Authorization for downloads #631

@artlowel

Description

Currently you have to provide a bearer token in a header to do anything that requires authorization on the rest api, including downloads.

That's a problem because when you're logged in and you click a link for a bitstream that isn't public, but you are permitted to download, you'll get an authentication error. The browser doesn't send that header with the download request automatically, and I haven't found a way to set it manually.

The only option you seem to have when working with a header is to download the file with an ajax request to a javascript object, and once it's complete, prompt the user with a save dialog to store it on their computer.

This has a number of disadvantages: It means the browser's regular download UI isn't used, so if you want to show progress you have to implement it in javascript. But the biggest problem is that when you do it with a javascript call the entire file needs to be stored in memory as it's being downloaded.

As I was looking for how people have solved this issue in the past, an approach that came back a number of times was to add an endpoint to the rest api that can use the existing header based authentication to generate a token that's only valid for a few seconds. That token can then be passed as a GET parameter when downloading something.

So in the UI, when you click a link to download a private bitstream, the client would first call that new endpoint to generate a short lived token, then add that token to the download URL and redirect the user to that URL. The rest api would use the token in the GET param to verify the user's authorization and return the file.

Here are two articles that go into more detail about the issue and the token approach
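The short-lived token flow sketched in this issue, as an added illustration that is not the project's own code: the token endpoint (already behind bearer-token authentication) mints an HMAC-signed token bound to one user, one bitstream and an expiry, and the download handler verifies it from the GET parameter before serving the file. The secret, identifiers, timestamps and failure reasons are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from server configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_download_token(user_id: str, bitstream_id: str, now: int, ttl_seconds: int = 30) -> str:
    """Token endpoint: runs after the bearer token has authenticated the user.
    Binding to user + bitstream + short expiry means a token leaked via the URL
    (browser history, proxy logs, Referer) grants little and for seconds only."""
    claims = {"sub": user_id, "bs": bitstream_id, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_download_token(token: str, requested_bitstream_id: str, now: int):
    """Download handler: checks the GET-param token for the bitstream actually
    requested. Returns (user_id, None) on success, (None, reason) on failure."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64url(payload_b64)
        sig = _unb64url(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Check the signature first (constant-time) so unauthenticated claims are never trusted.
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None, "expired"
    # A token minted for one bitstream must not unlock a different one.
    if claims["bs"] != requested_bitstream_id:
        return None, "bitstream mismatch"
    return claims["sub"], None
```

The handler can then run its normal authorization check for the returned user id against the bitstream, so the token only replaces the missing header rather than the access decision itself.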
