How to download / fetch a file bypassing access controls as the server?

Howdy,

My use case is I have a custom route and want to fetch a raw file from within the server itself.

I use payload to get the

that has my file with no issues:

{
  id: 1,
  resumeFile: {
    id: 2,
    title: 'Test',
    updatedAt: '2024-09-24T12:13:05.928Z',
    createdAt: '2024-09-24T12:13:05.928Z',
    url: '/api/private-files/file/test.pdf',
    thumbnailURL: null,
    filename: 'test.pdf',
    mimeType: 'application/pdf',
  },
}

My

collection:

export const PrivateFiles: CollectionConfig = {
  slug: 'private-files',
  labels: { singular: 'Private File', plural: 'Private Files' },
  access: {
    create: authenticated,
    delete: authenticated,
    read: authenticated,
    update: authenticated,
  },
  fields: [
    {
      name: 'title',
      type: 'text',
    },
  ],
  upload: {
    staticDir: path.resolve('private/uploads/files'),
  },
};

So by design only authenticated users can view the file. However, the 'server' should also be able to get the file.

How exactly do I go from:

to a raw binary file. Using

will run into auth issues. I can't seem to find any sort of

wrapper around fetch that can do this (something like

with free auth baked in for the server would do the trick.

I don't want to use the hardcoded file path

obvioulsy because I want to use payload to abstract away that implementation detail.

Okay so from what I gathered, there is no built in way to do this so you have to authenticate with Payload even if the request is local to the server.

I believe there are 2 options:

1. Tweak your access controls so they detect the IP address in the request as local.

2. Use a system user account designed to do this and authenticate with user/pass or API key.

I opted for 2nd approach as it seems cleaner.

Docs:

Add to

collection:

  auth: {
    useAPIKey: true,
  },

Then make a new user in UI to be the

account.

Make an API KEY for this user, and use that in your app for local HTTP requests you need to authenticate.

Request looks like:

import User from '../collections/User'

const response = await fetch('http://localhost:3000/api/private-files/file/test.pdf', {
  headers: {
    Authorization: `${User.slug} API-Key ${SYSTEM_USER_API_KEY}`,
  },
})

Its a little weird using an API Key to authentication as a user for a local server request, ideally I'd want some way to bypass auth locacally directly via payload but I couldn't figure out how to do that.

Sorry to ping you directly. Do you know if the above approach is current best practice? I'd hate to be missing something obvious for the above use case.