
I am making a databaseless website on AWS Lambda. A user will be able to post a message, and if he has the right password (which will be a URL like example.com/pageid/edit/passwordkey/) he will be able to edit the page too. I want to be able to authenticate a user without a database. I'm using S3, but data on S3 will be public, so I cannot store the password in S3.

This is my solution at the moment:

const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// s3: an AWS SDK S3 client for the public bucket (assumed to be set up elsewhere)

function save(pageid, data) {
    s3.putObject({ Key: pageid, Body: data });
    // one site-wide salt: every page's password is derived from it
    const password = sha256(pageid + "SALTPHRASE");
    console.log({ password: password });
}
function authenticate(pageid, password, newdata) {
    if (sha256(pageid + "SALTPHRASE") === password) {
        s3.putObject({ Key: pageid, Body: newdata });
    }
}

The problem with this approach is that if at any future date someone learns the salt phrase, they can access all data on the website, because pageids are public.

I am not good at the subject of encryption; I have only some basic understanding, so I'm not sure if this can work, and how I can make it in Node.js. To be more specific, I want to generate public and private keys using SSL-like encryption, so that I'm not dependent on one single salt that I cannot change in the future.

  • I generate a public and private key
  • I save the public key with the file, give private key to the user
  • When I am authenticating, I simply encrypt a message with the public key on the file and decrypt it with the user-provided private key. If the message is the same, I authenticate the user.

I do not know which libraries can do this (more specifically in Node.js), which method of encryption is the best, or whether this method has its own weaknesses.

Thank you.

chickens
  • please limit your questions to a single topic / question, otherwise you won't get complete answers – gusto2 Mar 31 '18 at 19:21

2 Answers


When sticking to AWS, for authentication you may want to have a look at the Cognito service. It's effectively a complete identity management service (managing users, groups, ...) with federation options and social network logins. For public access it has a generous free tier and reasonable pricing. (You will need to learn about OAuth and chew through the Cognito documentation.)

want to be able to authenticate a user without a database

Now you are using S3 as a database (datastore). As you found, you need to store your data somewhere.

From your use case I assumed you want to validate a secret (password?) to authorize an action. If you want to go completely serverless without any database, you may want to use the Lambda environment variables to store some secret (e.g. salt, password hash, ...).

IMHO it may still be feasible to send a secret along with the request to authorize an action (that's done with API keys or basic auth), but I won't advise putting it into the URL. It could be in the payload, a header, anything that is not directly cached or logged.

I do not know which libraries can do this

For symmetric encryption and hashing I use crypto-js; however, this library doesn't support RSA or PBKDF.

I am not good at encryption subject, I have some understanding only so I'm not sure if this can work. And how can I make it on nodejs

Unfortunately cryptography is a broad topic and it's easy to shoot yourself in the foot.

For each topic I'd advise searching the net, trying it out, and then creating a new specific question when you have a problem.

gusto2

If you want to authenticate the user without a database, have a look at the AWS Cognito service.

To authenticate from S3, you can store user data as a file in JSON or CSV and query S3 data using AWS Athena.

singh30