How to Build a Secure AWS Lambda API with Node.js and React

Build a secure serverless API using AWS Lambda functions, Node.js, and React.

jtgasper3

I appreciate the effort that went into this article, but I feel like I’m missing something, “How are the AWS Lambda functions secured?” As far as I can tell, they aren’t. The app in the article goes through the trouble of authenticating the user to the React.js app, but I don’t see how it passes any verifiable information to the Lambda API when POSTing a new high score. Okta’s usage isn’t so much about anything secure (with AWS), but providing some verifiable claims to the React app.

If I’m following this correctly, the back half of the app is less than secure. It’s like having a traditional website that is using HTTPS/TLS, but then emails the plain text credit card information to the merchant processing.

What am I missing?

Brett Lemoine

That’s a great point. Authorizing users through the front end and leaving the back end wide open is only half a solution.

David Neal

You are right. The example should have included using the access token to authorize the AWS Lambda function. I will ask the author to revise the post.

This post covers sending the access token from the front-end to an AWS Lambda and validating the token. The example uses Netlify Functions, but Netlify Functions are AWS Lambdas under the hood. I hope this helps fill in the gap.

/cc @diogenesthecynic

jtgasper3

Thanks David, I’ll take a look at the post you referenced in the morning.