Restrict access to S3 and serve images through API #38

Open
nathanielrindlaub opened this issue Nov 5, 2021 · 3 comments

@nathanielrindlaub
Member

Right now the images themselves are unprotected: if someone knew an ID they'd be able to request it.

To fix, create a resolver that checks authentication and then reads in the image data from the S3 bucket, encodes it in base64, and returns it to the front end in a JSON object.

@postfalk

postfalk commented Nov 5, 2021

You don't need to return the image as a JSON object (you could though). An image file can just be represented in a normal HTTP response body with the corresponding content type, such as image/jpeg, which could be used in a standard HTML element.

I might have said something incorrect at our meeting today. The base64 encoding might not be necessary in the image/jpeg case (it would be in the application/json case).

@nathanielrindlaub
Member Author

I think a JSON response would be the way to go so that it's in keeping with what's expected from GraphQL endpoints. I don't know if JSON responses are actually a requirement of the GraphQL spec, but I've never seen any non-JSON examples and all of our other GraphQL query "resolvers" return JSON ("resolver" kind of = "view" in GraphQL parlance).

@postfalk

postfalk commented Nov 5, 2021

I guess you are right. It seems GraphQL will still be able to just serve an image to the frontend, but the GraphQL API needs a base encoded body, similar to a Lambda response serving an image.
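
A sketch of the resolver discussed in this thread, added here as an illustration and not taken from the project's code: it rejects unauthenticated callers before any bucket read, then returns the image as base64 inside a JSON-serializable object. The names `resolveImage`, `createMemoryStore`, `context.user`, the `images/<id>.jpg` key layout and the 32-hex-character ID format are assumptions, and the in-memory store stands in for a private S3 bucket.

```javascript
// Added example; all names here are hypothetical, not the project's API.
// Stand-in for a private S3 bucket. A real deployment would wrap the
// AWS SDK's object read behind the same getObject(key) interface.
function createMemoryStore(objects) {
  return {
    async getObject(key) {
      const found = Object.prototype.hasOwnProperty.call(objects, key);
      return found ? objects[key] : null; // { body: Buffer, contentType }
    },
  };
}

// Assumed ID format (constructed): 32 lowercase hex characters. Validating
// before building the key keeps caller input from steering the read to
// other prefixes in the bucket.
const IMAGE_ID = /^[0-9a-f]{32}$/;

// GraphQL-style resolver signature: (parent, args, context).
// context.user is assumed to be set by upstream token verification.
async function resolveImage(_parent, args, context) {
  if (!context || !context.user) {
    throw new Error('UNAUTHENTICATED'); // fail before touching storage
  }
  if (typeof args.id !== 'string' || !IMAGE_ID.test(args.id)) {
    throw new Error('BAD_IMAGE_ID');
  }
  const obj = await context.store.getObject(`images/${args.id}.jpg`);
  if (obj === null) {
    throw new Error('NOT_FOUND');
  }
  // JSON cannot carry raw bytes, so the body is base64-encoded.
  return {
    id: args.id,
    contentType: obj.contentType,
    data: obj.body.toString('base64'),
  };
}

// Constructed sample object: four JPEG header bytes, not a real image.
const sampleId = 'a'.repeat(32);
const sampleStore = createMemoryStore({
  [`images/${sampleId}.jpg`]: {
    body: Buffer.from([0xff, 0xd8, 0xff, 0xe0]),
    contentType: 'image/jpeg',
  },
});

// Resolves to the error message, or null when the resolver succeeds.
async function tryResolve(args, context) {
  try { await resolveImage(null, args, context); return null; }
  catch (err) { return err.message; }
}
```

The resolver only closes the gap described in the issue if the bucket itself denies public reads, so that the API is the only path to the objects.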
