TTLabs / EvaporateJS

Javascript library for browser to S3 multipart resumable uploads

Handle aws key expiration #446

Open NZhuravlev opened 4 years ago

NZhuravlev commented 4 years ago

In case aws_key is only valid for 1 hour, how should I handle the situation when the upload process has been started with [Evaporate#add](https://github.com/TTLabs/EvaporateJS/wiki/Evaporate.prototype.add()) using one accessKey, but the URL was signed with a different key?

In signResponseHandler I have both signed URL and an access key it was signed with. But according to the [Evaporate#add](https://github.com/TTLabs/EvaporateJS/wiki/Evaporate.prototype.add()) source code there is no way to update fileUpload configuration.

jakubzitny commented 4 years ago

Not sure this is possible directly, maybe with playing around with custom signing method where you'd make temporary keys and sign them in client.

Also, why not make the key validity longer? Or per-upload?

NZhuravlev commented 4 years ago

Per-upload would be too much - we upload thousands of files. And there is no control over validity time.

hhiptmair commented 4 years ago

Do you agree that setting the aws_key after having received the signed URL is a good solution in this scenario? Do you think it would be hard to implement such a change?

jakubzitny commented 4 years ago

I see.. I am not sure, PRs welcome :)

NZhuravlev commented 4 years ago

@jakubzitny is it possible to handle this situation if we use customAuthMethod?

jakubzitny commented 4 years ago

Yes, but that requires signing on client where you'd need a secret. We do it with temporary secrets that backend sends to client only for specific time, iam and location on s3.

Or you can do an extra request to your signing backend custom url, but you could do that with signerUrl.

hhiptmair commented 4 years ago

@jakubzitny could you share some code with us how you do the signing on the client? How do you deal with the situation when the temporary credentials expire while there are still files in the upload queue?

jakubzitny commented 4 years ago

I shared something here: https://github.com/TTLabs/EvaporateJS/issues/402#issuecomment-449481388

And we don't do that. We have separate credentials for each upload and if something fails or takes a long time we create new credentials and start over.
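
An added example, not part of the thread or of EvaporateJS: a `customAuthMethod` factory for the client-side signing with temporary secrets discussed above, which computes the SigV4 signature in the client and refuses to sign once the credentials are close to expiry, so the caller can request new ones and start the upload over. `makeTempCredSigner`, the `creds` shape, the skew margin and the sample string are assumptions, and the code assumes `stringToSign` arrives as the plain (not URL-encoded) SigV4 string to sign.

```javascript
// Added example (not EvaporateJS code). makeTempCredSigner and the creds shape
// { secretAccessKey, expiresAt (ms since epoch) } are hypothetical names.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

async function hmac(keyBytes, msg) {
  const k = await subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
  return new Uint8Array(await subtle.sign("HMAC", k, enc.encode(msg)));
}

// The credential scope is the third line of a SigV4 string to sign:
// <yyyymmdd>/<region>/<service>/aws4_request
function parseScope(stringToSign) {
  const [algo, , scope] = String(stringToSign).split("\n");
  const parts = (scope || "").split("/");
  if (algo !== "AWS4-HMAC-SHA256" || parts.length !== 4 || parts[3] !== "aws4_request") {
    throw new Error("not a SigV4 string to sign");
  }
  return { date: parts[0], region: parts[1], service: parts[2] };
}

// Returns a function with the customAuthMethod argument order; one signer per upload.
function makeTempCredSigner(creds, { skewMs = 60000, now = Date.now } = {}) {
  return async function customAuthMethod(signParams, signHeaders, stringToSign) {
    if (now() + skewMs >= creds.expiresAt) {
      throw new Error("temporary credentials expired"); // caller fetches new ones and restarts
    }
    const { date, region, service } = parseScope(stringToSign);
    let key = enc.encode("AWS4" + creds.secretAccessKey);
    for (const part of [date, region, service, "aws4_request"]) key = await hmac(key, part);
    const sig = await hmac(key, stringToSign);
    return Array.from(sig, (b) => b.toString(16).padStart(2, "0")).join("");
  };
}

// Constructed sample input; the last line stands in for the canonical request hash.
const SAMPLE_STRING_TO_SIGN = [
  "AWS4-HMAC-SHA256",
  "20240101T000000Z",
  "20240101/us-east-1/s3/aws4_request",
  "0".repeat(64),
].join("\n");
```

If the temporary secret comes with a session token, the token also has to be sent with each request as the `x-amz-security-token` header.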