alxfyv Posted February 19, 2021 (edited)

Site URL: https://familyhistoryconferencenwa.org

The Current Situation

My Squarespace website uses client-side, custom JavaScript and jQuery injected into the Head section of a page, as well as the Amazon Web Services Command Line Interface SDK. The custom JS, the jQuery and JS libraries, and the SDK are loaded into the page Head each time the page is loaded.

That Is Objectionable

The SDK uses two predetermined, static handshake credentials to connect to the AWS server. They are stored in a file, "credentials", in a hidden directory, .aws, created by the SDK when it first loads. At that point, however, they have no values. I've been setting them in client-side/browser-side source code.

The Situation Exposes Supposedly Secret AWS Login Credentials To A Potential Hack

I have been setting their values programmatically when the page loads by executing a CLI "updateConfig" command in the custom JS. The credential values are thus in a plain-text config file client-side. As such, they are not so secret. Any site visitor who loads the page in his browser could use the browser's developer tools to view the source code and, potentially, discover the supposedly secret credentials, thus compromising the security of the AWS account.

One Ought Not Put The Secret Credentials In Client-side JS

AWS wants me not to put the credentials in client-side source code. I think the preferred method is to instantiate the SDK on the server side and set the credentials one time only. Thereafter, the hidden .aws directory and the credentials file persist server-side at the root level of the website's Home Directory.

The Problem

So the problem is how to load the SDK in the server-side Home Directory where it will persist over the site's lifetime.

The Question

Two questions are:

1) On a Squarespace website, can one load the SDK server-side at the root level of the site's Home Directory? Can it be done in Developer Mode? How?

2) Is my understanding incorrect? Is there a way to do everything client-side/browser-side and yet maintain the secrecy of the security codes?

Edited February 21, 2021 by alxfyv: add a second question; rephrase the body of the post

I'm a retired attorney who was asked by a friend to build a website. In a prior lifetime, in a galaxy far, far away and long, long ago, I was a computer systems analyst / programmer. I'm a novice autodidact in CSS, JavaScript and HTML, learning in part by example. I've asked questions on this forum and been lucky enough to have others help me, so I'm inclined to answer any question I can. Pay it forward.
alxfyv Posted February 21, 2021 (Author; marked as Solution)

I posted this question on StackOverflow and received the following answer from Brandon.

You can't add server-side code. Server-side code is handled by a server, not by a browser, and includes:

- PHP
- Ruby
- Ruby on Rails
- SQL

That would also include server-side JavaScript/Node. Because Squarespace only supports the front-end addition of HTML, CSS and JavaScript within Code Injection, Code Blocks, and Developer Mode, you need to use front-end JavaScript in order to utilize third-party APIs (which is what you're doing currently). Enabling Developer Mode only exposes template files for the site. Beyond the JSON-T templating engine, Developer Mode doesn't enable any sort of server-side logic or requests to take place. Therefore, it seems the answer to your question is no.

A potential alternative solution may be to use Google Apps Script or Google Cloud Functions instead, storing the credentials in the code there, and making a front-end request (via JavaScript on your website) to that endpoint in order to perform the handshake and get back the data you need.