-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signed URLs for tiles endpoint and ipyleaflet tile viewer #603
Conversation
@banesullivan and I discussed this offline, and we decided to change this approach to utilize presigned URLs, as including the entire auth token in the URL presents big security vulnerabilities. We came across this package, which seems to implement exactly what we're looking for. If nothing else it's a good starting point. |
To mitigate these concerns, I added a new At present, I only enable this functionality for the tiles endpoint and I think it should remain an opt-in feature. That way if someone gets ahold of a signature with malicious intent, they cannot use it to access any POST endpoints. @mcovalt, would you please review? |
809efa9
to
dd445ae
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good!
signer = UserSigner() | ||
signature = signer.sign(user=self.request.user) | ||
param = getattr(settings, 'RGD_SIGNED_URL_QUERY_PARAM', 'signature') | ||
return response.Response({param: signature}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it'd be good to include an expires_at
param here, indicating the unix timestamp this signature expires as. I'll open an issue so it can be addressed separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These changes enable support for embedding the authentication token as a query parameter. This is for use cases where we want to "pre-sign" a URL for handing off to 3rd party software. Specifically, this is for the use case of generating a pre-signed tile URL for an image so that we can visualize it interactively with
ipyleafelt
.@mvandenburgh and @AlmightyYakob, would you please review the changes to the authentication and python client?
Here is an example with a new helper method in the
rgd_imagery_client
: