Comments (6)
joonhocho
commented on September 26, 2024
There's already a repo that does that https://github.com/tj/node-s3-policy, but it's not being maintained and it's for v2, not v4 signature.
from react-native-aws3.
joonhocho
commented on September 26, 2024
I created a repo with little refactoring to the code. https://github.com/joonhocho/s3-policy-v4
from react-native-aws3.
benjreinhart
commented on September 26, 2024
Hey @joonhocho,
Thanks for your interest. I don't believe it's necessarily a bad idea so long as you're not sending over your root account credentials or credentials that otherwise have read/write access to protected resources that you don't want to be public. AWS has IAM user & permissions which you can use to create a user with certain permissions and then you can bundle that user's access key and secret key with your app. For my projects, I created a user who has as little permissions as possible. In my case, the IAM user has can only GetObject and PutObject to one specific directory which is essentially a public directory anyways. Other than that, our IAM user cannot access anything.
If you'd like to create those permissions on the server that's great, I believe there are many libraries out there that accomplish that in addition to the one you extracted from this library, including Amazon's own node SDK. However, I do not wish to perform an extra API call every single time I suspect a user is about to upload a photo and additionally my server is not in written in Node.
from react-native-aws3.
joonhocho
commented on September 26, 2024
Thanks for your answer!
I have a question. If you bundle your IAM's access key and secret key together with your app, couldn't hackers get an access to those values and abuse them?
from react-native-aws3.
benjreinhart
commented on September 26, 2024
I'm sure there is a way, though I'm no expert. My guess is that would maybe require some reverse engineering, although perhaps not as much as if it was bundled with code that was compiled to a binary (don't believe the JS bundle is compiled before being shipped).
I'm not the best person to ask for this. All I know is that I only ship credentials that would have relatively low impact if they were to fall into the wrong hands. In general, I'm sure it's still best practice to do this on server. I'll consider adding better support for server side generation of policies.
from react-native-aws3.
joonhocho
commented on September 26, 2024
I agree with you. Thanks!
from react-native-aws3.
Related Issues (20)
- Mulitple upload HOT 2
- I have only identityPoolId. So, what should I do? is this library support?
- File Upload Dont work in Android HOT 3
- A server with the specified hostname could not be found. HOT 2
- How use Amazon S3 Transfer Acceleration
- postResponse null issue HOT 1
- How to upload multiple files? `Solution`
- Write error: ssl=0x752c77f708: I/O error during system call, Broken pipe
- {"headers": {}, "status": 0, "text": "Stream Closed"} HOT 13
- How to access(get uploaded file) the private bucket in aws s3 repo ?
- Unable to upload video when bucket name contains dots eg. domain names
- FormData and XMLHttpRequest are not defined
- Google play - Leaked AWS credentials HOT 1
- Failed to upload image to S3
- Abort upload HOT 2
- Stream Closed HOT 10
- Error :- read failed: EBADF (Bad file descriptor) when upload image. HOT 2
- Check s3 folder size through RNS3
- Is this going to be affected by AWS’s Move to Its Own Certificate Authority?
- In Android its not working HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from react-native-aws3.