Cloud API with JavaScript (Amazon, Azure)

Question

I'm researching a possibility of using some cloud storage directly from client-side JavaScript. However, I ran into two problems:

1. Security - the architecture is usually build on per cloud client basis, so there is one API key (for example). This is problematic, since I need a security per my user. I can't give the same API key to all my users.

2. Cross-domain AJAX. There are HTTP headers that browsers can use to be able to do cross domain requests, but this means that I would have to be able to set them on the cloud-side. But, the only thing I need for this to work is to be able to add a custom HTTP response header: Access-Control-Allow-Origin: otherdomain.com.

My scenario involves a lots of simple queue messages from JS client and I thought I would use cloud to get rid of this traffic from my main hosting provider. Windows Azure has this Queue Service part, which seems quite near to what I need, except that I don't know if these problems can be solved.

Any thoughts? It seems to me that JavaScript clients for cloud services are unavoidable scenarios in the near future.

So, is there some cloud storage with REST API that offers management of clients' authentication and does not give the API key to them?

Answer 1

Windows Azure Blob Storage has the notion of a Shared Access Signature (SAS) which could be issued on the server-side and is essentially a special URL that a client could write to without having direct access to the storage account API key. This is the only mechanism in Windows Azure Storage that allows writing data without access to the storage account key.

A SAS can be expired (e.g., give user 10 minutes to use the SAS URL for an upload) and can be set up to allow for canceling access even after issue. Further, a SAS can be useful for time-limited read access (e.g., give user 1 day to watch this video).

If your JavaScript client is also running in a browser, you may indeed have cross-domain issues. I have two thoughts - neither tested! One thought is JSONP-style approach (though this will be limited to HTTP GET calls). The other (more promising) thought is to host the .js files in blob storage along with your data files so they are on same domain (hopefully making your web browser happy).

The "real" solution might be Cross-Origin Resource Sharing (CORS) support, but that is not available in Windows Azure Blob Storage, and still emerging (along with other HTML 5 goodness) in browsers.

Answer 2

Yes you can do this but you wouldn't want your azure key available on the client side for the javascript to be able to access the queue directly.

I would have the javascript talking to a web service which could check access rights for the user and allow/disallow the posting of a message to the queue.

So the javascript would only ever talk to the web services and leave the web services to handle talking to the queues.

Its a little too big a subject to post sample code but hopefully this is enough to get you started.