This multi-cloud storage abstraction is implemented as a Java-based multi-cloud storage API and supports GoogleDrive, DropBox, Microsoft Azure and Amazon Web Services as sample service providers.
![]()
Field: Amazon S3 File UploadThis extension functions as a basic replacement for file uploads, allowing hosting on Amazon S3 (it requires an ). Uploaded files are world readable. It is not considered feature-complete; there is much additional functionality that could be added.
If you have input, please contact us at the. Installation. Upload /s3uploadfield to your Symphony /extensions folder. Enable it by selecting the 'Field: Amazon S3 Upload', choose Enable from the with-selected menu, then click Apply. Under Preferences, add your S3 Access Key ID and Secret Access Key.
You can now add the 'Amazon S3 File Upload' field to your sections. Select the bucket you wish to store files in from the dropdown.OriginThis extension is a variation of the 'Unique File Upload Field' extension by Michael Eichelsdoerfer and the Akismet extension (for System Preferences) by Alistair Kerney. It uses the written by Donovan Schonknecht. This extension was started by Brian Zerangue, taken over by Andrew Shooner, and some slight modifications to get it working with Symphony 2.2 were made by Scott Tesoriere.
![]()
I'm implementing a direct file upload from client machine to Amazon S3 via REST API using only JavaScript, without any server-side code. All works fine but one thing is worrying me.When I send a request to Amazon S3 REST API, I need to sign the request and put a signature into Authentication header.
To create a signature, I must use my secret key. But all things happens on a client side, so, the secret key can be easily revealed from page source (even if I obfuscate/encrypt my sources).How can I handle this? And is it a problem at all? Maybe I can limit specific private key usage only to REST API calls from a specific CORS Origin and to only PUT and POST methods or maybe link key to only S3 and specific bucket? May be there are another authentication methods?'
Serverless' solution is ideal, but I can consider involving some serverside processing, excluding uploading a file to my server and then send in to S3. I think what you want is Browser-Based Uploads Using POST.Basically, you do need server-side code, but all it does is generate signed policies.
Once the client-side code has the signed policy, it can upload using POST directly to S3 without the data going through your server.Here's the official doc links:Diagram:Example code:The signed policy would go in your html in a form like this.Key to upload: Content-Type: Tags for File: File:
This forces your users to talk to your server before uploading. This lets you monitor and limit uploads if you desire.The only data going to or from your server is the signed URLs. Your secret keys stay secret on the server. You're saying you want a 'serverless' solution. But that means you have no ability to put any of 'your' code in the loop. (NOTE: Once you give your code to a client, it's 'their' code now.) Locking down CORS is not going to help: People can easily write a non-web-based tool (or a web-based proxy) that adds the correct CORS header to abuse your system.The big problem is that you can't differentiate between the different users.
You can't allow one user to list/access his files, but prevent others from doing so. If you detect abuse, there is nothing you can do about it except change the key. (Which the attacker can presumably just get again.)Your best bet is to create an 'IAM user' with a key for your javascript client. Only give it write access to just one bucket. (but ideally, do not enable the ListBucket operation, that will make it more attractive to attackers.)If you had a server (even a simple micro instance at $20/month), you could sign the keys on your server while monitoring/preventing abuse in realtime.
Without a server, the best you can do is periodically monitor for abuse after-the-fact. Here's what I would do:1) periodically rotate the keys for that IAM user: Every night, generate a new key for that IAM user, and replace the oldest key. Since there are 2 keys, each key will be valid for 2 days.2) enable S3 logging, and download the logs every hour. Set alerts on 'too many uploads' and 'too many downloads'. You will want to check both total file size and number of files uploaded. And you will want to monitor both the global totals, and also the per-IP address totals (with a lower threshold).These checks can be done 'serverless' because you can run them on your desktop. S3 does all the work, these processes just there to alert you to abuse of your S3 bucket so you don't get a giant AWS bill at the end of the month.).
Adding more info to the accepted answer, you can refer to my blog to see a running version of the code, using AWS Signature version 4.Will summarize here:As soon as the user selects a file to be uploaded, do the followings:1. Make a call to the web server to initiate a service to generate required params.In this service, make a call to AWS IAM service to get temporary cred.Once you have the cred, create a bucket policy (base 64 encoded string). Then sign the bucket policy with the temporary secret access key to generate final signature.send the necessary parameters back to the UI.Once this is received, create a html form object, set the required params and POST it.For detailed info, please refer. To create a signature, I must use my secret key. But all thingshappens on a client side, so, the secret key can be easily revealedfrom page source (even if I obfuscate/encrypt my sources).This is where you have misunderstood. The very reason digital signatures are used is so that you can verify something as correct without revealing your secret key.
In this case the digital signature is used to prevent the user from modifying the policy you set for the form post.Digital signatures such as the one here are used for security all around the web. If someone (NSA?) really were able to break them, they would have much bigger targets than your S3 bucket:).
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2023
Categories |