I have a web server that provides access to public and private images. Anyone can get a public image via the url such as
https://example.com/public/images/some-public-image.jpg. But for private images, only the owner of the image can access them via the link
https://example.com/private/images/some-private-image.jpg; the request needs to have the session id of the authenticated user in the cookies.
To add a public image in an email content, I use
<img src="https://example.com/public/images/some-public-image.jpg" /> in the email HTML content. But I cannot use the private link such as
<img src="https://example.com/private/images/some-private-image.jpg" /> because it needs authentication.
What is the common practice to add a private image to the email content?
Is it okay to embed a JWT token in the link like this
<img src="https://example.com/private/images/some-private-image.jpg?token=AdflkndidgX..." />
The server then checks the token validity before returning the image.
Does this approach have a security problem?
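As an added illustration (not from the question above), here is one way the server could mint and verify a token for such a link. The token is an HMAC bound to the exact image path plus an expiry, so it only grants that one image for a limited time rather than carrying the user's session; `SECRET_KEY`, the function names and the timestamps are constructed for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret; a real server loads this from configuration, not source.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _signature(path: str, exp: int) -> bytes:
    # The MAC covers the exact image path and the expiry, so the token is
    # useless for any other private image and stops working at the expiry time.
    msg = f"{path}\n{exp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def make_image_link(base: str, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build base + path + ?exp=...&sig=... for embedding in an email."""
    exp = (now if now is not None else int(time.time())) + ttl_seconds
    return f"{base}{path}?{urlencode({'exp': exp, 'sig': _b64url(_signature(path, exp))})}"


def verify_image_link(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: accept only an unexpired signature over this exact path."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        exp = int(qs["exp"][0])
        sig = _b64url_decode(qs["sig"][0])
    except (KeyError, ValueError):  # missing or malformed parameters
        return False
    current = now if now is not None else int(time.time())
    if current >= exp:
        return False
    # compare_digest avoids leaking the MAC through comparison timing.
    return hmac.compare_digest(sig, _signature(parts.path, exp))
```

Revoking access early (e.g. when the image owner changes) still needs a server-side check at fetch time, since a signature alone cannot be withdrawn before it expires.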