# sst
r
Good day all 🙂 I wanted to protect frontend assets on development deployments with a basic auth prompt in the browser. I think lambda@edge is the way to do this right? AWS Amplify Console just has a field where you can toggle a password on and off. Would be cool to have that on the SST StaticSite Construct 🙂
f
Hey @Ryan, are the username/password manually defined in the Amplify console? Or are they coming from an existing User Pool?
r
Yes, it's just predefined. (Well last time I used it!). Just a very simple mechanism to protect the frontend code/assets from the public web.
f
Got it. I just opened an issue to track the progress on this https://github.com/serverless-stack/serverless-stack/issues/540
Btw, are you thinking to keep all stages protected? Or just the non-production stages?
i.e. the “prod” stage is publicly viewable, but “dev”, “staging” and other development stages are restricted?
r
It depends on what stage we are at. In the past we have given production access only to some early potential customers to test out and kept the password on it. Especially if we have had some hard-coded information that is related to that customer in the frontend code. So if I was doing it in SST I'd run it behind an environment variable.
Here's the docs for amplify console for reference. https://docs.aws.amazon.com/amplify/latest/userguide/access-control.html
f
Like having a `.env.prod.local` file with:
```
SITE_PASSWORD=world
```
And in the CDK code, you set the StaticSite’s password to `process.env.SITE_PASSWORD`
And when you deploy through a CI environment, `SITE_PASSWORD` will come from the build environment
Do you mean something like this?
r
Sorry, I completely missed this. Yes, something like that. But I was thinking you could just add a "password" field in the static site construct. Then it could be fed from anywhere. An environment variable would probably be the most common choice. I would also want to define in the environment vars if it was turned on or off too. (e.g. maybe on for a feature branch, off for prod)
f
Yup, that makes sense!
g
Hello, are there updates on https://github.com/serverless-stack/serverless-stack/issues/540 ? I would like to protect a Docusaurus doc (hosted with static site) behind user credentials (or a single password)
f
Hey @gio, we haven’t gotten to this one yet. But I found this post that’s about how to achieve this using Lambda@Edge functions https://stackoverflow.com/questions/55874983/basic-user-authentication-for-static-site-using-aws-s3-bucket
And instead of manually creating the Edge function in AWS console, you can use the aws-cloudfront’s EdgeFunction construct to create it https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.experimental.EdgeFunction.html
And the Edge Lambda function code from the StackOverflow post should work.
r
We use a lambda@edge for auth. Works well, but hard to debug if things go wrong. But for basic auth it's nice and simple. Getting environment variables to them is also horrible.
f
Hey @Ryan, r u configuring the Edge lambda with CloudFront in ur SST app? If you ever get a chance to share a snippet of how you are configuring the CF distribution construct, we’d love to turn that into an example.