I developed a website using django. Recently I am trying to make it serverless ( by deploying to lambda ). I haven't figured out how to maintain the session after user logged in when deployed to lambda.any suggestions please.
As you probably know, lambdas are stateless. You can use some database i.e. Dynamo DB to store and retrieve session related information, i.e. connection token. Otherwise you can integrate with AWS Cognito service which handles authentication and session information for you.
Most session capabilities inherent to Django will work fine with a zappa deployed Django project as long as the appropriate infrastructure is available. For example if you choose database-backed session, then your Django deployment must have access to a database. But you must avoid File-based sessions since you cannot guarantee the file will exist for any given user request (the lambda container to which requests are routed are not deterministic).
For more information on Django sessions see the documentation
Related
This is my first stack overflow question. I have an in-house written OAuth backend serving for my application. I have migrated all the users from my backend to Cognito using the user migration Lambda trigger. The problem is that they are a few other services that are already linked and are using the existing backend to authenticate and needed to be to migrate to Cognito without forcing them to log out and log in. is there a way? If yes, let me know. Thanks
I have been doing some research about using some AWS service as OAUTH2 for our application running in 3 docker containers (backend, frontend, database). Backend has an API which is not open to public obviously and accessible only within docker network. We are looking for extending our app with a chat service, which we want to implement as a service, so we build our app following microservices architecture, since we will add other services later on. So when user logs into our app, his session will be also "shared" with chat service.
Our chat service will be using sockets and since sockets require direct connection to user resources, we can not just implement an integration layer which will supply all resources required by chat service, but we have to either:
implement sockets within our application API (which we dont want to do, we want it as microservice),
open API endpoints for chat service to use, but this option requires OAUTH2 and thats what we try to deal with.
I am not sure if there is some other way to handle this and be also ready for a long run, but if this works, which AWS service would fit the best for us to use, which would play OAUTH2 role for handling security in this matter?
I also checked this post but it didn't help me much in my case. I'm open to any suggestions, I've checked AWS lambda, AWS cognito, AWS amplify, pretty confusing, many features, we don't want to overload the architecture with features we don't need.
What exactly is the thing you want? User accounts managed by AWS? Use cognito.
Users logging in with Apple, Facebook, Etc? Use cognito again.
Just have some backend code that once a user logs in, create a token or session so they can chat with that.
There are many youtube videos on AWS cognito but a lot of them suck. The best one is written in React but before they came out with hooks. Here is part one. https://www.youtube.com/watch?v=EaDMG4amEfk
My use case is fairly simple: I want to deploy a frontend to production that uses an Amplify backend, without exposing sensitive config like the API key.
I have a frontend that uses Github Actions for CI and CD and deploys to Zeit Now (since it's a Next.js project and needs SSR support, which Amplify currently does not provide). At the moment it does not have a backend connected so it deploys to production without any issues.
In the same project I've set up AWS Amplify for the backend and connected it to the frontend. It all works sucessfully as expected from a local environment.
Now I want to deploy the frontend to production, however the AWS config for connecting it to the backend, it's saved in an autogenerated file named aws-exports.js which contains amongst other things the GraphQL end point and its API key. This file has been added to the .gitignore by the Amplify CLI.
If I remove the aws-exports.js files from the .gitignore and commit it to the repository, I think it would probably work once deployed to production, however I assume this is not a good idea since I would be exposing sensitive config data.
I don't want to use AWS to deploy my frontend, which is what's suggested as solution in the documentation I've read about this. Is there any recommended way to do this keeping the frontend and backend environments separated? (meaning the frontend still being deployed to Zeit Now which will use the backend deployed in AWS).
As far as I understand the AWS AppSync security concept designates the auth model API_KEY to usage in either public applications or development environments.
Unauthenticated APIs require more strict throttling than authenticated APIs. One way to control throttling for unauthenticated GraphQL endpoints is through the use of API keys.
An API key is a hard-coded value in your application that is generated by the AWS AppSync service when you create an unauthenticated GraphQL endpoint.
I do not think that there is any benefit in trying to hide an API key. If authentication is required, it must be provided by other means than a hard-coded secret which is always extractable from public apps (such as web frontends).
There are more auth models described in the docs. [1]
If you are planning to develop an app with private endpoints and a public frontend/client, you should definitely use another auth model - most likely OPENID_CONNECT or AMAZON_COGNITO_USER_POOLS.
I think you should first read the AWS blog post titled GraphQL API Security with AWS AppSync and Amplify [2] and afterwards stating your question more precisely if any lack of clarity should remain.
References
[1] https://docs.aws.amazon.com/appsync/latest/devguide/security.html#api-key-authorization
[2] https://aws.amazon.com/de/blogs/mobile/graphql-security-appsync-amplify/
I already have a heavy user table in an existed website and server doesn't host in AWS.
I wanna use AWS Cognito for a mobile app of this site. So, need to check my server first when login/sign in.
But many blogs and examples look like only for serverless service.
I saw Accessing Server-side Resources after Sign-in. But this access server after getting token.
I saw Adding a User Pool Lambda Trigger. But not sure this can fit with my case.
I know I need to test these things first.
But just I wanna get some advice in here first.
So, Please give me advice.
Thanks.
you can do one thing, you can use cognito in application using aws-sdk which will do signin/singup
add trigger of cognito add save data to dynamo DB table or you can send data your database also.
another case if like you can add trigger, it will check for in both cognito and login your table to having user info and then allow the sign in.
OR
You can import your user data to cognito.
We have an enterprise web application implemented based on Spring-Security for authentication/authorization. This application is currently deployed on-premises on client side and usually we connect it to existing AD/LDAP systems.
Now we'd like to setup this web application within Amazon AWS for demo purposes. Therefore we need a kind of an user access frontend, where users can register and as soon as an admin approved this, the user should have access to the webapp ui. In addition a simple analytics layer is needed, to see some information about the user access.
It is important to have this "frontend" (could be a simple website based on a CMS like WordPress) just to explain the demo, to have the user registration functionality and the analytics layer. We explicitly don't want to include this in the existing web application, so it must be decoupled from each other.
What could be the right approach to setup such an environment? I just need the right direction to dig into the topics.
After a first research, we see that Amazon Cognito could be the right backend service for user data management. But we don't see "an easy way" to enable a simple frontend as described above (e.g. I didn't find a wordpress plugin to connect wordpress user data management with Apache Cognito). Also on the backend side I haven't find useful information how to integrate Apache Cognito with Spring Security.
If you are looking for a simple frontend we launched a new feature which gives you basic signup/login pages for your user pool.