In Squarespace Developer Mode, can one save the AWS CLI SDK to the website's server-side “Home” directory? If so, how?

[alxfyv]

Site URL: https://familyhistoryconferencenwa.org

The Current Situation

My Squarespace website uses client-side, custom JavaScript and JQuery injected into the Head section of a page as well as the Amazon Web Services Command Line Interface SDK. The custom JS, the JQuery and JS Libraries, and the SDK are loaded into the page Head each time the page is loaded.

That Is Objectionable

The SDK uses two predetermined, static, handshake credentials to connect to the AWS server. They are stored in a file, "credentials," in a hidden directory, .aws, created by the SDK when it first loads. At that point, however, they have no values. I've been setting them in client-side/browser-side source code.

The Situation Exposes Supposedly Secret AWS Login Credentials To A Potential Hack

I have been setting their values programmatically when the page loads by executing a CLI "updateConfig" command in the custom JS. The credential values are thus in a plain-text config file client-side.

As such, they are not so secret. Any site visitor who loads the page in his browser could use the browser's developer tools to view the source code and, potentially, discover the supposedly secret credentials thus compromising the security of the AWS account.

One Ought Not Put The Secret Credentials In Client-side JS

AWS wants me not to put the credentials in client-side source code. I think the preferred method is to instantiate the SDK on the server-side and set the credentials one time only. Thereafter, the hidden .aws directory and the credentials file persist server-side at the root level of the website's Home Directory.

The Problem

So the problem is how to load the SDK in the server-side Home Directory where it will persist over the site's lifetime.

The Question

Two questions are

1) On a Squarespace website, can one load the SDK server-side at the root level on the site's Home Directory. Can it be done in Developer Mode? How?

2) Is my understanding incorrect? Is there a way to do everything client-side/browser-side and yet maintain the secrecy of the security codes?

[alxfyv]

I posted this question on StackOverflow and received the following answer from Brandon.

You can't add server-side code. Server-side code is handled by a server, not by a browser, and includes: PHP Ruby Ruby on Rails SQL

That would also include server-side JavaScript/Node. Because Squarespace only supports the front-end addition of HTML, CSS and Javascript within Code Injection, Code Blocks, and Developer Mode, you need to use front-end JavaScript in order to utilize third-party APIs (which is what you're doing currently).

Enabling Developer Mode only exposes template files for the site. Beyond the JSON-T templating engine, Developer Mode doesn't enable any sort of server-side logic or requests to take place. Therefore, it seems the answer to your question is no.

A potential alternative solution may be to use Google Apps Script or Google Cloud Functions instead, storing the credentials in the code there, and making a front-end request (via JavaScript on your website) to that endpoint in order to perform the handshake and get back the data you need.