Security


What to be aware of when using the included BFCC_Container( ) function

The standard deployment strategy for CloudContainer is to use the custom function provided in the sample file to generate links to use in web viewers on your layouts. This provides a quick and easy way to get working CloudContainer URLs into your web viewers without having to do any extra scripting or configuration.

When you do this, the API key is embedded in the web viewer URL, which grants the user access to view and store files at the URL provided. If a user captures that API key, such as when it is exposed to a browser in WebDirect, it is possible for them to change the CloudContainer URL and upload, edit, or delete files other than the one you are specifically granting them access to.

While this may be an acceptable level of security for many internal deployments being only used by a select group of people, there may be cases where you would want to lock down your container access a bit more. This is particularly problematic if you wanted to have a place to upload files on a public-facing WebDirect solution, for example. In a case like that you would want to sure the public users only have access to the specific URL you want them to use. Signed URLs are the solution to this security problem.

Increasing security using signed URLs

CloudContainer supports generating pre-signed, expiring URLs to use in your web viewers. These generated URLs cannot be changed by users without invalidating the link and also expire after a time limit that you specify. You can use signed URLs to safely grant a use access to a single CloudContainer and only for a limited amount of time.

The BFCC_GetSignedContainer custom function can be used to get the address to query to get a signed URL for a particular container. This function takes the document UUID and an expiration in seconds which is counted from the time the URL is generated.

In this example we call BFCC_GetSignedContainer in an Insert From URL script step. We pass in the document UUID which we want to generate the link for as well as the number of seconds we want the link to be valid for (600 seconds = 10 minutes). This insert from URL script step gets a signed URL from the CloudContainer server and stores it in the $response variable. The $response variable is parsed for the “signedContainerUrl” JSON element to get the actual URL to be used. The value is stored in the $signedUrl variable. We then use this variable in the next step to direct the web viewer to the secure, expiring URL.

If the user tries to upload or delete a file at this address after 10 minutes they will receive an error, even if the container has already loaded in the web viewer on the screen.

An example of using signed URLs can be found in the “Get and Show Signed URL” script in the CloudContainer demo file.

Retrieving Signed Container, Thumbnail, and Download URLs

Signed URLs are secure ways of allowing a user access to a specific file. They do not have access to your API token and cannot change the URL without invalidating the link. This makes sure that the link you share does not allow a user to access anything other than the link you sent to them. You can generate signed urls for CloudContainer containers, thumbnails, as well as direct-download links.

Containers

You can retrieve a signed container URL using the following endpoint. The signed container URLs will allow a user to upload, delete, and download files from the container resource you give them. This URL can be generated using the BFCC_GetSignedContainer custom function.

https://app.cloudcontainer.cc/api/container/{yourResourceUuid}/signed?seconds={numSeconds}&api\_token={yourApiToken}

Example Response

{
  "success": true,
  "signedContainerUrl": "https://app.cloudcontainer.cc/container/myresource?expires=1603392046&user=8&signature=e85e948d5e0345ce0b864b5e9a3525231ffc31e85e948d5e0345ce0b864b"
}

Here is an example of a FileMaker script using a signed URL in a web viewer to prevent the API key from being exposed:

Insert from URL [ Select ; With dialog: Off ; Target: $response ; BFCC_GetSignedContainer ( Document::uuid ; 6000 ) ; Verify SSL Certificates ] 
Set Variable [ $signedUrl ; Value: JSONGetElement($response; "signedContainerUrl") ] 
Set Web Viewer [ Object Name: "cloudcontainer wv" ; URL: $signedUrl ] 

Thumbnails

A signed thumbnail URL will let a user see only the thumbnail image that you send to them. They will not have access to upload, download, or delete files from the actual CloudContainer container. This URL can be generated using the BFCC_GetSignedThumbnail custom function

https://app.cloudcontainer.cc/api/thumbnail/{yourResourceUuid}/{maxWidth}x{maxHeight}/signed?seconds={numSeconds}&api\_token={yourApiToken}

This will return a JSON object with a “success” property. You can get the thumbnail url from the “signedThumbnailUrl” property.

Example Response:

{
  "success": true,
  "signedThumbnailUrl": "https://app.cloudcontainer.cc/thumbnail/myresource/500x500?expires=1603391684&user=8&signature=1f2a7917ad2a916226b0039033c7ad2a916226b0039033"
}

Direct Download

You can generate a secure, signed download URL to share the contents of a CloudContainer. The user will be able to download the original document stored in the CloudContainer container. This URL can be generated using the BFCC_GetSignedDownload custom function. The third parameter of this function sets the “inline” query parameter. Setting this parameter to true tells the browser to try to handle the file using the native browser functionality instead of saving the file to disk. This can be useful for displaying an original image file or using the native browser PDF functionality to view a full document without prompting the user to save the file..

https://app.cloudcontainer.cc/api/container/{yourResourceUuid}/signedDownload?api\_token={yourApiToken}&seconds={numSeconds}&inline={true/false}

Example Response

{
  "success": true,
  "signedDownloadUrl": "https://app.cloudcontainer.cc/download/myresource?expires=1603391933&user=8&signature=b8e08a8423eb0b6532a3176196e445ce9ab1b8423eb0b6532a31761"
}