Properly enabling security for filepicker.io in Meteor

一笑奈何 提交于 2019-12-21 06:59:30

问题


Filepicker by default allows pretty much everybody to add files to your S3 bucket who was clever enough to copy your API key out of the client code and luckily also offers a security option with expiring policies.

But I have no idea how to implement this in Meteor.js. Tried back and forth, installing meteor-crypto-base package, trying to generate the hashes on the server, tried RGBboy's urlsafe-base64 algorithm on https://github.com/RGBboy/urlsafe-base64. But I just do not get any further. Maybe someone can help! Thank you in advance.


回答1:


This is an example of how to do filepicker signed URLs in meteor, based on the documentation here:

var crypto = Npm.require('crypto');
var FILEPICKER_KEY = 'Z3IYZSH2UJA7VN3QYFVSVCF7PI';
var BASE_URL = 'https://www.filepicker.io/api/file';

Meteor.methods({
  signedUrl: function(handle) {
    var expiry = Math.floor(new Date().getTime() / 1000 + 60 * 60);

    var policy = new Buffer(JSON.stringify({
      handle: handle,
      expiry: expiry
    })).toString('base64');

    var signature = crypto
      .createHmac('sha256', FILEPICKER_KEY)
      .update(policy)
      .digest('hex');

    return BASE_URL + "/" + handle +
      "?signature=" + signature + "&policy=" + policy;
  }
});

Note this will need to exist somewhere inside of your server directory so you don't ship the key to the client. To demonstrate that it works, on the client side you can call it like so:

Meteor.call('signedUrl', 'KW9EJhYtS6y48Whm2S6D', function(err, url){console.log(url)});

If everything worked, you should see a photo when you visit the returned URL.



来源:https://stackoverflow.com/questions/18546676/properly-enabling-security-for-filepicker-io-in-meteor

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!