John

Reputation: 2922

Is it possible to make a Google Drive file accessible to an API key, but not to anonymous users?

We have a company website that is to host training videos. The website is available to anyone on the internet (users can log in from home), but requires a username/password to log in to it to see the videos. The videos contain private company information, and while we want employees to log in to the website to watch the videos, we do NOT want them to download the videos and distribute them.

While we host the actual web server on our in-house servers, the HD videos take a lot of bandwidth, and we would prefer to store them on Google Drive, and simply have the HTML5 player from the website link to those videos, so the actual data is coming from Google.

The HTML5 player on our website requires a direct link to the raw video files on Google Drive. Using the actual Google Drive options, if we use the "shareable link", it links to a Google page - not the raw data file. We found that we can link to the raw data file by creating a Google API key, and using a link in this form:

https://www.googleapis.com/drive/v3/files/FILE_ID?key=API_KEY&alt=media

Where FILE_ID is the file's ID from Google Drive, and API_KEY is our API key.

This works great, as long as the file permissions in Google Drive on those videos are set to allow anyone with a link to view the file.

The problem we have is that if an authenticated user (an employee) on our website opens the JavaScript source code, or the browser's network tab (web developer browser tools), they can see this exact URL, download the video, and distribute it, letting others watch it without going through our website.

The API key itself can be locked down in such a way as to only be usable if the request comes with a particular domain name set in the referer field, which means that URL can't be directly used by users anymore (not without users being smart enough to fake a request with a referrer field). This works great, and we'd be happy with that, except that a sufficiently smart person can quickly find the link their browser downloads the video from on Google Drive, copy the ID of the file, remove the API key portion, and download it as an anonymous user, since access is granted to anyone with a link.

My question is this: is there any way to have Google lock down the file so that it is accessible using an API key, but NOT accessible to anonymous users?

The ultimate goal is for us to upload our videos to Google Drive, have a URL (which may or may not contain keys as parameters) that will let us access the raw video files directly, which we can use in an HTML5 <video> tag as a source, but if a user of our website goes digging through our source code with their browser and finds this URL, they won't be able to access the video directly from Google.

Upvotes: 0

Views: 630

Answers (2)

pinoyyid

Reputation: 22296

The API KEY is of no help. It's there to implement application quotas, not to provide security. My suggestion would be to use https://developers.google.com/drive/api/v3/reference/files/copy to make a short-lived duplicate on demand. Having said that, alexwennerberg is correct.

Upvotes: 1
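
A sketch of the short-lived duplicate idea from the answer above, added here as an example and not code from the answer or from Google. It assumes `drive` is an authorized Drive v3 client from google-api-python-client (OAuth or service account, since an API key alone cannot call files.copy), that the master file is kept private, and that the web application tracks issued copies in a dict; the function names and the `tmp-` naming scheme are hypothetical. The copy's URL remains downloadable by anyone who sees it until it is reaped.

```python
import time

# URL form taken from the question; only the file id changes per copy.
MEDIA_URL = "https://www.googleapis.com/drive/v3/files/{file_id}?key={api_key}&alt=media"


def issue_temp_copy(drive, master_id, api_key, ttl_seconds, now=None):
    """Copy the private master and share only the copy by link.

    Returns (url, copy_id, expires_at). The master's own permissions are
    never touched, so its id is useless to an anonymous user.
    """
    now = time.time() if now is None else now
    expires_at = now + ttl_seconds
    copy = drive.files().copy(
        fileId=master_id,
        body={"name": f"tmp-{master_id}-{int(expires_at)}"},
        fields="id",
    ).execute()
    # Grant "anyone with the link can view" on the copy only.
    drive.permissions().create(
        fileId=copy["id"], body={"type": "anyone", "role": "reader"}
    ).execute()
    url = MEDIA_URL.format(file_id=copy["id"], api_key=api_key)
    return url, copy["id"], expires_at


def reap_expired(drive, issued, now=None):
    """Delete copies whose TTL has passed and return the ids deleted.

    `issued` maps copy_id -> expires_at and is maintained by the web app
    (assumption: a dict here, a database table in practice).
    """
    now = time.time() if now is None else now
    deleted = []
    for copy_id, expires_at in list(issued.items()):
        if expires_at <= now:
            drive.files().delete(fileId=copy_id).execute()
            del issued[copy_id]
            deleted.append(copy_id)
    return deleted
```

Run `reap_expired` from a scheduled job so that a leaked URL stops working once the TTL passes, even if the viewer never closes the page.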

alexwennerberg

Reputation: 121

As long as the video is being rendered in a browser, there is no practical way to prevent users from downloading it. You can use obfuscation methods to potentially make this more difficult, but it would take a lot of effort, and a dedicated and knowledgeable user would still be able to evade them -- hence why things like YouTube downloaders and Netflix downloaders exist. See this answer: https://video.stackexchange.com/questions/17174/how-to-prevent-users-from-downloading-videos

Upvotes: 3
