I need your help. I'm currently trying to develop a secure file download in PHP and WordPress. I've already done the upload and deletion part but now I need to handle the download - somehow.
The file gets saved inside a `deny from all` folder in the `wp-uploads` directory.
Currently I have a table with an entry for each file and one download button at the top. When I now select some rows and click the download button, I'm doing an AJAX request to my backend:
```javascript
$("#storage-download-btn").click(function () {
    let data = {
        action: "download_from_storage",
        selected_storage_files: getSelectedStorageFiles()
    };
    // jQuery 3 removed .success(); .done() is the supported equivalent.
    $.post(ajax_url, data, function () {})
        .done(function () {})
        .fail(function (response) {});
});
```
During this request I've planned to do some checks:
- Does the file (or files) exist?
- Is the request valid?
- Is the encrypted filename saved in the DB?
If everything is true, I need to download the file somehow. I saw a plugin using `query_vars` by sending a result link to the browser which gets loaded and this downloads the file. Is this a good idea? Or is there something better?
I've tried setting query vars but I'm not sure if this is secure enough and good because I only want to allow file download via my AJAX request and the checks there.
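One way to implement the three checks server-side, as an added example that is not part of the original question: a nonce-protected `admin-ajax.php` GET endpoint that the download button can open per file, so the file is only served after the checks pass. Assumed names: a `{prefix}storage_files` table with `id`, `stored_name`, `original_name` and `owner_id` columns, and a `protected-storage` folder under the uploads directory (the one behind `deny from all`).

```php
<?php
// Added example (not the asker's code). The wp_ajax_ prefix (without nopriv)
// means WordPress only runs this handler for logged-in users.
add_action( 'wp_ajax_download_from_storage', 'storage_download_handler' );

function storage_download_handler() {
    // 1. Is the request valid? The nonce ties the link to the current session.
    check_ajax_referer( 'storage_download', 'nonce' );

    $file_id = isset( $_GET['file_id'] ) ? absint( $_GET['file_id'] ) : 0;
    if ( 0 === $file_id ) {
        wp_die( 'Bad request', '', array( 'response' => 400 ) );
    }

    // 2. Is the stored filename in the DB, and does it belong to this user?
    //    Never take a path from the client; look it up by id.
    global $wpdb;
    $table = $wpdb->prefix . 'storage_files'; // assumed table name
    $row   = $wpdb->get_row( $wpdb->prepare(
        "SELECT stored_name, original_name, owner_id FROM {$table} WHERE id = %d",
        $file_id
    ) );
    if ( ! $row || (int) $row->owner_id !== get_current_user_id() ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // 3. Does the file exist, and does it really resolve inside the protected folder?
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/protected-storage' ); // assumed folder
    $path   = realpath( $base . '/' . basename( $row->stored_name ) );
    if ( false === $base || false === $path || ! is_file( $path )
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // Stream it under a server-chosen name; nosniff stops the browser guessing a type.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( $row->original_name ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Builds the link the download button can open for one file id.
function storage_download_url( $file_id ) {
    return add_query_arg( array(
        'action'  => 'download_from_storage',
        'file_id' => (int) $file_id,
        'nonce'   => wp_create_nonce( 'storage_download' ),
    ), admin_url( 'admin-ajax.php' ) );
}
```

The nonce expires with the session, so a copied link stops working once the user logs out, and every other request path to the folder is still refused by the `deny from all` rule.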