I am new to writing Rails and APIs. I need some help with an S3 storage solution. Here's my problem.
I am writing an API for an iOS app where the users log in with the Facebook API on iOS. The server validates the user against the token Facebook issues to the iOS user and issues a temporary session token. From this point the user needs to download content that is stored in S3. This content only belongs to the user and a subset of his friends. This user can add more content to S3 which can be accessed by the same bunch of people. I guess it is similar to attaching a file to a Facebook group...
There are 2 ways a user can interact with S3... leave it to the server or get the server to issue a temporary S3 token (not sure of the possibilities here) and the user can hit up on the content URLs directly to S3. I found this question talking about the approaches, however, it is really dated (2 yrs ago): Architectural and design question about uploading photos from iPhone app and S3
So the questions:
Apologies for multiple questions and I appreciate any insight into the problem. Thanks :)
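Using the aws-sdk gem, you can get a temporary signed URL for any S3 object by calling url_for:

```ruby
require 'aws-sdk' # aws-sdk v1 API (AWS::S3)

s3 = AWS::S3.new(
  :access_key_id     => '1234', # placeholder credentials
  :secret_access_key => 'abcd'
)
object = s3.buckets['bucket'].objects['path/to/object']
# Signed GET URL for this one object; 20.minutes needs ActiveSupport (Rails)
object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s
```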
This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.
If you have lots of objects the client needs, you'll need to issue lots of signed URLs.
> Or should I let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?
Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.
API docs from Amazon: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
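
As an added illustration (not code from the answer or from the aws-sdk gem), this sketch shows what the server's role reduces to: an authorization check followed by signing, using the query-string authentication scheme (Signature Version 2) documented at the link above. The ACL table, user names, credentials and `url_valid?` (a stand-in for the check the storage side performs) are constructed assumptions, and the object key is assumed to need no URL encoding.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample data: placeholder credentials and a hypothetical ACL
# mapping each object key to the user ids allowed to read it.
ACCESS_KEY = 'AKIDEXAMPLE'
SECRET_KEY = 'example-secret'
BUCKET     = 'bucket'
ACL = { 'groups/42/photo.jpg' => %w[alice bob] }.freeze

# HMAC-SHA1 over the string-to-sign for a request with no Content-MD5,
# Content-Type or x-amz-* headers (hence the empty lines).
def signature(verb, key, expires)
  string_to_sign = "#{verb}\n\n\n#{expires}\n/#{BUCKET}/#{key}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', SECRET_KEY, string_to_sign))
end

# Server side: authorize the session's user first, then hand out a URL
# that is valid for this one object until `expires` (Unix time).
def signed_url_for(user, key, now: Time.now.to_i, ttl: 20 * 60)
  return nil unless ACL.fetch(key, []).include?(user)
  expires = now + ttl
  sig = URI.encode_www_form_component(signature('GET', key, expires))
  "https://#{BUCKET}.s3.amazonaws.com/#{key}?AWSAccessKeyId=#{ACCESS_KEY}" \
    "&Expires=#{expires}&Signature=#{sig}"
end

# Stand-in for the storage-side check: recompute the signature from the
# request as received and reject expired or altered URLs.
def url_valid?(url, now: Time.now.to_i)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  expires = params['Expires'].to_i
  return false if now > expires
  expected = signature('GET', uri.path.sub(%r{\A/}, ''), expires)
  OpenSSL.secure_compare(expected, params['Signature'].to_s)
end
```

Because the object path and the expiry are both inside the signed string, changing either one in the URL invalidates the signature, which is why each object needs its own signed URL.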