make('Forbidden', 403);
+    }
+
+    $path = $basePath .DS .str_replace('/', DS, $path);
+
+    return $dispatcher->serve($path, $request);
+});