https://serverless-stack.com/ logo
#sst
Title
# sst
r

Ryan

07/13/2021, 6:02 AM
Good day all 🙂 I wanted to protect frontend assets on development deployments with a basic auth prompt in the browser. I think lambda@edge is the way to do this right? AWS Amplify Console just has a field where you can toggle a password on and off. Would be cool to have that on the SST StaticSite Construct 🙂
f

Frank

07/13/2021, 7:21 AM
Hey @Ryan, are the username/password manually defined in the Amplify console? Or are they coming from an existing User Pool?
r

Ryan

07/13/2021, 7:36 AM
Yes, it's just predefined. (Well last time I used it!). Just a very simple mechanism to protect the frontend code/assets from the public web.
f

Frank

07/13/2021, 8:24 AM
Got it. I just opened an issue to track the progress on this https://github.com/serverless-stack/serverless-stack/issues/540
Btw, are you thinking to keep all stages protected? Or just the non-production stages?
ie. the “prod” stage is publicly viewable; but “dev”, “staging” and other development stages restricted?
r

Ryan

07/13/2021, 12:22 PM
It depends at what stage we are at. In the past we have given production access only to some early potential customers to test out and kept the password on it. Especially if we have had some hard coded information that is related to that customer in the frontend code. So if I was doing it in SST I'd run it behind an environment variable.
Here's the docs for amplify console for reference. https://docs.aws.amazon.com/amplify/latest/userguide/access-control.html
f

Frank

07/13/2021, 6:24 PM
Like having a
.env.prod.local
file with:
Copy code
SITE_PASSWORD=world
And in the CDK code, you set the StaticSite’s password to
process.env.SITE_PASSWORD
And when you deploy through a CI environment,
SITE_PASSWORD
will come from the build environment
Do you mean somehting like this?
r

Ryan

08/22/2021, 12:54 PM
Sorry, I completely missed this. Yes, something like that. But I was thinking you could just add a "password" field in the static site construct. Then it could be fed from anywhere. An environment variable would probably be the most common choice. I would also want to define in the environment vars if it was turned on or off too. (eg. Maybe on for a feature branch, off for prod)
f

Frank

08/22/2021, 11:20 PM
Yup, that makes sense!
g

gio

02/15/2022, 9:23 AM
hello, are there updates on https://github.com/serverless-stack/serverless-stack/issues/540 ? I would protect a docusaurus doc (hosted with static site) behind a user credentials (or single password)
f

Frank

02/17/2022, 8:40 AM
Hey @gio, we haven’t gotten to this one yet. But I found this post thats about how to acheive this using Lambda@Edge functions https://stackoverflow.com/questions/55874983/basic-user-authentication-for-static-site-using-aws-s3-bucket
And instead of manually creating the Edge function in AWS console, you can use the aws-cloudfront’s EdgeFunction construct to create it https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.experimental.EdgeFunction.html
And the Edge Lambda function code from the StackOverflow post should work.
r

Ryan

02/17/2022, 9:57 AM
We use a lambda@edge for auth. Works well, but hard to debug if things go wrong. But for basic auth it's nice and simple. Getting environment variables to them is also horrible.
f

Frank

02/18/2022, 4:00 AM
Hey @Ryan, r u configuring the Edge lambda with CloudFront in ur SST app? if you ever get a chance to share a snippet of how you are configuring the CF distribution construct, we’d love to turn that into an example.