
Syncfusion FileManager secure download


I am creating a WebAssembly app using the Syncfusion FileManager component. I have secured the API for uploading using the FileManager using the [Authorize] attribute in the controller and setting the Authorization header of the HttpClient being used by the FileManager component to the Authorization header of the HttpClient I am using throughout the app.

The download function of the FileManager does not allow for this (according to Syncfusion support).

Finally, my question: How can I secure the download API endpoint? Do I really need to secure it? Wouldn't someone have to know that I am using the FileManager component, how to construct an object to send to the download API endpoint AND know what the filename and directory structure is?


Solution

  • I ended up requiring the user to enter their username and password before downloading. I pass the loginModel to the controller and use signInManager to verify the password (this is no more insecure than handling a login). If the account is good, the content is returned; if not, an "unauthorized" message is displayed.
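
The approach described in the solution, as an added example that is not the poster's or Syncfusion's code: the download action re-checks the submitted credentials with ASP.NET Core Identity and confines the requested path to the storage root, so access does not depend on the file names or request format being hard to guess. `DownloadRequest`, `FilesRoot`, the route and the form-post binding are assumptions.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical request model: credentials plus the file being requested.
public class DownloadRequest
{
    public string UserName { get; set; } = "";
    public string Password { get; set; } = "";
    public string RelativePath { get; set; } = "";   // e.g. "reports/q1.pdf"
}

[ApiController]
[Route("api/files")]
public class SecureDownloadController : ControllerBase
{
    // Assumed storage root; only files underneath it may be served.
    private static readonly string FilesRoot = Path.GetFullPath("/srv/app-files");
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;

    public SecureDownloadController(UserManager<IdentityUser> users,
                                    SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    [HttpPost("download")]
    public async Task<IActionResult> Download([FromForm] DownloadRequest req)
    {
        // Verify the password without issuing a cookie; failures count toward lockout.
        var user = await _users.FindByNameAsync(req.UserName);
        if (user is null) return Unauthorized();
        var check = await _signIn.CheckPasswordSignInAsync(
            user, req.Password, lockoutOnFailure: true);
        if (!check.Succeeded) return Unauthorized();

        // Resolve the path and refuse anything outside FilesRoot ("..", absolute paths).
        var full = Path.GetFullPath(Path.Combine(FilesRoot, req.RelativePath));
        if (!full.StartsWith(FilesRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return NotFound();
        if (!System.IO.File.Exists(full)) return NotFound();

        return PhysicalFile(full, "application/octet-stream", Path.GetFileName(full));
    }
}
```

Because the password travels in the request body, the endpoint should only be reachable over HTTPS; `lockoutOnFailure: true` keeps repeated guesses against this action subject to the same lockout policy as the login page.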