This service provides authenticated access to a static website hosted in an s3 bucket.

website-openid-proxy

This service provides OpenID authenticated access to a static website hosted in an s3 bucket.

It is designed to be a simple way to add authentication to static websites stored in AWS S3.

This service uses AWS API Gateway HTTP APIs and is powered by AWS Lambda.

How it works

ArchitectureDiagram

  1. Each request to the site checks for a session cookie prior to returning a response. If a user accesses the site for the first time users they are redirected to the OpenID provider.
  2. User authenticates with the OpenID provider and is redirected back to the website as per the OAuth 2.0 Authorization Code Grant Type.
  3. After authentication occurs the users info is retrieved, this includes sub and email, both of these are saved to the users session and logged when accessing content. PKCE is used to add an extra layer of verification for this exchange.
  4. Uses the API Gateway version 2 format which includes support for cookies, this is translated to normal HTTP requests using apex/gateway.
  5. GET requests are translated into GetObject requests which retrieve objects from the S3 bucket using wolfeidau/echo-s3-middleware. All these requests pass through the service.
  6. The secret used to sign session cookies is stored in AWS Secrets Manager.

Cookies

This service uses two cookies to manage state, these are both signed using gorilla/securecookie with a secret generated by AWS Secrets Manager. Both cookies are also marked as secure and httpOnly in line with best practices.

For reference these cookies are:

  • proxy_auth_session is used to store the oauth2 state variable during authentication and has an expiry of 5 minutes.
  • proxy_login_session is used to check your logged in during the life of your session, this has an expiry of 8 hours.

Goals

  1. Provide a simple authentication access to static websites hosted in s3.
  2. Utilise AWS lambda and API Gateway to enable low cost hosting.
  3. Take advantage of the rate limiting provided by AWS API Gateway to ensure access isn't possible using brute force attacks.
  4. Use existing opensource libraries to provide secure access via cookies.
  5. Support OpenID authentication of users accessing the site.

Deployment

You will need the following tools.

Also an aws profile setup with your aws credentials.

Create an OpenID application in a service such as Okta.

Create an .envrc file using direnv.

#!/bin/bash

export AWS_PROFILE=wolfeidau
export AWS_DEFAULT_PROFILE=wolfeidau
export AWS_REGION=ap-southeast-2

# these are provided by your OpenID provider 
export CLIENT_ID=xxxxxxxxx
export CLIENT_SECRET=xxxxxxxxx
export ISSUER=https://dev-xxxxxx.okta.com

export HOSTED_ZONE_ID=XXXXXXXXXX

# results in $SUBDOMAIN_NAME.$HOSTED_ZONE_NAME or something.wolfe.id.au
export HOSTED_ZONE_NAME=wolfe.id.au
export SUBDOMAIN_NAME=something

Run make.

make

TODO

License

This application is released under Apache 2.0 license and is copyright Mark Wolfe.

Similar Resources

Authenticated encrypted API tokens (IETF XChaCha20-Poly1305 AEAD) for Golang

branca.go is branca token specification implementation for Golang 1.15+.

Dec 26, 2022

Self-hosted video-hosting website and video archival manager for Niconico, Bilibili, and Youtube

Self-hosted video-hosting website and video archival manager for Niconico, Bilibili, and Youtube

Self-hosted video-hosting website and video archival manager for Niconico, Bilibili, and Youtube

Jan 1, 2023

This is my personal website, hosted on GitHub Pages

astrophena.name This is my personal website, hosted on GitHub Pages. Serving locally You need the latest Go and Node.js installed.

Nov 16, 2022

Opinionated boilerplate Golang HTTP server with CORS, OPA, Prometheus, rate-limiter for API and static website.

Opinionated boilerplate Golang HTTP server with CORS, OPA, Prometheus, rate-limiter for API and static website.

Teal.Finance/Server Opinionated boilerplate HTTP server with CORS, OPA, Prometheus, rate-limiter… for API and static website. Origin This library was

Nov 3, 2022

A local server with real-time reload function designed for static website preview or development

中文 | English 📝 介绍 reserver 是一款为静态网站预览或开发设计的具有实时重新加载功能的本地服务器。 其主要运用场景为: 单页应用的预览(例如Vue编译之后的项目不可以直接通过file://协议进行访问) 具有ajax请求的页面(因浏览器安全限制,默认禁止file://协议进行

Aug 23, 2022

Opinionated boilerplate Golang HTTP server with CORS, OPA, Prometheus, rate-limiter for API and static website.

Opinionated boilerplate Golang HTTP server with CORS, OPA, Prometheus, rate-limiter for API and static website.

Teal.Finance/Garcon Opinionated boilerplate HTTP server with CORS, OPA, Prometheus, rate-limiter… for API and static website. Origin This library was

Nov 3, 2022

Vela plugin designed for generating a static documentation website with Hugo.

