
How to set up Filestack security for uploading images?

I have been trying to set up basic security for Filestack image uploading.

From its documentation https://www.filestack.com/docs/security/create-policy, I need to generate a Hash Message Authentication Code, and I am not sure what to do next, and there isn't a good example there.

With the API key used on the client side, anyone can use it to upload images to my Filestack storage or Amazon S3. How do I set up Filestack security for uploading images from my domain?

rattanak asked Sep 10 '25 00:09


2 Answers

In order to use security with Filestack, you need to first obtain your secret key from the Filestack developer portal. Do not expose this key; unlike your API key, it should not be public.

When you need to perform a Filestack action, a policy should be generated in a function that is not exposed to the user.

For example, if I needed to read a secured Filestack link,

https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D

I need to append a valid policy and signature to it.

Here is a bit of Python code that will generate a policy and signature for the file with handle = KW9EJhYtS6y48Whm2S6D:

# Python Example (Python 3)
import hmac
import hashlib
import base64

json_policy = '{"handle":"KW9EJhYtS6y48Whm2S6D","expiry":1508141504}'
# base64 and hmac work on bytes in Python 3, so encode the JSON first
policy = base64.urlsafe_b64encode(json_policy.encode('utf-8')).decode('ascii')
print(policy)
print()

secret = 'Z3IYZSH2UJA7VN3QYFVSVCF7PI'  # your app secret; keep it server-side
# the signature is HMAC-SHA256 over the base64-encoded policy string, as hex
print(hmac.new(secret.encode('utf-8'), policy.encode('ascii'), hashlib.sha256).hexdigest())

The output will be a policy and signature you can use to access the file:

https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D?signature=4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18&policy=eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=

Andrew Mione answered Sep 12 '25 15:09


You need to generate the signature in a secure place, like a backend, a lambda function, or something similar.

If you're working with Node, here is an example of how to create and use the policy and signature.

const crypto = require('crypto'); // built-in Node module
// placeholder: load the app secret from server-side configuration, never from client code
const YOUR_SECRET_HERE = process.env.FILESTACK_APP_SECRET;
let policyObj = {
    // expiry is a Unix timestamp in seconds (Date.now() is milliseconds); here 36000 s = 10 hours from now
    expiry: Math.floor(Date.now() / 1000) + 36000,
    call: ['read', 'convert'],
};
let policyString = JSON.stringify(policyObj);
let policy = Buffer.from(policyString).toString('base64');
let signature = crypto.createHmac('sha256', YOUR_SECRET_HERE).update(policy).digest('hex');

You could wrap this in a function with more validations to use it in different places in your codebase, or you could use a package like filestack-policy.

The final URL should be in this format:

https://cdn.filestackcontent.com/bfTNCigRLq0QMOrsFKzb?policy=<POLICY>&signature=<SIGNATURE>

or this format if you use Filestack storage aliases:

https://cdn.filestackcontent.com/APIKEY/security=p:<policy>,signature:<signature>/src://STORAGE-ALIAS/PATH-TO-YOUR-FILE

mshjri answered Sep 12 '25 14:09
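Both answers show the same two steps (base64-encode a JSON policy, then HMAC-SHA256 the encoded string with the app secret) and between them two URL forms. The following is an added example, not code from either answer or from Filestack: it puts the generation behind one function that only uses the policy fields the answers show (handle, expiry, call), adds the server-side check you would want before trusting a policy/signature pair handed back to you (constant-time signature comparison, then expiry enforcement), and builds both URL shapes. The handle and secret are the first answer's sample values; APP_SECRET must be replaced with your own and must stay on the server.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Sample values only (taken from the first answer's illustration).
# Replace APP_SECRET with the secret from your own Filestack developer
# portal and never ship it to the browser.
APP_SECRET = "Z3IYZSH2UJA7VN3QYFVSVCF7PI"
FILE_HANDLE = "KW9EJhYtS6y48Whm2S6D"


def encode_policy(policy: dict) -> str:
    """Compact JSON (no spaces) then URL-safe base64, matching the Python answer's input."""
    raw = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def sign_policy(policy_b64: str, secret: str) -> str:
    """HMAC-SHA256 over the *encoded* policy string, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), policy_b64.encode("ascii"),
                    hashlib.sha256).hexdigest()


def create_policy(secret: str, expiry: int, handle: Optional[str] = None,
                  call: Optional[list] = None) -> tuple:
    """Build, encode and sign a policy.
    expiry is a Unix timestamp in seconds; handle restricts the policy to one
    file; call lists the actions allowed (e.g. ['read', 'convert'])."""
    policy = {}
    if handle is not None:
        policy["handle"] = handle
    policy["expiry"] = expiry
    if call:
        policy["call"] = call
    policy_b64 = encode_policy(policy)
    return policy_b64, sign_policy(policy_b64, secret)


def verify_policy(policy_b64: str, signature: str, secret: str,
                  now: Optional[int] = None) -> Optional[dict]:
    """Server-side check of a policy/signature pair before trusting it:
    constant-time signature comparison first, then decode and enforce expiry.
    Returns the policy dict when valid, None otherwise."""
    expected = sign_policy(policy_b64, secret)
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        policy = json.loads(base64.urlsafe_b64decode(policy_b64).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(policy, dict):
        return None
    now = int(time.time()) if now is None else now
    expiry = policy.get("expiry")
    if not isinstance(expiry, int) or expiry <= now:
        return None
    return policy


def file_url(handle: str, policy_b64: str, signature: str) -> str:
    """URL form from the first answer."""
    return (f"https://www.filestackapi.com/api/file/{handle}"
            f"?signature={signature}&policy={policy_b64}")


def alias_url(api_key: str, alias: str, path: str,
              policy_b64: str, signature: str) -> str:
    """Storage-alias URL form from the second answer."""
    return (f"https://cdn.filestackcontent.com/{api_key}"
            f"/security=p:{policy_b64},signature:{signature}/src://{alias}/{path}")


if __name__ == "__main__":
    expiry = int(time.time()) + 3600  # one hour from now, in seconds
    p, s = create_policy(APP_SECRET, expiry, handle=FILE_HANDLE, call=["read", "convert"])
    print(file_url(FILE_HANDLE, p, s))
    print("valid:", verify_policy(p, s, APP_SECRET) is not None)
```

The expiry check in verify_policy is what actually limits the damage of a leaked policy: a policy with a short expiry and a single handle is only useful for that file for that window, whereas a policy without a handle and with a far-future expiry is nearly as good as the secret itself. Note that the signature is computed over the encoded string, so the signer and the verifier must both sign exactly the base64 text that travels in the URL.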