Hi everyone!
I'm working on a Node.js project and realized that sensitive documents (PDFs, images) are currently stored in the /public folder, making them accessible via direct URL. I need to fix this for privacy reasons.
I want to move the files to a private folder outside the web root and use a Server Action (with Security Restrict and the File Download step) to stream them only to authorized users.
Proposed API Workflow:
-
Security Restrict: First, I'll add a Security Restrict step to ensure only logged-in users with the correct permissions can access the file [cite: 2025-12-24, 2026-01-06].
-
Database Query: I'll fetch the specific filename and MIME type from the database using a
file_idparameter [cite: 2026-01-06]. -
File Download Step: I plan to use the "File Download" component, pointing to my private folder (outside
/public). -
Inline Disposition: I’ll set the download to "Inline" so that the browser's native viewer can render the PDF or image directly within the modal instead of forcing a download [cite: 2025-12-24].
Does this sound like the right architecture for a secure B2B environment, or are there hidden "gotchas" with Node.js streaming I should be aware of?
My questions for the experts:
-
What is the best way to handle the frontend preview (Modal with Image or PDF) when the source is a Server Action?
-
How do you deal with the iFrame/PDF preview behind an API to avoid SPA routing issues or binary data being rendered as text?
-
Are there any performance concerns when streaming every preview through a Server Action instead of using direct static links?
Would love to hear how you guys solve this!
