aws-serverless-auth-reference-app 正在参加 2021 年度 OSC 中国开源项目评选,请投票支持!
aws-serverless-auth-reference-app 在 2021 年度 OSC 中国开源项目评选 中已获得 {{ projectVoteCount }} 票,请投票支持!
2021 年度 OSC 中国开源项目评选 正在火热进行中,快来投票支持你喜欢的开源项目!
2021 年度 OSC 中国开源项目评选 >>> 中场回顾
aws-serverless-auth-reference-app 获得 2021 年度 OSC 中国开源项目评选「最佳人气项目」 !
授权协议 View license
开发语言 JavaScript
操作系统 跨平台
软件类型 开源软件
所属分类 云计算Serverless 系统
开源组织
地区 不详
投 递 者 首席测试
适用人群 未知
收录时间 2021-12-02

软件简介

SpaceFinder - Serverless Auth Reference App

SpaceFinder is a reference mobile app that allows users to book conference rooms, work desks, and other shared resources. The app showcases serverless authentication and authorization using the AWS platform.

The mobile front-end is built using the Ionic 3 framework and client libraries to call AWS services and mobile backend APIs. The backend APIs themselves are powered by AWS services. The backend APIs are built using a serverless architecture, which makes it easy to deploy updates, and it also means that there are no servers to operationally manage.

SpaceFinder is primarily developed and maintained by Jim Tran and Justin Pirtle, Solutions Architects at Amazon Web Services. The project code is released under the Apache 2.0 license. Please feel free to make use of the code in this project, and spread the word. We hope you enjoy it, and we certainly welcome all feedback, pull requests and other contributions!

Video presentation

A live demo of the SpaceFinder app was presented at AWS re:Invent 2017, the annual AWS cloud computing conference. The presentation provides useful context on the authentication and authorization flows that the app demonstrates. The YouTube recording of the session (53 minutes) is available here:

Quickstart and Developer Guide

  1. The Quickstart guide walks through setting up a demo environment (5 minutes) with a tutorial of key app flows (30 minutes). This lab is self-contained and cleans up after itself by un-deploying all auto-generated AWS resources.

  2. For developers who want to dig deeper, we've also prepared a Developer Guide. The Developer Guide provides instructions on setting up the project pre-requisites manually in your developer environment.

Architecture diagram

Spacefinder Mobile App architecture

AWS services used

SpaceFinder is built using the following AWS services:

  • AWS Cognito - Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the options to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. Furthermore, AWS Cognito supports User Groups that let to create collections of users to manage their permissions or to represent different types of users.
  • AWS Lambda - AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration.
  • Amazon DynamoDB - Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models.
  • Amazon API Gateway - Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any Web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
  • AWS CloudFormation - AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

Backend API

Spacefinder uses a Serverless API built using Amazon API Gateway, Lambda, DynamoDB, and CloudFormation. The API has the following REST methods, and some methods can only be called by users with "Admin" privileges.

Spacefinder API

Mobile app

The mobile app is a hybrid mobile app, and is built on the Ionic 3 framework, which relies on Angular 4 and TypeScript 2. The hybrid mobile app can run on Android devices and iOS devices, as well as a modern web browser.

Spacefinder Mobile app

User flows

The app currently demonstrates the following user flows:

  • Identity Management
    • Register as a new user
    • Confirm registration code
    • Sign in (as a user who has already confirmed a registration code)
    • Sign in (as a user who has not yet confirmed a registration code)
    • Re-send registration code
    • Forgot password
    • Change password
    • Sign-out
  • SpaceFinder Application Features
    • View list of locations
    • Add a new location (Admin-only feature)
    • Delete a location (Admin-only feature)
    • View list of resources at a location
    • Add a new resource (Admin-only feature)
    • Delete a resource (Admin-only feature)
    • View resource availability
    • Book a new booking
    • Cancel own booking
    • Cancel another user's booking (Admin-only feature)
    • Upload a profile image to Amazon S3
    • Toggle display of admin-only features

Using the app

Sample users and data

Sample users and location/resource data are created as part of the bootstrapping process, to make it easy for you to try out the user flows. Use the following users to login to the application. You may additionally create your own personal accounts.

