AWS serverless and javascript - is it secure? - javascript

So I am digging into the 'serverless' architecture and after going over a tutorial about angular as front-end and nodejs lambdas available by an API I am not sure if it is secure at all. The angular website that I did makes calls to AWS api which is linked to lambda function. Because it is angular and it is visible to the client's browser, important secret keys such as - AWSCognito.config.update({accessKeyId: 'something', secretAccessKey: 'something'}); can be seen.
When creating those keys, AWS lets you see them once and then hides the secretAccessKey so I guess it is not quite reasonable to leave it in a js file? I am still learning the fundamentals of AWS so let me know what you think and what is the best solution, thanks!

Because it is javascript and it is all visible to the client
That isn't true.
JavaScript is a programming language.
JavaScript you send to the browser to run on the browser is visible to the owner of the browser. You seem to be conflating this with "All JavaScript".
JavaScript you send to AWS to run on AWS is not visible to the owner of the browser.
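The distinction above (browser-delivered JavaScript is readable by its user; server-side JavaScript is not) is what makes the accessKeyId/secretAccessKey pair in the question a problem. The following is an added example, not code from the question or the answer: a pre-deploy check that scans a built front-end bundle for such literals, with a leaky bundle beside the usual safe form. The bundle contents and key values are constructed placeholders, and the safe form assumes a Cognito identity pool id, which is a public identifier rather than a secret.

```javascript
// Added example, not from the question or answer above: a pre-deploy check
// that scans a built front-end bundle for the long-lived accessKeyId /
// secretAccessKey pair the question shows. Anything shipped to the browser is
// readable by its user, so a build containing such a literal should fail.

// Long-lived IAM user key IDs start with AKIA, temporary STS ones with ASIA;
// both are 20 characters. Secret keys are 40 characters of [A-Za-z0-9/+].
const ACCESS_KEY_ID = /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g;
// Non-global on purpose: a global regex used with .test() keeps lastIndex state.
const SECRET_KEY_ASSIGNMENT = /secretAccessKey\s*[:=]\s*['"`][A-Za-z0-9/+]{40}['"`]/;

// Returns one finding per hit with its 1-based line number. The secret value
// itself is never copied into the report.
function findCredentialLeaks(bundleText) {
  const findings = [];
  bundleText.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(ACCESS_KEY_ID)) {
      findings.push({ line: i + 1, kind: 'accessKeyId', value: m[0] });
    }
    if (SECRET_KEY_ASSIGNMENT.test(line)) {
      findings.push({ line: i + 1, kind: 'secretAccessKey', value: '[redacted]' });
    }
  });
  return findings;
}

function bundleIsClean(bundleText) {
  return findCredentialLeaks(bundleText).length === 0;
}

// Constructed sample bundles; the key values are synthetic placeholders.
const LEAKY_BUNDLE = [
  'AWSCognito.config.update({',
  "  accessKeyId: 'AKIAEXAMPLEEXAMPLE12',",
  "  secretAccessKey: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN'",
  '});',
].join('\n');

// The usual replacement: the browser carries only a Cognito identity pool id,
// a public identifier that is exchanged for short-lived, scoped credentials.
const SAFE_BUNDLE = [
  "AWS.config.region = 'us-east-1';",
  'AWS.config.credentials = new AWS.CognitoIdentityCredentials({',
  "  IdentityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000',",
  '});',
].join('\n');

console.log(findCredentialLeaks(LEAKY_BUNDLE)); // two findings, on lines 2 and 3
console.log(bundleIsClean(SAFE_BUNDLE));        // true
```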

Related

Using Active Directory (with LDAP) to authenticate on an angularjs/javascript frontend - what should the flow of the process be?

I'm working on a project in which we need to authenticate the user in an application by using his/her Windows credentials. Frontend is using Angularjs and backend java.
After doing a sensible amount of research, I discovered that there is no way on the frontend to obtain directly the Windows user & pass due to security concerns.
But I'm thinking that the whole process should start here, from the frontend, by obtaining these two encrypted credentials or at least a token and sending them to the backend in order to kickstart the ntlm authentication process.
And also, not sure if the user should have to log in the app by typing his windows credentials or if it should automatically be done with ntlm passthrough.
I do not have a good grip on the concept, and that is because most of the related sources that I found are referring to backend solutions (C# 80% of them), but almost nothing for frontend. So, I humbly require some clarifications on this topic. Is there some sort of middleware or npm package that I should use in order to obtain the user & pass, or what would you advise?
Web servers expose certain server variables to code handling requests they serve.
For me, using IIS, these are described here: https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602%28v%3dvs.90%29
Since I am using IISNode, my node.js environment is completely embedded into IIS, and I have access to these server variables. As the link describes, each programming language seems to have its own way to access these variables.
So I would doubt it if Java does not have those as well. The exact code to use will depend on your back end.
But a quick search for "java server variables" already yields me the following:
https://docs.oracle.com/cd/E19534-01/820-3288/gawim/index.html for the java access manager.
http://users.polytech.unice.fr/~buffa/cours/internet/POLYS/servlets/Servlet-Tutorial-CGI-Variables.html for old school JSP.
How can I obtain server variables using apache wicket 1.54? for java wicket server.
So have a look at the documentation of your specific web server software or Java API.
There should be a list and example code of how to access these.
Once you obtain this data server side, you can do the LDAP query and then return the results client side.

Alexa Smarthome-Skill without AWS

I'm a little confused atm.
Is it possible to build an Alexa Smarthome Skill without hosting it on AWS?
For my last custom skill I used Alexa-App but this doesn't support the Smarthome-API from Amazon, as far as I know. Also I did not find any library that does support the Smarthome-API.
Maybe you can help me find a lib, so I can host my Smart home-Skill on my own Server.
Pref language: JavaScript and Ruby
Is it possible to build an Alexa Smarthome Skill without hosting it on AWS?
No, it is not -- not entirely, anyway.
Alexa supports hosting custom skills entirely externally. They call this "hosting a skill as a web service" -- that is, a web-accessible endpoint that Alexa can send requests to. However:
Web services can only be used for custom skills.
https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html
Smart Home Skills must be run in Lambda. Of course, the Lambda function for a Smart Home Skill can make its own external requests to the "device cloud" -- whatever that means to you, and which may involve servers of your own -- but this is done using either HTTPS requests or requests using any other custom protocol you might use, either way, from inside the Lambda function that Alexa invokes.
Your skill code, which is hosted as a Lambda function receives and parses the directive, validating the authentication information. Your skill communicates with your systems, or device cloud, using communication channels you've defined to turn on the customer’s kitchen light. (emphasis added)
https://developer.amazon.com/docs/smarthome/understand-the-smart-home-skill-api.html

Can I Use Tumblr.js Without Node.js?

Reading the official documentation for Tumblr.js, it seems to require Node.js. I'd like to trigger a dialog box and let my app access the user blog. Can I make calls with vanilla JavaScript? I'd appreciate your help. I've been looking around the web and there is little information. Thanks.
HTML
<button onclick="loginTumblr();"> Connect Tumblr </button>
JS
function loginTumblr(){
//get user info + token
}
The answer is "probably," but it certainly won't be secure. Accessing an API from the client side is risky because you'll have to expose your app's private credentials to the end user.
What you said regarding needing node is not necessarily correct; you could use any server side scripting (e.g., PHP) to safely call the API.
In all cases, make sure you are not exposing your keys or endpoints where other people could use your keys to access your personal account.
If you learn OAuth and CORS, you might be able to write an axios or fetch client. Node's "request" module is not easy to reverse engineer into client-side JS code. The browser versions I've seen don't support the OAuth addon it uses.
If you deploy to now.sh or a VPS, or write an Electron desktop client, you could use the node, golang, or python clients in the backend to proxy tumblr requests.
If you deploy to netlify, you could use the node or golang netlify functions to proxy tumblr requests.
If you deploy to any VPS environment or use serverless/lambda/cloudfunctions, you could proxy tumblr requests in most of the available cloud libraries.
I suspect you could compile the golang or c client to webassembly and expose their functions to JavaScript, but I don't recommend trying this.
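The proxy approach the answers above keep returning to (keys stay on a server you control; the browser calls the proxy, not the upstream API) as an added example, not code from any of the answers: a pure function that builds the upstream request so it runs with no network. The upstream host, allowed paths, allowed origins, the API_TOKEN variable and the bearer-style header are assumptions for the example; a real Tumblr proxy would apply its own OAuth signing in place of the bearer header.

```javascript
// Added example, not code from any of the answers above: the server-side proxy
// the answers recommend, written as a pure function so it runs with no network.
// The API token lives only in the backend's environment, and a request is
// forwarded only if its path and Origin are on an allowlist, so the key never
// reaches the browser and the proxy is not an open relay to the upstream API.
// Upstream host, paths, origins and the bearer-style header are assumptions
// for the example; a real Tumblr proxy would apply its OAuth signing instead.

const UPSTREAM_HOST = 'api.upstream.invalid';
const ALLOWED_PATHS = new Set(['/v2/user/info', '/v2/user/dashboard']);
const ALLOWED_ORIGINS = new Set(['https://app.example.invalid']);

// clientReq mirrors the fields of Node's http.IncomingMessage (method, url,
// headers); env is the backend's process.env-style object.
function buildProxyRequest(clientReq, env) {
  const origin = clientReq.headers.origin;
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { error: { status: 403, message: 'origin not allowed' } };
  }
  const url = new URL(clientReq.url, 'http://proxy.local');
  if (clientReq.method !== 'GET' || !ALLOWED_PATHS.has(url.pathname)) {
    return { error: { status: 404, message: 'endpoint not proxied' } };
  }
  if (!env.API_TOKEN) {
    return { error: { status: 500, message: 'proxy not configured' } };
  }
  return {
    upstream: {
      host: UPSTREAM_HOST,
      method: 'GET',
      path: url.pathname + url.search, // only an allowlisted path goes upstream
      headers: { Authorization: `Bearer ${env.API_TOKEN}` },
    },
    // CORS response header, echoed only for an allowlisted origin.
    cors: { 'Access-Control-Allow-Origin': origin },
  };
}

// Constructed sample requests and a placeholder token for the example.
const ENV = { API_TOKEN: 'placeholder-token' };
const GOOD_REQ = { method: 'GET', url: '/v2/user/info?fields=name',
  headers: { origin: 'https://app.example.invalid' } };
const BAD_PATH_REQ = { method: 'GET', url: '/v2/blog/delete',
  headers: { origin: 'https://app.example.invalid' } };
const BAD_ORIGIN_REQ = { method: 'GET', url: '/v2/user/info',
  headers: { origin: 'https://evil.invalid' } };

console.log(buildProxyRequest(GOOD_REQ, ENV));       // upstream request with token
console.log(buildProxyRequest(BAD_ORIGIN_REQ, ENV)); // { error: { status: 403, ... } }
```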

How does PubNub bind your account with the JavaScript API?

It seems that PubNub binds your account by domain. I can't seem to find a definitive answer in the support nor the API.
By the lack of using publish, subscribe or secret key from JavaScript it seems that your site's domain is what's bound. Is this accurate?
I haven't gotten around to playing with it, but that would be bad because that would mean that I have to push up my code to the server just to test.
I need to know about this because I want a way to test my web application using local host.
You are asking about PubNub accounts and binding to a domain. This is a good question regarding how to get started with PubNub. To dispel this quickly, you do not have to provide this information with PubNub in order to connect. You can connect from Anywhere to Anywhere. You can even connect on localhost from your local system. Even better you do not need a web server and can write ordinary html5 and open the file:// from your hard disk. Pretty nifty yah?
Mac:
file:///Users/stephen/index.html
Ubuntu:
file:///home/stephen/index.html
Windows XP:
file:///C:/Documents and Settings/stephen/index.html
Windows 7:
file:///C:/Users/stephen/index.html

Pure Javascript app + Amazon S3?

I'm looking to confirm or refute the following:
From what I have read so far, it is not possible to write a web application with only javascript -- no server side logic -- served from Amazon S3 that also stores data only in S3 if you need to have multiple clients with private data per client.
The issue I see is the Authorization header required for every Ajax call that would force me to put the signature (and my AWS id) right there in the page source for everybody to see.
Is that correct, or did I misunderstand the docs?
Are there workarounds?
In short, you are correct.
If your AWS key ends up in any way on the client-side, you are in trouble.
A possible solution is, of course, to have the user specify their AWS key for storing their data.
I'm working on a project that will do something similar to this, mine will have the users use their own S3 which I will store in HTML5 localStorage. It's a bit tricky, but I've got the basics working.
It involves making a JavaScript program that replicates itself into S3, gets itself from S3 and then transfers credentials and control into the S3 loaded version.
I'm using the excellent SJCL to do signature generation and jQuery's ajax functionality for the parts I can.
My work simply initializes the S3 side application and does a test PUT/GET sequence to S3. I also rewrote a jQuery postMessage plugin (which StackOverflow won't let me post for lack of rep) for communicating between my frames.
In my case, I'm trying to fit the entire application into a single HTML file so that I don't have to do as much initial transfer into S3, but perhaps there are other ways to work this out.
iBeans offers a way around this without having to write any server side code. There's an S3 iBean (a developer is working on it to be released in the next few days - watch the mulesoft blog for an announcement) and you can access it right from your javascript. The iBean itself runs on a server so you wouldn't need to store your keys in the javascript.