Let's perform the following steps to add authentication requirements to view our uploaded Cloudinary images:

1. First, we will update our upload functions in /middleware/cloudinary.js to default the authentication type of our uploaded images to the authenticated type. This will guarantee that they will be inaccessible without a signed URL to access them:

...
upload: function(image, options) {
  if (!options) options = {};
  options.type = "authenticated";
  ...
},
...
uploadBuffer: function(buffer, options) {
  if (!options) options = {};
  options.type = "authenticated";
  options.discard_original_filename = true;
  ...
},
...

2. We'll also add a new method for getting all our image resource information from Cloudinary using the cloudinary.v2.api.resources API. This API will return a list of images that we have stored in Cloudinary, including the URLs to access them. Using this API, we will be able to get the public_id property needed to fetch a specific image resource from Cloudinary:

...
getImages: function(options) {
  return function(req, res, next) {
    cloudinary.v2.api.resources(options, function(error, result) {
      if (error) {
        return res.status(error.http_code).json(new JSONAPIError({
          status: error.http_code,
          title: 'Cloudinary Error',
          detail: error.message
        }));
      } else {
        req.cloudinary = result.resources;
        next();
      }
    })
  };
},
...

3. We can now add two other methods for working with images. The first getSignedImageById will look for an Express request parameter ID and pass that to our next method getSignedImage, which will actually generate a signed request URL to Cloudinary for the image:

...
getSignedImage: function(name, options) {
  if (!options) options = {};
  options.sign_url = true;
  options.type = "authenticated";
  return function(req, res, next) {
    var image = cloudinary.url(name, options);
    req.cloudinary = image;
    next();
  }
},

getSignedImageById: function(req, res, next) {
  if (req.params && req.params.id) {
    let name = req.params.id;
    return self.getSignedImage(name)(req, res, next);
  } else {
    return res.status(500).json(new JSONAPIError({
      status: 500,
      title: 'Invalid Image Request',
      detail: 'There is no Cloudinary public_id provided.'
    }));
  }
}
...

4. We can now update our /routes/api/images.js route configuration to add a fetch route for all images, as well as a nested route to return a specific image by its public_id. We will make the cloudinary.getImages route return our resources in the JSON API format. We will also make the specific image request actually perform a redirect to the returned Cloudinary signed URL:

...
var serializer = new JSONAPISerializer('images', {
  id: 'public_id',
  attributes: ['url', 'secure_url', 'originalname', 'bytes', 'created_at', 'width', 'height', 'type']
});
...
router.get('/', cloudinary.getImages({type: "authenticated"}), function(req, res) {
  res.json(serializer.serialize((req.cloudinary)));
});

router.get('/:id', cloudinary.getSignedImageById, function(req, res) {
  res.redirect(req.cloudinary);
});

module.exports = router;

5. Now, if we restart our Express web server and navigate to localhost:3000/api/images, we will see a list of images we have uploaded to Cloudinary. If we copy the id property out from one of those entries and make a request to localhost:3000/api/images/:id, we will see that an image from Cloudinary is returned to us if we are authenticated as an admin for our backend. If we are not authenticated, we will get an error from our Express web server instead.