How to store data in S3 and allow user access in a secure way with rails API / iOS client?

Question

I am writing an API for an iOS app where the user's login with the Facebook API on iOS. The server validates the user against the token Facebook issues to the iOS user and issues a temporary Session Token. From this point, the user needs to download content that is stored in S3. This content only belongs to the user and a subset of his friends. This user can add more content to S3 which can be accessed by the same bunch of people. I guess it is similar to attaching a file to a Facebook group...

There are 2 ways a user can interact with S3... leave it to the server or get the server to issue a temporary S3 token (not sure of the possibilities here) and the user can hit upon the content URLs directly to S3.

So the questions:

• Is there a way to limit a user to access only some content on S3 when a temporary token is issued? How can I do this? Assume there's... say 100,000 or more users.
• Is it a good idea to let the iOS device pull this content out directly?
• Or should let the server control all content passing (this solves the security of course)? Does this mean I have to download all content to the server before handing it down to the connected users?
• If you know rails... can I use paperclip and aws-sdk gems to achieve this kinda setup?

 

Answer 1

You can get temporary signed URL for any S3 object by calling url_for by using the aws-sdk gem:

s3 = AWS::S3.new(

  :access_key_id => 1234,

  :secret_access_key => abcd

)

object = s3.buckets['bucket'].objects['path/to/object']

object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s

This only provides a temporary URL for only that in S3. It will expire after 20 minutes, and you can use it only for that particular object.

For more information on these APIs check out this:

API docs from Amazon: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth