Publishing Amazon AWS credentials for account with 1 permission - javascript

I have an piece of code I want to live on a static website but I want it to pull the latest version of a file in an Amazon AWS S3 bucket to display a link for download. I'm not requiring the user to authenticate in any way with my site.
The API I'm using (aws-sdk for javascript) requires credentials to perform any operation, even on a public bucket. My plan for listing the files is to create an IAM user that can only access a subfolder in this bucket through the following policy to do what I need:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfDLFolder",
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::cobstatic.com"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"dl/*"
]
}
}
}
]
}
Is this secure? Is there a better solution?

Related

Loading project file on AWS S3 giving error 403: Forbidden

I have uploaded to AWS basic app where I am loading few assets. For some reason these models are throwing this error:
Error: fetch for “https:…/model1.glb” responded with 403: Forbidden
I have uploaded few test apps to AWS before without any issues. Bucket policy is setup and permissions are all public.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::ts1/*"
}
]
}
Edit: the app was built with Vite and I am hosting dist folder
In my case the solution was putting the file into public folder. I am loading the asset now from this path './assets/models/plant1.glb'. For whatever reason that was the whole issue, works now on AWS and Firebase hosting.

FirebaseAuth requests blocked by cors policy in js app

I know that similar questions exist, but I didn't find a solution for me.
I have a built-in Flutter web app that is compiled into javascript. I had it hosted on Firebase Hosting. The in-app first screen is the login page which uses FirebaseAuth for logging. Whenever the first time website is open - all internal library requests have status failed. When after that I press CTRL+F5 everything works smoothly.
Here is a comparison of the same first internal request. On left is successful one, on right one which fails due to "** has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'."
I found out about the configuration of headers for Firebase Hosting, so I did it:
{
"hosting": {
"public": "",
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
],
"rewrites": [
{
"source": "**",
"destination": "/index.html"
}
],
"headers": [ {
"source": "**",
"headers": [
{
"key": "Access-Control-Allow-Origin",
"value": "*"
},
{
"key": "Access-Control-Allow-Methods",
"value": "DELETE, POST, GET, OPTIONS"
},
{
"key": "Access-Control-Allow-Headers",
"value": "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"
}
]
}]
}
}
In app there is a simple initialization of a firebase in didChangeDependencies with required data. Then FirebaseAuth.instance.signInWithEmailAndPassword(...) On index.html section about firebase:
<script src="https://www.gstatic.com/firebasejs/7.7.0/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.7.0/firebase-auth.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.7.0/firebase-firestore.js"></script>
<script src="main.dart.js" type="application/javascript"></script>
I have tested it in Chrome many times and always failed. Only on localhost runs smoothly
More info:
requests on "normal" (without clearing cache) return to page:
requests after CTRL+F5 on the same site:
Those blurred on red are the URL of my app
The cause of this issue was from the service worker blocking Firebase Auth calls on web. This has been fixed as mentioned on this GitHub issue thread. Updating to the latest version of firebase_auth plugin should fix the issue.

Getting request body as a string from API gateway, expecting JSON content

I have recently started to create a slack slash command bot for learning purpose. I am getting the different format of request body from API gateway and nodejs app on EC2 server. I just want to get JSON format of request body from API gateway. How can get it?
Let's have a look at both the body format and serverless.yml file.
First, I have installed the serverless framework & created the serverless.yml file with the following code,
service: as-serverless-slack-bot
# NOTE: update this with your service name
# You can pin your service to only deploy with a specific Serverless version
# Check out our docs for more details
# frameworkVersion: "=X.X.X"
provider:
name: aws
runtime: nodejs8.10
functions:
info:
handler: handler.info
events:
- http:
method: post
path: slack/info
cors: true
Now, I have deployed it successfully. However, when I execute slack slash command, I receive request body in string format from API gateway,
body: 'token=XXXXXX&team_id=XXXXXXXX&team_domain=XXXXXXX&channel_id=XXXXXXX&channel_name=XXXXXX&user_id=XXXXXX&user_name=XXXXXXX&command=%2Finfo&text=about+users&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2XXXXXXX%2XXXXXXXXXXX&trigger_id=562173962614.55XXXXXXXXX.326e28e8599XXXcacf0XXXXXa'
While, for the same action, I am getting JSON formatted request body in EC2 nodejs app.
{
"body": {
"token": "xxxxxxxxx",
"team_id": "xxxxxx",
"team_domain": "xxxxxx",
"channel_id": "xxxx",
"channel_name": "xxxx",
"user_id": "xxx",
"user_name": "xx",
"command": "/info",
"text": "about users",
"response_url": "https://hooks.slack.com/commands/x/x/x",
"trigger_id": "560161450593.558xxxxxxxx3.3741c456xxxxx05cc6xxx62"
}
}
So, how can I get request body in JSON format from API gateway?
This is correct. Default lambda integration is via "lambda proxy" which bypasses API Gateway's request/response transformers. You basically get the raw payload to deal with.
If you want API Gateway to do some of the work, you need to switch integration to lambda and configure API Gateway to accept application/json as a request type.
https://serverless.com/framework/docs/providers/aws/events/apigateway#lambda-integration

Amazon S3 javascript and css files 403

I have some javascript and css files linked in head tag of my page. All the page content (index.html page and javascript and css files) is located in a bucket. When I launch index.html page, I get 403 errors on all those javascript and css files:
Failed to load resource: the server responded with a status of 403 (Forbidden)
This must be some setting on amazon S3 which prevent these files from accessing?
Can you help me resolve this?
You need to check if your files are configured as public:
Or grant permissions using a Bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
}
]
}

Chrome App Identity Login Not Working

I tried using chorome.identity to auth my app but it seems NWJS can not load login page that provided by chrome at chrome://chrome-signin/?access_point=6&reason=0.
I have my package.json just like this:
"permissions": ["tabs", "identity", "storage", "https://www.googleapis.com/*",
"https://*.googleusercontent.com/*",
"https://ssl.gstatic.com/",
"https://www.googleapis.com/",
"https://accounts.google.com/",
"chrome://chrome-signin/?access_point=6&reason=0"],
"oauth2": {
"client_id": "xxxxxx.apps.googleusercontent.com",
"scopes": [
"https://www.googleapis.com/auth/drive"
]
},
"key": "MIIBIjANBxxxxxxx"
and this is my code:
chrome.identity.getAuthToken({'interactive': true}, function (token) {
if (chrome.runtime.lastError) {
console.log(chrome.runtime.lastError);
return;
}
console.log('Tokennya adalah', token);
});
is there any wrong code I've written?
Mostly your oauth2 client_id does not match the package id of your extension. When generating oauth2 token for chrome app, it will ask for your app's web store id after you upload the initial app with the manifest. Check if it is the same as that of your extension loaded to the chrome for development. If not, give the local extension instead of the web store id. And use that client_id in your manifest for development. Later on change it to the webstore url id to publish.
And there is no need for "chrome://chrome-signin/?access_point=6&reason=0" url under permissions.

Categories

Resources