  • Standard user

    • Username: user1
    • Password: Test123!
    • Can browse resources, make bookings, and upload profile picture
  • Admin user

    • Username: admin1
    • Password: Test123!
    • Can additionally create and delete locations and resources

Console logging

Enable the browser developer console (or remote debugging for Android) to view all of the log messages.

The log messages will show you all tokens retrieved as part of the sign-in process, as well as all API calls made and the corresponding authorization for each call.

展开阅读全文

代码

评论

点击引领话题📣
暂无内容
发表了博客
{{o.pubDate | formatDate}}

{{formatAllHtml(o.title)}}

{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
没有更多内容
暂无内容
发表了问答
{{o.pubDate | formatDate}}

{{formatAllHtml(o.title)}}

{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
没有更多内容
暂无内容
lodash输入验证错误漏洞
原型污染
lodash是一款开源的JavaScript实用程序库。 lodash 4.17.15及之前版本中存在输入验证错误漏洞。远程攻击者可借助'merge'、'mergeWith'和'defaultsDeep'函数利用该漏洞在系统上执行任意代码。
CVE-2020-8203 MPS-2020-15679
2022-08-08 18:53
ws 存在拒绝服务漏洞
拒绝服务
ws 是一个用于 node.js 的简单易用的 websocket 客户端、服务器和控制台。此软件包的受影响版本容易受到拒绝服务 (DoS) 攻击。
MPS-2022-13147
2022-08-08 18:53
uglify-js 存在ReDoS漏洞
ReDoS
uglify-js 是一个 JavaScript 解析器、压缩器、压缩器和美化工具包。此软件包的受影响版本容易通过 string_template 和 decode_template 函数受到正则表达式拒绝服务 (ReDoS) 的攻击。
MPS-2022-14112
2022-08-08 18:53
Joyent Node.js moment模块拒绝服务漏洞
拒绝服务
Joyent Node.js是美国Joyent公司的一套建立在Google V8 JavaScript引擎之上的网络应用平台。moment是其中的一个JavaScript日期处理类库。 Joyent Node.js moment模块中存在安全漏洞。攻击者可借助特制的数据字符串利用该漏洞造成拒绝服务。
CVE-2017-18214 MPS-2018-2699
2022-08-08 18:53
clean-css 存在拒绝服务漏洞
clean-css 是适用于 Node.js 平台和任何现代浏览器的快速高效的 CSS 优化器。此软件包的受影响版本容易受到正则表达式拒绝服务 (ReDoS) 的攻击。
MPS-2022-12865
2022-08-08 18:53
ws 存在使用不充分的随机数漏洞
使用不充分的随机数
ws 是一个用于 node.js 的简单易用的 websocket 客户端、服务器和控制台。受影响的软件包版本使用加密不安全的 Math.random(),它可以产生可预测的值,不应在安全敏感的上下文中使用。
MPS-2022-15363
2022-08-08 18:53
Moment.js 正则拒绝服务漏洞
拒绝服务
Moment.js 是一个 JavaScript 日期库。用于解析、验证、操作和格式化日期。 Moment.js 在处理嵌套 rfc2822 注释内容时正则表达式执行时间不断的指数增大,导致服务不可用。 攻击者可利用该漏洞使目标服务停止响应甚至崩溃。
CVE-2022-31129 MPS-2022-11159
2022-08-08 18:53
node-sass 存在拒绝服务漏洞
拒绝服务
node-sass 是 libsass 的 Node.js 绑定包。此软件包的受影响版本容易受到拒绝服务 (DoS) 的攻击。
MPS-2022-13927
