rust 44 lines · 8 steps

Streaming file downloads in Axum

An Axum handler that safely serves a file from disk as a streamed HTTP response with proper headers.

Explained by highlit

Axum Intermediate streaming file-serving path-traversal error-handling http-headers

1use axum::{
2    body::Body,
3    extract::Path,
4    http::{header, StatusCode},
5    response::{IntoResponse, Response},
6};
7use tokio::fs::File;
8use tokio_util::io::ReaderStream;
9 
10pub async fn download(Path(filename): Path<String>) -> Result<Response, StatusCode> {
11    if filename.contains('/') || filename.contains("..") {
12        return Err(StatusCode::BAD_REQUEST);
13    }
14 
15    let path = std::path::Path::new("./storage").join(&filename);
16 
17    let file = File::open(&path).await.map_err(|err| match err.kind() {
18        std::io::ErrorKind::NotFound => StatusCode::NOT_FOUND,
19        _ => StatusCode::INTERNAL_SERVER_ERROR,
20    })?;
21 
22    let content_length = file
23        .metadata()
24        .await
25        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
26        .len();
27 
28    let stream = ReaderStream::new(file);
29    let body = Body::from_stream(stream);
30 
31    let content_type = mime_guess::from_path(&path)
32        .first_or_octet_stream()
33        .to_string();
34 
35    let disposition = format!("attachment; filename=\"{filename}\"");
36 
37    Ok(Response::builder()
38        .header(header::CONTENT_TYPE, content_type)
39        .header(header::CONTENT_LENGTH, content_length)
40        .header(header::CONTENT_DISPOSITION, disposition)
41        .body(body)
42        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
43        .into_response())
44}

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1Validate user-supplied filenames before touching the filesystem to block path-traversal attacks.
2Streaming a file with ReaderStream avoids loading the whole thing into memory.
3Mapping each error kind to a status code gives clients meaningful failure responses.

Related explainers

rust

use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use std::thread;

Aggregating metrics across threads in Rust

concurrency shared-state mutex

Intermediate 7 steps

package main
 
import (
	"errors"

Parsing and validating CLI flags in Go

cli-parsing validation error-handling

Intermediate 8 steps

java

public class ThumbnailProcessor {
 
    private static final int MAX_CONCURRENCY = 4;

Bounded parallel thumbnail rendering in Java

concurrency thread-pool futures

Intermediate 7 steps

rust

use std::sync::{mpsc, Arc, Mutex};
use std::thread;
use std::time::Duration;

Building a thread pool in Rust

concurrency channels thread-pool

Advanced 9 steps

python

import csv
import io
from datetime import datetime

Streaming a CSV export in Flask

streaming generators csv

Intermediate 9 steps

rust

use std::time::Instant;
use tracing::info;
 
pub struct Timer {

A scope-guard timer with Drop in Rust

raii drop-guard timing

Intermediate 7 steps

Share this explainer

Here's the card — post it anywhere.

Streaming file downloads in Axum — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code

Streaming file downloads in Axum

Walkthrough

Related explainers

Aggregating metrics across threads in Rust

Parsing and validating CLI flags in Go

Bounded parallel thumbnail rendering in Java

Building a thread pool in Rust

Streaming a CSV export in Flask

A scope-guard timer with Drop in Rust

Share this explainer

Embed this explainer