Direct Downloads

This feature is part of release 22.4
Added action=Download in release 24.3
Added action=Consult in release 25.2
Signed URIs were added in release 25.3

Introduction

Using direct downloads, it will be possible to request a direct URL to the original or preview representation of any item.

Contract

A new endpoint without authentication is available as

https://<public host>/representations/<Record Id>?type=<type>

Rights management

When the URL is not signed (see below), then the following rights apply
- The object must be published, formally this means that its MediaHaven Record Status | Record Phase is “Published”
- The object must have a read-right on the public group of the organisation, see https://mediahaven.atlassian.net/wiki/x/MwDF6g
A signed URL is only delivered when the user has read rights on the object

Parameters

Parameter	Description	Values	Default	Since

Parameter	Description	Values	Default	Since
`type`	Determines what content to return for the object	Original, Access, Keyframe	Original	`22.4`
`action`	<default>: Redirect to the content storage download: Download the content instead of a redirect consult: Same as the default, but generates as event `CONSULTATION`	download, consult	-	download (24.3) consult (25.2)
`signature`	When a valid signature is provided, then no further rights management is applied. The expiry parameter specifies how long the signature is valid from the signature date.	base64 encoded	-	`experimental`
`expiry`	In seconds, how long the signed URL will be valid	In seconds	-	`experimental`

Response

When sending a GET request with optional parameters, the gateway service responds with a temporary redirect 302 Found to the appropriate storage URL. We use a temporary redirect because we want the browser to keep using the representation endpoint to count future statistics. When the parameter type is not provided, it is assumed to be Original.

Examples

https://integration.mediahaven.com/representations/ee453c142a22402a8e913c33cde74e9e7ed868dfce2d499fa24bb54830933aee?type=Access
https://integration.mediahaven.com/representations/53a69d4fca334fe2adbe551747e8ed799eb02af6e2944735989ab1d4456a56f9a632b1821dc140638b711f8c3d048862?type=Access&expiry=86400&action=consult&signature=eyJ6aXAiOiJHWklQIiwiYWxnIjoiSFMyNTYifQ.H4sIAAAAAAAA_72Py04DMQxF_yXrjmTHzqsruuQrKidxYJBmWs2kqID4d8LjG1jaOvfY98Pst2yOxpH4VLkVIeKmVmpW5zBw0Kg1pKQZrDSvNjEHcikmyViZnRfnWxJPNmO0WAsyeIo5ILZYqALH6K05mFm6OQ6jZc_EdDAvfR6X37XP5bIO4Lbr9ljHyoIFiIgTIsAELDAlqDxRsELNR5cS_fGrLDoSQ9B17edFVnnS7WF5nqq-DmbTctnqj_UfKva36_c3p1J038es9-tvZecgMH1-AcG3npxuAQAA.3iS1aW-v-XeNVLpT4ylvKWCACrS6tD9uzJ93C3iVVB8

Variants

Download with the original filename instead of redirect `24.3`

An optional parameter action=Download can be provided to download the representation directly. This will start a download with the original filename. (no 302 redirect).

Consultation `25.2`

An optional parameter action=Consultcan be provided to indicate this is a consultation instead of a download and generate as event type CONSULATION instead.

Direct Download via Signed URL `25.3`

The ‘Direct Download via Signed URL’ module enhances the existing direct download functionality by embedding a secure, time-limited signed URL into the record data. This enables clients to share original files directly from storage.

When this module is active:

Fetching records via the rest api (e.g., via GET /records/) will include a signed URL in the field Internal.PathToOriginal.
- Also see Direct Downloads | Configuration below
The signed URL provides temporary access to the original file

An example of what this can look like (Record example abbreviated to just the relevant metadata):

{
  "Internal": {
    "PathToOriginal": "https://mh-devb.mediahaven.com/representations/cf6d0c37708247faa9322ba3403a025f01220cee1ac244da82eb6df8553a88a5e4270ed189aa4bea826c66ef4bb49a18?type=Original&expiry=86400&action=Consult&signature=eyJ6aXAiOiJHWklQIiwiYWxnIjoiSFMyNTYifQ.H4sIAAAAAAAA_72PzU4DMQyE3yXnrmQ7TuLtiSsnnsFJHAii22q7RbSIdyf8SLwB15nRNzPv7nzJbu9KixWKTwmEODXV2RNl9QxegUIDJIJihlqIuaqQ5VibhOBVRIMxJbCKMqtytuHHEqM1zplnRXE713Vze0wcE0YJsnPPWx_NN9t6OS4jcDnbel-H1BoC5qSTtQoTs_lJBOMEM4SQiAmr_uYXPdgf5O7wNFV7zcNcrRzX-o37h2_b9fQ142Htj33Rl6HY2-nnrYCnIB-fxlOoDWkBAAA.2yhoWi40gGFp7LAJqiacDAH5Ma9dIQUeVZZSC_vW9hI"
  }
}

Security features and considerations:

The signed URL expires when the access token of the API user that fetched the record expires.
The signed url will expire after a period, depending on the configuration of the installation. By default this is set to 24 hours.
Users with the function VIEW_BACKEND_SERVICES can disable signing on record request by providing the query parameter applySigning=false on the /mediahaven-rest-api/v2/records endpoint

Statistics

To store the events, we log them as Premis Events on the (flat) data object with types

Event Type	Parameter `type`	Parameter `action`

Event Type	Parameter `type`	Parameter `action`
`DIRECT_DOWNLOAD.ORIGINAL`	Original	Default, Download
`DIRECT_DOWNLOAD.ACCESS`	Access, Keyframe	Default, Download
`CONSULTATION.ORIGINAL`	Original	Consult
`CONSULTATION.ACCESS`	Access, Keyframe	Consult

Configuration

The direct download is done using two Metadata Fields
- PathToOriginal for the original representation
  - This field is available on the following types of records:
    - Structural.RecordStructure = Representation and Administrative.IsOriginal = true
    - Structural.RecordStructure = DataFlat
    - Structural.RecordStructure = Data
- PathToPreview for the access representation
By default, the original is not accessible directly by any means and the response for type=Original will be 403 Forbidden
Upon a service request, the original storage can be made publicly available with the caveat that the knowledge of the RecordId is sufficient to download any original