This microservice decrypts provided content after authentication by access token.
In a serverless architecture there is no server to password-protect content.
Using this microservice you can add the encrypted content to the HTML output without anyone being able to read it.
A small JavaScript-enhanced form lets you accept the password from a user and use this microservice to decrypt the content.
The service can be used in the architecture described below.
The site generator uses the following data:
- The unencrypted content
- The password that should grant access to the content
- A secret salt, only known by the site generator and the decryptor
It then generates the page frontend, containing:
- The encrypted content
- The hashed password: the password hashed with the secret salt
The frontend:
- Has the encrypted content in the source
- Has the hashed password
It enables a user to fill in their password, which should grant access to the encrypted content. After user input, it sends to the decryptor:
- The encrypted content
- The hashed password (using a salt kept secret from the user)
- The unencrypted password from the user
The decryptor doesn't know anything about the content, except for how to decrypt it. After authentication, the decrypted content is returned to the client.
The decryptor knows the secret salt, but not the correct password.
Authentication succeeds if the user-sent hashed password matches hash(user-sent password + salt).
Install dependencies:
$ composer install
$ yarn install
Create a .env file, based on .env.example.
Decryption will take place when this input is provided:
- password (provided by the user)
- password_hashed (predetermined and salted)
- content (the encrypted content)
Use the Defuse library to encrypt content:
use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
$key = Key::createNewRandomKey();          // fresh random key, to be shared with the microservice
$encrypted = Crypto::encrypt($content, $key); // authenticated ciphertext, safe to embed in the page source
Save the key and share it with this microservice:
echo $key->saveToAsciiSafeString(); // <-- save this output in your .env
If the ASCII-safe key is added to the .env file of this microservice, it will be able to decrypt the content.
Create a hashed password using password_hash, and make sure to include the salt:
$salt = 'salty_dog';             // secret salt, shared only with the microservice
$passwordPlain = 'bunnywabbit';  // the password that grants access to the content
$passwordHashed = password_hash($passwordPlain . $salt, PASSWORD_BCRYPT); // embed this hash in the page
If the salt is added to the .env file of this microservice, it will be able to verify the user-provided password.
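The full flow described above, from the site generator producing the ciphertext and salted hash through the decryptor's authentication check to the returned plaintext, as an added example written for this page. It is not the project's own code: the function names generateProtectedPage() and decryptForUser() are illustrative, the key and salt are created inline instead of being read from .env, and the script assumes the defuse/php-encryption package has been installed with composer.

```php
<?php
// Added example (not part of the project): both sides of the flow in one script.
// Assumes defuse/php-encryption is available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

// --- Shared secrets (in the real setup these come from the .env files) ------
$key  = Key::createNewRandomKey();  // encryption key, normally shared via .env
$salt = 'salty_dog';                // secret salt, normally shared via .env

// --- Site generator side ----------------------------------------------------
// Produces what the frontend embeds: the ciphertext and the salted hash.
// (Hypothetical helper name.)
function generateProtectedPage(string $content, string $password, Key $key, string $salt): array
{
    return [
        'content'         => Crypto::encrypt($content, $key),
        'password_hashed' => password_hash($password . $salt, PASSWORD_BCRYPT),
    ];
}

// --- Decryptor side ---------------------------------------------------------
// Receives the three inputs (password, password_hashed, content) and only
// knows the key and the salt. Returns the plaintext, or null when the
// request is incomplete, the password is wrong, or the ciphertext is bad.
// (Hypothetical helper name.)
function decryptForUser(array $input, Key $key, string $salt): ?string
{
    foreach (['password', 'password_hashed', 'content'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return null; // reject incomplete requests before touching secrets
        }
    }

    // Authentication: the user-sent hash must match hash(user password + salt).
    // bcrypt hashes are not reproducible by re-hashing, so the "matches"
    // check is password_verify(), which compares in constant time.
    if (!password_verify($input['password'] . $salt, $input['password_hashed'])) {
        return null;
    }

    try {
        return Crypto::decrypt($input['content'], $key);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null; // tampered ciphertext or a key that does not match
    }
}

// --- Demonstration with constructed sample data ----------------------------
$page = generateProtectedPage('Members-only text', 'bunnywabbit', $key, $salt);

// What the frontend form sends: the embedded fields plus the typed password.
$good = decryptForUser($page + ['password' => 'bunnywabbit'], $key, $salt);
$bad  = decryptForUser($page + ['password' => 'wrong'], $key, $salt);

echo $good === 'Members-only text' ? "correct password: content decrypted\n" : "unexpected failure\n";
echo $bad === null ? "wrong password: access denied\n" : "unexpected success\n";
```

Two points worth keeping in mind when running this in production. First, the hash is published in the page source, so the secret salt is the only thing that prevents a visitor from guessing passwords offline against it; it must stay in the microservice's .env and never reach the frontend. Second, bcrypt only processes the first 72 bytes of its input, so with password . salt the salt stops contributing once the password itself is 72 bytes or longer; enforcing a password length limit on the generator side avoids that.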
Run a local server using
$ php -S localhost:8000 -t public
You can use stages to deploy to development, staging and production (default: development).
The easiest way to deploy from your local machine uses an AWS profile defined with the AWS CLI tool. This assumes:
- You have the AWS CLI tool installed.
- You have configured a profile for this service.
- You have created .env.staging and .env.production files, based on .env.example.
$ npx serverless deploy --stage staging --aws-profile my-profile
$ npx serverless deploy --stage production --aws-profile my-profile
Serverless will print the HTTP endpoints to the screen.
Built on Lumen, deployed using the Serverless framework.