Discussion on "CKEditor5 Image Upload"

Louis Moreaux · 2022-07-20T10:21:21.457Z

While watching the Oracle APEX Office Hours episode New in APEX 22.1 (Part 3): Ed. Improvements, REST Enabled SQL Queries, and easy App Gallery Installs, I saw something I had missed in the release notes: What? Is it really possible to use CKEditor5...

Discussion on "CKEditor5 Image Upload" | Hashnode

Nicolas Pilot

Aug 5, 2022

Hi Louis, Thank you for this amazing blog. It is very helpful.

ORDS Security

Concerning the ORDS First Party Authentication (Apex-Session), do we need to setup something on ORDS for that to work ?

I've spent a lot of time trying to make it working but for some reason ORDS always return 401 Unauthorized error. (I can see in the POST request of my browser the http header "apex-session" with the correct value but ORDS reject the request ).

I've tried using a ORDS OAUTH2 Token and it works properly.

Image Store

Concerning the image storage, I'm not a big fan of storing blob inside the database.

And I also think that there is a better approach to send the images to the storage location without using ORDS and overloading the database with blob handling.

The idea is to send the image directly from the client browser to Google Cloud Storage (or another cloud storage).

GCS provide JSON API to "Initiate a resumable upload session" which return a secure upload URL. We only need to define a PL/SQL Function to initiate an upload session on GCS using OAUTH2 to return an "upload url" to the client. That way, the GCS oauth token is not visible by the client, which is something we want to avoid to secure the bucket content.

The challenge here is to be able to dynamically set the upload url of the "CKEditor Simple upload adaptor" by executing an AJAX Call to execute that PL/SQL function when the user pick an image... + Another challenge is the successful response that the "CKEditor Simple upload adapter" is waiting for : { "url":"....." } Maybe we would have to define a "Custom upload adapter"

Best Regards

Nicolas

Louis Moreaux

Oracle APEX developer

Aug 9, 2022

Hi Nicolas, Thank you for your comment, it means a lot.

To protect ORDS endpoint, you have to define a privilege and protect your module with this privilege. Have you follow this step? OAuth2 is also a valid approach.

I am also not a big fan of blob storage but it's really easy to make it working quickly. I am working on another post with images stored in an OCI bucket. Stay tuned :-)

Louis Moreaux Thank you Louis, Yes, I've followed all the steps, and it is working fine for OAuth2, but for some reasons, the ORDS does not authorize my requests with the "Apex-Session" header. Maybe a cookie issue...

oracle.com/application-development/technologies/r…

Good news for your next post. Would be nice if the images could be sent directly from the client to OCI bucket without going through the database... this would save CPU & Bandwidth...

Another challenge is to be able to automatically compress and resize the images on the client side before uploading to OCI... ;-)

Stefan Dobre

Jul 20, 2022

Thanks Louis again for the blog post! Great job!

If I may add just 2 suggestions:

apex.jQuery("#pFlowId").val() can be written as apex.env.APP_ID and apex.jQuery("#pInstance").val() as apex.env.APP_SESSION
There is no need to pollute the "Execute when Page Loads" attribute. That bit can more elegantly be done directly in the item's JS Init Code:
```
function(options){
  options.executeOnInitialization = editor => {
      editor.conversion.for...
  }
  return options;
}
```

And a couple more things that you may still have to think about:

The content probably won't only be viewed from within the editor. Chances are you'll wish to just render the HTML in a static or dynamic content region somewhere. How would you go about appending that session token then?
You will most likely encounter the concept of "posts" as you won't only be editing the same content each time. In that case, how will you link a post to its images? That is, if a post is deleted, how will you also delete its images?
Similarly, say a user uploads an image, but never actually submits the page. What happens to these "unsaved" images?

I still don't have an elegant solution for these problems, but they're worth thinking about.

- Stefan

This is a great post, thank you!

One thing you try to improve security is to have the POST Handler in an ORDS module secured using OAuth2. Use apex_web_service.oauth_authenticate to get a token and then include the following in the CKEditor initialization to pass the bearer token:

      withCredentials: true,
      headers: {Authorization: 'Bearer &P10_OAUTH_TOKEN.'}

Having the POST handler secured by OAuth2 also allows other services to use it, not just APEX.

Keep the GET image handler in an unsecured ORDS Handler. Generate a random token when you add the image to the table. Append the token as a query string parameter to the URL returned in the POST response e.g.

{
    "url": "example.com/ords/get_ck_image/file/10
}

This way, images included in the HTML will show in a classic report, etc. <img src="example.com/ords/get_ck_image/file/13

In the GET handler, include the token in the where clause:

select content_type, image
from ckeditor_images 
where id = :id
and image_token = :image_token

This isn't completely secure because someone could inspect the HTML and share the link. It does prevent people from trying to guess other image tokens though.

Discussion

CKEditor5 Image Upload

Responses(4)

ORDS Security

Image Store

Recent in Forum

Search Hashnode

CKEditor5 Image Upload

Responses(4)

ORDS Security

Image Store

Recent in Forum