express handlebars.js private secure-coding

How can I access secure files with express?

nodeapp
   -public
            -CSS
                       -style.css
   -pictures
            -secretImage.png
   -views
            -index.hbs
            -login.hbs
            -profile.hbs
   -server.js

const staticFiles = path.join(__dirname, './public')
app.use(express.static(staticFiles))
app.set('view engine', 'hbs')

I'm keeping my css in the public directory accessed in html like this: href="/css/style.css" which is fine, but I need to store some pictures that should only be available to users that are logged in. If my pictures are in the pictures folder, how can I access them?

Solution

You can use the sendFile method...

app.get('/picture/:pictureName', (req, res) => {
     const valid = /* Do your logic to grant access */

     if (valid === false) {
         return res.status(403).send('Not allowed')
     }

     res.sendFile('your file path')
})

What is the right way to reload express middleware?
Swagger 3.0 - cannot add parameters to query parameter
is there a proper way to handle status for error validation?
How to verify the size of an Image returned through a GET request from OpenLibrary API on Node.js Axios and Express
Check DKIM Signature From Domain
How to use kubernetes secrets in nodejs application?
NestJS : Interceptor both map and catchError
Send a set-cookie header to a redirect url in node.js
Error: RangeError [ERR_BUFFER_OUT_OF_BOUNDS] when Fetching Document from Firestore
passport-oauth2 client how to use profile data received
Express Error middleware doesn't catching errors
Node.js (with express & bodyParser): unable to obtain form-data from post request
Why is response.data an html string instead of json object? node.js, express.js, react
What is process.env.PORT in Node.js?
Using Webmail with Nodemailer
typescript error - cannot find name 'process'
Insomnia : Error: SSL peer certificate or SSH remote key was not OK
How can I get Express.js to 404 only on missing routes?
ERROR : 0A00018E:SSL routines::ca md too weak [node js]
How can i create a logger middleware in express without any package or library
check if any other users have the same email in express-validator
How do I setup a SSL certificate for an express.js server?
Vercel + Express: Can't hit any endpoint but root
Having problem deploying express server on vercel [404 page not found]
ExpressJS : res.redirect() not working as expected?
How to allow ':' character in Node.js Express routes (Google custom methods)
nodemon + express, listen port =?
AWS SDK file upload to S3 via Node/Express using stream PassThrough - file is always corrupt
Couldn't save data in to mongodb
Why does Zod make all my schema fields optional?