Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mattdeboard/flask-cloudfront

A library for securely serving data from CloudFront using Flask
https://github.com/mattdeboard/flask-cloudfront

Last synced: 23 days ago
JSON representation

A library for securely serving data from CloudFront using Flask

Host: GitHub
URL: https://github.com/mattdeboard/flask-cloudfront
Owner: mattdeboard
Created: 2012-10-13T03:02:37.000Z (about 12 years ago)
Default Branch: master
Last Pushed: 2012-10-23T19:39:09.000Z (about 12 years ago)
Last Synced: 2024-04-17T09:52:28.561Z (7 months ago)
Language: Python
Size: 129 KB
Stars: 0
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.rst

Awesome Lists containing this project

README

        ================

Flask-CloudFront

================

A library for providing an authorization layer between a user's browser and your sensitive data being served by Amazon's CloudFront service.

About

=====

This project was born out of a need I had for a lightweight authorization server that could sit between a CloudFront distribution and the `Courseload `_ API client. It is an expression of a strategy leveraging CloudFront's `signed URL `_ feature for serving private content combined with an authorize-every-request constraint. I could not find any good front-to-back solutions out there so I made one myself.

In short, I need an authorization layer sitting between the End User and the Edge Location in this diagram:

.. image:: http://ubuntuone.com/2ePlghjXJsMuBgLjdV3Yjy

Flask-CloudFront does that.

Usage

=====

The API is provided by ``flask_cloudfiles.auth.CloudFilesRedirect``. You will need to create a subclass and override the ``authorize`` method with your own authorization logic. That method should return an integer correlated with an HTTP response code, e.g. 200, 204, 404, 500, etc. Example::

  from flask.ext.cloudfiles import CloudFilesRedirect

  class MyRedirect(CloudFilesRedirect):

      def authorize(self, *args):

          result = do_some_stuff(*args)

          if result:

              return 200

          return 404

You can then call the class instance's ``go`` method to perform the authorization, cryptographic signing & signed URL generation. If you return the value of that method invocation, the user will be redirected to the location you specify::

  @app.route('/')

  def home():

      my_redirect = MyRedirect(app.config['CLOUDFRONT_DOMAIN'], code=303, headers={},

                               **app.config['CLOUDFRONT_CONFIG'])

      return my_redirect.go()

HTTP 303

--------

I chose to make HTTP 303 the default redirect code because by default and by specification HTTP 303 is not cached by browsers. Because the signed URLs are time-bound, caching the redirect could have disasterous results on user experience (i.e. hitting a cached redirect for an expired link == 404). However you can pass whatever code you like when you instantiate your class.

Configuration

=============

There is one recommended configuration setting and one mandatory.

Mandatory: ``CLOUDFRONT_CONFIG``. This is a dictionary in the following format::

  CLOUDFRONT_CONFIG = {

    'priv_key_string': '/path/to/pk-ABCDEF.pem',

    'key_pair_id': 'ABCDEF',

    # How many seconds from the time the signature is generated it will expire.

    # Keys generated using a value of 60 for this key will expire one minute

    # after they are created

    'expires': 60

  }

Recommended: ``CLOUDFRONT_DOMAIN``. This is a string that refers to the domain or CNAME of your CloudFront distribution, e.g. ``http://dc1097jtk.cloudfront.net``.