I think the best way to do this is to have the files which are to be
downloaded outside of the public folder and then use an action in a
controller which authenticates the download and then uses send_file to
send the file to the user. This way, the files are hidden from the
public until the controller sends them to the user.
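
The approach described above, sketched as an added example that is not part of the original post. The names PrivateDownloads, DownloadsController, GRANTS, the private_files directory and the use of session[:user_id] are assumptions for illustration; the path check also covers requested names that would resolve outside the storage directory.

```ruby
require "pathname"

# Hypothetical helper (not from the post): decides whether a user may fetch
# a named file and returns the path to pass to send_file.
class PrivateDownloads
  Denied  = Class.new(StandardError)
  Missing = Class.new(StandardError)

  # root: directory outside public/; grants: { user_id => [file names] }
  def initialize(root, grants)
    @root = Pathname.new(root).realpath
    @grants = grants
  end

  def path_for(user_id, name)
    raise Denied, "not signed in" if user_id.nil?
    raise Denied, "no grant" unless @grants.fetch(user_id, []).include?(name)
    candidate = @root.join(name)
    raise Missing, name unless candidate.file?
    real = candidate.realpath
    # Defense in depth: refuse anything that resolves outside the root
    # ("../" segments, absolute names, symlinks), even if it was granted.
    inside = real.to_s.start_with?(@root.to_s + File::SEPARATOR)
    raise Denied, "outside storage root" unless inside
    real.to_s
  end
end

# Controller wiring; only defined when loaded inside a Rails application.
if defined?(ApplicationController)
  class DownloadsController < ApplicationController
    # Assumed: grants come from your own model; this constant is a stand-in.
    GRANTS = { 1 => ["report.pdf"] }.freeze

    def show
      store = PrivateDownloads.new(Rails.root.join("private_files"), GRANTS)
      send_file store.path_for(session[:user_id], params[:name]),
                disposition: "attachment"
    rescue PrivateDownloads::Denied, PrivateDownloads::Missing
      head :not_found # same response for both, so file names are not disclosed
    end
  end
end
```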