You’re not wrong. Active Storage’s built-in controllers are either unauthenticated or protected only by weak signature-based authentication:
ActiveStorage::BlobsController: Signature-based authentication, permanent signatures
ActiveStorage::RepresentationsController: Signature-based authentication, permanent signatures
ActiveStorage::DirectUploadsController: Unauthenticated ()
ActiveStorage::DiskController: Signature-based authentication, short-lived signatures
In a production app, you’ll likely need to authenticate, validate, rate-limit, and otherwise protect storage access more stringently. That means you’ll need to bring your own controllers.
We have warnings to this effect non-exhaustively peppered throughout the API documentation:
If you need to enforce access protection beyond the security-through-obscurity factor of the signed blob references, you’ll need to implement your own authenticated redirection controller.
We can more consistently/clearly/loudly document this—and PRs are welcome for that—but I don’t feel great about the current state of things regardless. We’re trading production safety for Fisher-Price simplicity. I don’t have a solution in mind at the moment.
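Added example, not part of the original post and not Active Storage's own code: a plain-Ruby sketch contrasting a permanent signed reference, which works for anyone who holds it, with a reference bound to a user and an expiry and checked against the logged-in user. The HMAC token format, the constructed key and every method name here are assumptions made for illustration.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-key" # constructed; a real app uses its own secret

def mac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Constant-time comparison so a mismatch does not leak MAC bytes via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(claims)
  body = [JSON.generate(claims)].pack("m0")
  "#{body}--#{mac(body)}"
end

# Returns the claims hash, or nil when the token is malformed or tampered with.
def verify(token)
  body, sig = token.to_s.split("--", 2)
  return nil unless body && sig && secure_equal?(mac(body), sig)
  JSON.parse(body.unpack1("m0"))
end

# Permanent bearer reference: names only the blob, so any holder can use it, forever.
def permanent_ref(blob_id)
  sign("blob" => blob_id)
end

def bearer_allows?(token)
  !verify(token).nil?
end

# Reference bound to one user and an expiry (epoch seconds).
def scoped_ref(blob_id, user_id, now, ttl = 300)
  sign("blob" => blob_id, "user" => user_id, "exp" => now + ttl)
end

# The check an authenticated controller would make: the session's user must
# match the token, and the token must not have expired.
def scoped_allows?(token, current_user_id, now)
  claims = verify(token)
  return false if claims.nil? || current_user_id.nil?
  claims["user"] == current_user_id && claims["exp"].is_a?(Integer) && now < claims["exp"]
end
```

In a Rails app the same decision would sit in a custom controller behind the app's own authentication, with `current_user_id` taken from the session rather than passed in.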