public files - download

I think the best way to do this is to have the files which are to be downloaded outside of the public folder and then use an action in a controller which authenticates the download and then uses send_file to send the file to the user. This way, the files are hidden from the public until the controller sends them to the user.

send_file documentation:
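
The checks such a controller action would run before calling send_file, as an added example that is not part of the original post. DownloadGate, the ACL hash, current_user and params[:name] are assumed names, and the sample files are constructed.

```ruby
require "pathname"
require "tmpdir"

# Hypothetical helper: decides whether a user may download a file kept outside public/.
class DownloadGate
  Denied   = Class.new(StandardError)  # caller should answer 403
  NotFound = Class.new(StandardError)  # caller should answer 404
  # root: directory outside public/; acl: { "relative/path" => [user ids] }
  def initialize(root, acl)
    @root = Pathname.new(root).realpath
    @acl  = acl
  end

  # Returns an absolute path that is safe to pass to send_file, or raises.
  def resolve(user_id, requested)
    raise Denied, "sign-in required" if user_id.nil?
    begin
      real = @root.join(requested.to_s).realpath  # resolves ".." and symlinks
    rescue SystemCallError, ArgumentError          # missing file, NUL byte in name
      raise NotFound, "no such download"
    end
    rel = real.relative_path_from(@root)
    # Anything that resolves outside the root is reported as missing.
    raise NotFound, "no such download" if rel.each_filename.first == ".." || !real.file?
    raise Denied, "not allowed" unless @acl.fetch(rel.to_s, []).include?(user_id)
    real.to_s
  end
end

# In a Rails action (assumed names current_user and params[:name]):
#   send_file gate.resolve(current_user&.id, params[:name]), disposition: "attachment"

def try_download(gate, uid, name)
  File.basename(gate.resolve(uid, name))
rescue DownloadGate::Denied then :denied
rescue DownloadGate::NotFound then :not_found
end

# Constructed sample data: one private file, one file outside the root.
def demo_results
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "private_downloads")
    Dir.mkdir(root)
    File.write(File.join(root, "report.pdf"), "constructed sample")
    File.write(File.join(tmp, "secret.txt"), "outside the root")
    gate = DownloadGate.new(root, { "report.pdf" => [1] })
    { owner: try_download(gate, 1, "report.pdf"), other: try_download(gate, 2, "report.pdf"),
      anon: try_download(gate, nil, "report.pdf"), missing: try_download(gate, 1, "nope.pdf"),
      traversal: try_download(gate, 1, "../secret.txt") }
  end
end
```

Requests that resolve outside the storage root get the same answer as a missing file, so the response does not reveal which paths exist on the server.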