2022-08-08 18:53
js-yaml 存在拒绝服务漏洞
拒绝服务
js-yaml 是一种人性化的数据序列化语言。此软件包的受影响版本容易受到拒绝服务 (DoS) 的攻击。
MPS-2022-13820
2022-08-08 18:53
mime模块拒绝服务漏洞
拒绝服务
mime module是一个MIME类型模块。 mime模块中存在安全漏洞。攻击者可借助不可信的用户输入利用该漏洞造成拒绝服务。
CVE-2017-16138 MPS-2018-7211
2022-08-08 18:53
lodash 资源管理错误漏洞
不加限制或调节的资源分配
lodash是一款开源的JavaScript实用程序库。 lodash 4.7.11之前版本中的Date handler存在资源管理错误漏洞。该漏洞源于网络系统或产品对系统资源(如内存、磁盘空间、文件等)的管理不当。
CVE-2019-1010266 MPS-2019-8123
2022-08-08 18:53
npm bl 缓冲区错误漏洞
跨界内存读
npm bl 4.x系列中4.0.3之前版本,3.x系列中3.0.1之前版本,2.x系列中2.2.1之前版本存在安全漏洞,攻击者可以通过恶意输入导致越界读。
CVE-2020-8244 MPS-2020-12199
2022-08-08 18:53
Yargs Y18n 输入验证错误漏洞
动态确定对象属性修改的控制不恰当
Yargs Y18n是Yargs个人开发者的一个类似I18n的由Js编写的代码库。 y18n before 3.2.2, 4.0.1 and 5.0.5版本存在输入验证错误漏洞,该漏洞源于网络系统或产品未对输入的数据进行正确的验证。
CVE-2020-7774 MPS-2020-17543
2022-08-08 18:53
node-tar 路径遍历漏洞
路径遍历
node-tar是一款用于文件压缩/解压缩的软件包。 npm node-tar 存在路径遍历漏洞,该漏洞源于4.4.18、5.0.10和6.1.9之前的npm包“tar”(又名node-tar)存在任意文件创建覆盖和任意代码执行漏洞。攻击者可利用该漏洞访问受限目录之外的位置。
CVE-2021-37713 MPS-2021-28489
2022-08-08 18:53
Async 安全漏洞
原型污染
Async是英国Caolan McMahon个人开发者的一个实用模块。用于使用异步 JavaScript。 Async 3.2.1 及之前版本存在安全漏洞,该漏洞源于 mapValues() 方法。攻击者可通过 mapValues() 方法获取权限。
CVE-2021-43138 MPS-2021-34434
2022-08-08 18:53
Growl命令执行漏洞
命令注入
Growl是一套支持Node.js的通知系统。 Growl 1.10.2之前版本中存在安全漏洞,该漏洞源于在将输入传递到shell命令之前,程序未能正确的对其进行过滤。攻击者可利用该漏洞执行任意命令。
CVE-2017-16042 MPS-2018-7026
2022-08-08 18:53
@angular/core 存在跨站脚本漏洞
XSS
@angular/core 是一个包,可让您编写客户端 Web 应用程序,就好像您拥有更智能的浏览器一样。它还允许您使用 HTML 作为模板语言,并允许您扩展 HTML 的语法以清晰简洁地表达应用程序的组件。此软件包的受影响版本在启用 SSR 的情况下容易受到开发中的跨站点脚本 (XSS) 的攻击。
MPS-2022-13545
2022-08-08 18:53
Eran Hammer cryptiles 安全漏洞
信息熵不充分
Eran Hammer cryptiles是一款通用加密工具。 Eran Hammer cryptiles 4.1.1之前版本中的randomDigits()方法存在安全漏洞。攻击者可利用该漏洞暴力破解随机数。
CVE-2018-1000620 MPS-2018-9401
2022-08-08 18:53
plist.js 安全漏洞
原型污染
plist.js是一个用于 Node.js 和浏览器的 Mac OS X Plist 解析器/构建器。 plist.js v3.0.4之前版本存在安全漏洞,攻击者可利用该漏洞导致拒绝服务(DoS),并可能执行远程代码。
CVE-2022-22912 MPS-2022-1027
2022-08-08 18:53
lodash 存在拒绝服务漏洞
拒绝服务
lodash 是一个现代 JavaScript 实用程序库,提供模块化、性能和附加功能。由于对 CVE-2020-8203 的修复不完整,此软件包的受影响版本容易受到 zipObjectDeep 中的原型污染。
MPS-2022-13841
2022-08-08 18:53
没有更多内容
加载失败,请刷新页面
点击加载更多
加载中
下一页
0 评论
0 收藏
分享
OSCHINA
登录后可查看更多优质内容
返回顶部
顶部