Vela plugin designed for generating a static documentation website with Hugo.

Jul 22, 2022

The full power of the Go Compiler directly in your browser, including a virtual file system implementation. Deployable as a static website.

The full power of the Go Compiler directly in your browser, including a virtual file system implementation. Deployable as a static website.

Static Go Playground Features Full Go Compiler running on the browser. Supports using custom build tags. Incremental builds (build cache). Supports mu

Jun 16, 2022

Access my website from the terminal with SSH!

Access my website from the terminal with SSH!

daniel.is-a.dev (ssh version) What is this? I built a SSH server written in Golang that lets you basically view my website all from the terminal. You

Nov 11, 2022

rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.

rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org     account access, and private resources.

rpCheckup - Catch AWS resource policy backdoors like Endgame rpCheckup is an AWS resource policy security checkup tool that identifies public, externa

Dec 26, 2022

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API

Heimdall Heimdall is inspired by Ory's OAthkeeper, tries however to resolve the functional limitations of that product by also building on a more mode

Jan 6, 2023

Efficient token-bucket-based rate limiter package.

ratelimit -- import "github.com/juju/ratelimit" The ratelimit package provides an efficient token bucket implementation. See http://en.wikipedia.org/w

Dec 29, 2022

A Golang blocking leaky-bucket rate limit implementation

Go rate limiter This package provides a Golang implementation of the leaky-bucket rate limit algorithm. This implementation refills the bucket based o

Jan 2, 2023

An idiomatic Go implementation of Leaky bucket.

lbucket lbucket is an idiomatic Go leaky bucket implementation. The library make use of plain old Go stdlib; in other words, there are no third-party

Apr 17, 2022

Bucket-ssh. A fuzzy ssh manager for managing and categorizing ssh connections.

Bucket-ssh. A fuzzy ssh manager for managing and categorizing ssh connections.

Bssh is an ssh bucket for categorizing and automating ssh connections. Also, with parallel command execution and connection checks(pings) over categories (namespaces).

Oct 25, 2022

concurrent map implementation using bucket list like a skip list.

Skip List Map in Golang Skip List Map is an ordered and concurrent map. this Map is goroutine safety for reading/updating/deleting, no-require locking

Oct 8, 2022

Empty an S3 bucket as fast as possible 💨

s3-destroyer Iteratively calls ListObjects, add objects keys to a buffer and calls DeleteObject in goroutines. Usage -access-key string s3 a

Dec 13, 2021

Go REST API - Bucket list - built with go-chi, Docker, and PostgreSQL

Go REST API - Bucket list - built with go-chi, Docker, and PostgreSQL Requirements Docker and Go golang-migrate/migrate Usage Clone the repository wit

Dec 14, 2021

Notify messages from gcs bucket objects to slack

Notify to Slack Notify message to slack from gcs storage file. Deploy $ gcloud functions deploy notify_to_slack \ --entry-point NotifyToSlack \

Oct 5, 2021
Comments
  • feat(security): secure all cookies with signing

    feat(security): secure all cookies with signing

    • removed a heap of duplicate cookie handling code in favour of an existing library
    • reduced a bit of sprawl that happens when I get super keen
    • tightend up cleanup and expiry of cookies
  • chore(deps): bump github.com/labstack/echo/v4 from 4.1.17 to 4.9.0

    chore(deps): bump github.com/labstack/echo/v4 from 4.1.17 to 4.9.0

    Bumps github.com/labstack/echo/v4 from 4.1.17 to 4.9.0.

    Release notes

    Sourced from github.com/labstack/echo/v4's releases.

    v4.9.0

    Security

    • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260

    Enhancements

    • Allow configuring ErrorHandler in CSRF middleware #2257
    • Replace HTTP method constants in tests with stdlib constants #2247

    v4.8.0

    Most notable things

    You can now add any arbitrary HTTP method type as a route #2237

    e.Add("COPY", "/*", func(c echo.Context) error 
      return c.String(http.StatusOK, "OK COPY")
    })
    

    You can add custom 404 handler for specific paths #2217

    e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })
    

    g := e.Group("/images") g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

    Enhancements

    • Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #2127
    • Refactor: body_limit middleware unit test #2145
    • Refactor: Timeout mw: rework how test waits for timeout. #2187
    • BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #2191
    • Refactor: duplicated findStaticChild process at findChildWithLabel #2176
    • Allow different param names in different methods with same path scheme #2209
    • Add support for registering handlers for different 404 routes #2217
    • Middlewares should use errors.As() instead of type assertion on HTTPError #2227
    • Allow arbitrary HTTP method types to be added as routes #2237

    v4.7.2

    Fixes

    • Fix nil pointer exception when calling Start again after address binding error #2131
    • Fix CSRF middleware not being able to extract token from multipart/form-data form #2136
    • Fix Timeout middleware write race #2126

    Enhancements

    ... (truncated)

    Changelog

    Sourced from github.com/labstack/echo/v4's changelog.

    v4.9.0 - 2022-09-04

    Security

    • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260

    Enhancements

    • Allow configuring ErrorHandler in CSRF middleware #2257
    • Replace HTTP method constants in tests with stdlib constants #2247

    v4.8.0 - 2022-08-10

    Most notable things

    You can now add any arbitrary HTTP method type as a route #2237

    e.Add("COPY", "/*", func(c echo.Context) error 
      return c.String(http.StatusOK, "OK COPY")
    })
    

    You can add custom 404 handler for specific paths #2217

    e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })
    

    g := e.Group("/images") g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

    Enhancements

    • Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #2127
    • Refactor: body_limit middleware unit test #2145
    • Refactor: Timeout mw: rework how test waits for timeout. #2187
    • BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #2191
    • Refactor: duplicated findStaticChild process at findChildWithLabel #2176
    • Allow different param names in different methods with same path scheme #2209
    • Add support for registering handlers for different 404 routes #2217
    • Middlewares should use errors.As() instead of type assertion on HTTPError #2227
    • Allow arbitrary HTTP method types to be added as routes #2237

    v4.7.2 - 2022-03-16

    Fixes

    • Fix nil pointer exception when calling Start again after address binding error #2131
    • Fix CSRF middleware not being able to extract token from multipart/form-data form #2136
    • Fix Timeout middleware write race #2126

    ... (truncated)

    Commits
    • 16d3b65 Changelog for 4.9.0
    • 0ac4d74 Fix #2259 open redirect vulnerability in echo.StaticDirectoryHandler (used by...
    • d77e8c0 Added ErrorHandler and ErrorHandlerWithContext in CSRF middleware (#2257)
    • 534bbb8 replace POST constance with stdlib constance
    • fb57d96 replace GET constance with stdlib constance
    • d48197d Changelog for 4.8.0
    • cba12a5 Allow arbitrary HTTP method types to be added as routes
    • a327884 add:README.md-Third-party middlewares-github.com/go-woo/protoc-gen-echo
    • 61422dd Update CI-flow (Go 1.19 +deps)
    • a9879ff Middlewares should use errors.As() instead of type assertion on HTTPError
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

Stash is a locally hosted web-based app written in Go which organizes and serves your porn.

Stash is a locally hosted web-based app written in Go which organizes and serves your porn.

Jan 2, 2023
Resize upladed images to s3 bucket with given sizes, and uploades new images back to bucket

Features Resize upladed images to s3 bucket with given sizes, and uploades new images back to bucket Environment Variables IMAGE_SIZES - formax 200x20

Feb 2, 2022
Convert JPEG images from S3 bucket to BMP, GIF, PNG into another bucket
Convert JPEG images from S3 bucket to BMP, GIF, PNG into another bucket

aws-lambda Convert JPEG images from S3 bucket to BMP, GIF, PNG into another bucket Setup two buckets jpeg-images for source jpeg images converted-jpeg

Feb 13, 2022
Put a web archive (WARC) on an S3 bucket suitable for hosting with S3 Website Hosting.

warc-to-s3 This is a small Go application that consumes a WARC file ( using slyzrc/warc) and puts it on S3 suitable for serving with S3 Website Hostin

Jan 6, 2022
serve a static website as a .onion hidden service

hidden service server A CLI that will host a static website as a .onion hidden service. Comes with an additional binary that can be used to generate v

Sep 4, 2022
GoatCounter is an open source web analytics platform available as a hosted service or self-hosted app

GoatCounter is an open source web analytics platform available as a hosted service (free for non-commercial use) or self-hosted app. It aims to offer easy to use and meaningful privacy-friendly web analytics as an alternative to Google Analytics or Matomo.

Dec 29, 2022
Ratelimit - This package provides a Golang implementation of the leaky-bucket rate limit algorithm

Go rate limiter This package provides a Golang implementation of the leaky-bucke

Jul 26, 2022
:key: Secure alternative to JWT. Authenticated Encrypted API Tokens for Go.

branca branca is a secure alternative to JWT, This implementation is written in pure Go (no cgo dependencies) and implements the branca token specific

Dec 29, 2022
Package gorilla/securecookie encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.

securecookie securecookie encodes and decodes authenticated and optionally encrypted cookie values. Secure cookies can't be forged, because their valu

Dec 26, 2022
Authenticated and encrypted API tokens using modern crypto

Branca Token Authenticated and encrypted API tokens using modern crypto. What? Branca is a secure, easy to use token format which makes it hard to sho

Dec 25, 2022