Properly enabling security for filepicker.io in Meteor

Question

Filepicker by default allows pretty much everybody to add files to your S3 bucket who was clever enough to copy your API key out of the client code and luckily also offers a security option with expiring policies.

But I have no idea how to implement this in Meteor.js. Tried back and forth, installing meteor-crypto-base package, trying to generate the hashes on the server, tried RGBboy's urlsafe-base64 algorithm on https://github.com/RGBboy/urlsafe-base64. But I just do not get any further. Maybe someone can help! Thank you in advance.

Answer 1

This is an example of how to do filepicker signed URLs in meteor, based on the documentation here:

var crypto = Npm.require('crypto');
var FILEPICKER_KEY = 'Z3IYZSH2UJA7VN3QYFVSVCF7PI';
var BASE_URL = 'https://www.filepicker.io/api/file';

Meteor.methods({
  signedUrl: function(handle) {
    var expiry = Math.floor(new Date().getTime() / 1000 + 60 * 60);

    var policy = new Buffer(JSON.stringify({
      handle: handle,
      expiry: expiry
    })).toString('base64');

    var signature = crypto
      .createHmac('sha256', FILEPICKER_KEY)
      .update(policy)
      .digest('hex');

    return BASE_URL + "/" + handle +
      "?signature=" + signature + "&policy=" + policy;
  }
});

Note this will need to exist somewhere inside of your server directory so you don't ship the key to the client. To demonstrate that it works, on the client side you can call it like so:

Meteor.call('signedUrl', 'KW9EJhYtS6y48Whm2S6D', function(err, url){console.log(url)});

If everything worked, you should see a photo when you visit the returned URL.