javascript - Amazon S3 direct file upload from client browser - private key disclosure


I'm implementing a direct file upload from the client machine to Amazon S3 via the REST API using JavaScript, without server-side code. It works fine, but one thing is worrying me...

When I send a request to the Amazon S3 REST API, I need to sign the request and put the signature in the authentication header. To create the signature, I must use my secret key. But all of this happens on the client side, so the secret key can be revealed from the page source (even if I obfuscate/encrypt my sources).

How can I handle this? And is it a problem at all? Maybe I can limit a specific private key's usage to REST API calls from a specific CORS origin and to PUT and POST methods, or maybe link the key to S3 and a specific bucket? Maybe there are other authentication methods?

A "serverless" solution is ideal, but I can consider involving server-side processing, excluding uploading the file to my server and then sending it to S3.

I think what you want is browser-based uploads using POST.

Basically, you do need server-side code, but it only generates signed policies. Once the client-side code has the signed policy, it can upload using POST directly to S3 without the data going through your server.

Here are the official doc links:

Diagram: http://docs.aws.amazon.com/amazons3/latest/dev/usinghttppost.html

Example code: http://docs.aws.amazon.com/amazons3/latest/dev/httppostexamples.html

The signed policy would go in your HTML in a form like this:

<html>
  <head>
    ...
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ...
  </head>
  <body>
  ...
  <form action="http://johnsmith.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="user/eric/" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="http://johnsmith.s3.amazonaws.com/successful_upload.html" />
    Content-Type: <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="x-amz-meta-uuid" value="14365123651274" />
    Tags for file: <input type="input" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="AKIAIOSFODNN7EXAMPLE" />
    <input type="hidden" name="policy" value="POLICY" />
    <input type="hidden" name="signature" value="SIGNATURE" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
  ...
  </body>
</html>

Notice the form action is sending the file directly to S3 - not via your server.

Every time one of your users wants to upload a file, you would create the policy and signature on your server. You return the page to the user's browser. The user can then upload the file directly to S3 without going through your server.

When you sign the policy, you typically make the policy expire after a few minutes. This forces your users to talk to your server before uploading. This lets you monitor and limit uploads if you desire.

The data going to or from your server is the signed URLs. Your secret keys stay secret on the server.
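
The server-side step described in the answer above, as an added example that is not part of the original post or of AWS's code: Node.js code that signs a policy expiring after a few minutes for the legacy form fields shown (`AWSAccessKeyId`, `policy`, `signature`, with HMAC-SHA1 over the base64 policy), plus a local model of the check the receiving side performs. The function names, bucket, key prefix, size limit and secret are assumptions constructed for illustration; current S3 POST uploads use Signature Version 4 fields instead.

```javascript
const crypto = require('crypto');

// Runs on the server only. Returns the three hidden form fields;
// the secret key is used for the HMAC and is never part of the output.
function signPostPolicy({ accessKeyId, secretKey, bucket, keyPrefix,
                          maxBytes, ttlSeconds, now = new Date() }) {
  const policy = {
    // Short lifetime: the browser must come back to the server for each upload.
    expiration: new Date(now.getTime() + ttlSeconds * 1000).toISOString(),
    conditions: [
      { bucket },                                  // only this bucket
      ['starts-with', '$key', keyPrefix],          // only under this user's prefix
      { acl: 'private' },                          // client cannot choose a wider ACL
      ['starts-with', '$Content-Type', 'image/'],  // restrict declared type
      ['content-length-range', 1, maxBytes],       // cap upload size
    ],
  };
  const policyB64 = Buffer.from(JSON.stringify(policy), 'utf8').toString('base64');
  const signature = crypto.createHmac('sha1', secretKey)
    .update(policyB64).digest('base64');
  return { AWSAccessKeyId: accessKeyId, policy: policyB64, signature };
}

// Local model (hypothetical helper) of what the receiver checks: the signature
// must match the exact policy bytes, and the policy must not have expired.
function verifyPostPolicy(fields, secretKey, now = new Date()) {
  const expected = crypto.createHmac('sha1', secretKey).update(fields.policy).digest();
  const given = Buffer.from(fields.signature, 'base64');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return false; // policy was altered, or signed with a different key
  }
  const { expiration } = JSON.parse(Buffer.from(fields.policy, 'base64').toString('utf8'));
  return new Date(expiration) > now;
}

// Constructed sample values, not real credentials.
const sample = signPostPolicy({
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE', secretKey: 'constructed-secret-not-real',
  bucket: 'example-bucket', keyPrefix: 'user/eric/', maxBytes: 5 * 1024 * 1024,
  ttlSeconds: 300,
});
console.log(Object.keys(sample)); // the only values sent to the browser
```

Every other field the form submits (`key`, `acl`, `Content-Type`) has to satisfy a condition in the signed policy, so a user who edits the form cannot widen what the signature allows.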

