I am trying to create a protected API endpoint in my Serverless REST API service using AWS API Gateway & AWS Lambda.
My client javascript app needs to send the valid API key to access this endpoint. How to store this on the client side?
Similar questions on 'protecting API keys on the client side' recommend creating a wrapper API on a middleware server that actually makes the protected API call with the valid API key, which apparently defeats the purpose of going serverless using Lambdas.
Appreciate some clear explanation on the concept.
This is a major problem with serverless applications. I have once used a middleware server with a CSRF implementation which hits the main API with the API key. However, that completely kills the concept of serverless.
The only way to hide the API keys is by not sending them in the request from the browser, and for that you need an extra middleware server.
It's better to use sessions than to rely on API keys. In some cases using keys can't be eliminated.
This is what the AWS Cognito service was designed to address. It allows clients (i.e. mobile devices) to exchange login details for short-lived AWS tokens (via the STS service) so that they can access AWS resources directly.
You can use this with the IAM Authorizer to force your users to have valid credentials, or you could use it with the Cognito User Pool Authorizer directly.
Note that Cognito has the idea of a default user, so that even unauthenticated users (i.e. pre-login) can access certain resources.
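As an added illustration of the approach in this answer (not code from the answerer or from AWS), here is a Node.js Lambda handler behind an API Gateway route that uses the Cognito User Pool authorizer or the IAM authorizer instead of a client-held API key. It assumes the REST API event shape, in which API Gateway places verified user pool claims under `event.requestContext.authorizer.claims` and, for IAM-authorized calls made with Cognito Identity credentials, the identity id under `event.requestContext.identity.cognitoIdentityId`; the sample events are constructed.

```javascript
// Added example: a Lambda handler that relies on API Gateway's Cognito-backed
// authorizers. A request with no valid short-lived token is rejected by the
// gateway before the function runs, so nothing long-lived has to live in the
// browser bundle. The handler still fails closed if no verified identity is
// present (e.g. the route was accidentally deployed without an authorizer).

function callerIdentity(event) {
  const ctx = (event && event.requestContext) || {};
  // Cognito User Pool authorizer: the verified JWT claims are exposed here.
  const claims = ctx.authorizer && ctx.authorizer.claims;
  if (claims && claims.sub) {
    return { kind: 'userpool', id: claims.sub, email: claims.email || null };
  }
  // IAM authorizer with Cognito Identity (STS) credentials: identity id is here.
  const identity = ctx.identity || {};
  if (identity.cognitoIdentityId) {
    return { kind: 'iam', id: identity.cognitoIdentityId, email: null };
  }
  return null;
}

// Builds the HTTP response; kept synchronous so it is easy to unit test.
function respond(event) {
  const who = callerIdentity(event);
  if (!who) {
    return { statusCode: 401, body: JSON.stringify({ error: 'no verified identity' }) };
  }
  // Authorization decisions key off the verified id, never a client-sent userId.
  return { statusCode: 200, body: JSON.stringify({ me: who.id, via: who.kind }) };
}

// Lambda entry point (set as the handler in serverless.yml / the console).
const handler = async (event) => respond(event);

// Browser side: send the short-lived Cognito ID token on each call; the gateway
// validates it, and the token expires on its own instead of being a static secret.
function authorizedRequest(url, idToken) {
  return { url, options: { method: 'GET', headers: { Authorization: idToken } } };
}

// Constructed sample event, as produced by a route using a user pool authorizer.
const sampleUserPoolEvent = {
  requestContext: { authorizer: { claims: { sub: 'user-123', email: 'a@example.com' } } },
};

if (typeof module !== 'undefined') {
  module.exports = { handler, respond, callerIdentity, authorizedRequest };
}
```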