A library for providing an authorization layer between a user's browser and your sensitive data being served by Amazon's CloudFront service.
This project was born out of a need I had for a lightweight authorization server that could sit between a CloudFront distribution and the Courseload API client. It is an expression of a strategy leveraging CloudFront's signed URL feature for serving private content combined with an authorize-every-request constraint. I could not find any good front-to-back solutions out there so I made one myself.
In short, I need an authorization layer sitting between the End User and the Edge Location in this diagram:
Flask-CloudFront does that.
The API is provided by flask_cloudfiles.auth.CloudFilesRedirect
. You will need to create a subclass and override the authorize
method with your own authorization logic. That method should return an integer correlated with an HTTP response code, e.g. 200, 204, 404, 500, etc. Example:
from flask.ext.cloudfiles import CloudFilesRedirect class MyRedirect(CloudFilesRedirect): def authorize(self, *args): result = do_some_stuff(*args) if result: return 200 return 404
You can then call the class instance's go
method to perform the authorization, cryptographic signing & signed URL generation. If you return the value of that method invocation, the user will be redirected to the location you specify:
@app.route('/') def home(): my_redirect = MyRedirect(app.config['CLOUDFRONT_DOMAIN'], code=303, headers={}, **app.config['CLOUDFRONT_CONFIG']) return my_redirect.go()
I chose to make HTTP 303 the default redirect code because by default and by specification HTTP 303 is not cached by browsers. Because the signed URLs are time-bound, caching the redirect could have disasterous results on user experience (i.e. hitting a cached redirect for an expired link == 404). However you can pass whatever code you like when you instantiate your class.
There is one recommended configuration setting and one mandatory.
Mandatory: CLOUDFRONT_CONFIG
. This is a dictionary in the following format:
CLOUDFRONT_CONFIG = { 'priv_key_string': '/path/to/pk-ABCDEF.pem', 'key_pair_id': 'ABCDEF', # How many seconds from the time the signature is generated it will expire. # Keys generated using a value of 60 for this key will expire one minute # after they are created 'expires': 60 }
Recommended: CLOUDFRONT_DOMAIN
. This is a string that refers to the domain or CNAME of your CloudFront distribution, e.g. http://dc1097jtk.cloudfront.net
.