secret links. You should only be able to access them when you're logged in. If you manage to access this link while logged out, please contact me and tell me how.
For anyone who has some time and experience on their hands, it'd be awesome to get some help making this thing work. I don't expect anyone to help for free, so I'm sure we can work something out compensation-wise. If you read this and are willing, ready and able to help out, please contact me.
As you should already know, I'm trying to create a mobile and web app. I chose AWS because... why not??
I've created this dummy radsig.com address to test out AWS services beforehand so that I don't do anything too stupid. I've stumbled myself this far, but it'd be great if any of you could review my architecture and provide insight or tips to improve it. Here's what I have so far:
The initial system will just be static content, with users registering and donating/paying to access that content. I'm using Cognito for accounts and identity management, and S3 for hosting the content. S3 only supports HTTP, which is a no-no for authentication, so I'm using CloudFront to get HTTPS, and just used Certificate Manager to obtain SSL certificates. I also have Route 53 providing the DNS.
For donations/payments, I'm using Stripe and Lambda. I'm using these because I have long-term goals for tier services which Stripe should support well.
What you're seeing here is everything except payments. You should be able to register, login, logout and use the forgot password form. All files are stored in a single S3 bucket, which has public permissions for everything except the secret directory.
Once a user has authenticated, a Lambda function is invoked to obtain signed cookies to access the secret directory in the main radsig.com S3 bucket. The Lambda function can only be invoked by users who have sufficient permission, which is granted by logging in with Cognito.
I noticed that the secret/mine.html file is cached, so it can still be accessed after logging out. That's fine, since it assumes someone already logged in, right? Since I'm not saving sensitive customer data, no one should be upset, but I know there has to be a better way to get this working so that they can't access sensitive data after logging out. Any tips?
Also, I can't figure out how to get proper redirection for radsig.com to www.radsig.com. Since the signed cookies require a full base URL, and I can't seem to get multiple URLs working, users still get an Access Denied error when trying to access https://radsig.com/secret/mine.html, but https://www.radsig.com/secret/mine.html works. If anyone can help shed light on the proper combination of Route 53, CloudFront and S3 configuration, ideally using aws-cloudfront-sign in Lambda for signing cookies, please let me know.
With payments, the goal is to grant additional S3 permissions to paying customers. I think I should be able to do this through Lambda when payments are made through Stripe. Does this seem reasonable? Then paying customers will be able to access all the cool stuff.
So the overall architecture for the initial system is basically one massive S3 bucket, with content split between directories, and users gaining access to increasingly cool content by:
There's no way I have everything right, so please please please help me not make a massive blunder. Thanks for any and all help!!
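The signed-cookie flow and the host mismatch described above (cookies signed for www.radsig.com being rejected on radsig.com), as an added example that is not the author's Lambda code or the aws-cloudfront-sign API: it builds a CloudFront custom policy with Node's crypto module and checks it with a simplified local model of the edge check. The throwaway key pair, `EXAMPLE_KEY_PAIR_ID`, the 900-second lifetime and the names `signCookies` and `wouldAllow` are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// CloudFront's cookie-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfEncode = (buf) => buf.toString('base64')
  .replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const cfDecode = (str) => Buffer.from(
  str.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64');

// Build the three cookies for a custom policy on one Resource pattern.
function signCookies({ resource, keyPairId, privateKey, ttlSeconds, nowMs = Date.now() }) {
  const expires = Math.floor(nowMs / 1000) + ttlSeconds;
  // JSON.stringify emits compact JSON; the policy must contain no whitespace.
  const policy = JSON.stringify({ Statement: [{
    Resource: resource,
    Condition: { DateLessThan: { 'AWS:EpochTime': expires } },
  }] });
  const signature = crypto.createSign('RSA-SHA1').update(policy).sign(privateKey);
  return {
    'CloudFront-Policy': cfEncode(Buffer.from(policy)),
    'CloudFront-Signature': cfEncode(signature),
    'CloudFront-Key-Pair-Id': keyPairId,
  };
}

// Local stand-in for the edge check: valid signature, not expired, URL matches.
// Simplified model (assumption): only the '*' wildcard is handled.
function wouldAllow(cookies, url, publicKey, nowMs = Date.now()) {
  const policyJson = cfDecode(cookies['CloudFront-Policy']).toString();
  const sigOk = crypto.createVerify('RSA-SHA1').update(policyJson)
    .verify(publicKey, cfDecode(cookies['CloudFront-Signature']));
  const { Resource, Condition } = JSON.parse(policyJson).Statement[0];
  const pattern = new RegExp('^' + Resource.split('*')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$');
  const fresh = Math.floor(nowMs / 1000) < Condition.DateLessThan['AWS:EpochTime'];
  return sigOk && fresh && pattern.test(url);
}

// Constructed demo values: throwaway key pair and a placeholder key pair ID.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoCookies = signCookies({
  resource: 'https://www.radsig.com/secret/*',
  keyPairId: 'EXAMPLE_KEY_PAIR_ID',
  privateKey: demoKeys.privateKey,
  ttlSeconds: 900, // short lifetime limits how long cookies work after logout
});
console.log(wouldAllow(demoCookies, 'https://www.radsig.com/secret/mine.html', demoKeys.publicKey));
console.log(wouldAllow(demoCookies, 'https://radsig.com/secret/mine.html', demoKeys.publicKey));
```

The policy's `Resource` includes the host name, so cookies signed for the `www` host do not authorize the same path on the bare domain even when the browser sends them to both.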