So, I'm writing a web application in node.js where users can upload photos, and they can specify some access control settings on every photo (public, private, friends only).
I then check the users' session key on every request to ensure that they have access. If they do, I send them the file by opening it using fs and piping it to the response object.
However, when I benchmark this with apachebench, I get around 1500 requests per second. If I remove all the database stuff, it doesn't get much faster. By comparison, Nginx serves 17000 requests per second on the same photo.
Obviously this order-of-magnitude difference is going to be a huge cost problem if my service takes off.
Is there a better way to control access while preserving static-like performance, apart from making them all public?
Edit: realistically, the file is going to be hosted on S3, not in the filesystem. So node will be acting less as a static fileserver and more as an http proxy, which I suspect it will be much better at.
Use an S3 signed URL. A signed URL is a temporary URL for private files that you can send to a single user that references an S3 object.
You can also put an expiration time on a signed URL so it doesn't stick around forever.
So the flow would look like this:
Here's a related blog post: Amazon S3 Signed URLs with NodeJS.