5.15.4

Upload Without a Server

Summary

Enabling file uploads for your web application is easier than ever with Fine Uploader S3's client-side request signing support. With this feature, you don't need to worry about server-side languages. In fact, you only need a server to host your HTML and JavaScript files. You can even delegate this task to an Amazon S3 bucket, such as in the official Fine Uploader S3 no-server example.

API

A credentials option has been created for Fine Uploader S3 to support this workflow. It allows you to pass temporary credentials (secret & public AWS keys) to Fine Uploader S3 during initialization. An expiration date for the credentials must also be provided. Additionally, if you are using temporary credentials from the AWS Security Token Service, you will also need to provide a sessionToken. If you would like to use version 4 signatures, instead the default version 2, be sure to set the signature.version option to 4.

When your credentials expire, your credentialsExpired event handler will be invoked. You must then return a promise and fulfill it by passing the new credentials via the success method on the promise. The validity of credentials is checked internally by Fine Uploader S3 just before a request is sent to S3. If the credentials have expired, the request will be held up until your event handler specifies a new set of credentials or fails its attempt to do so.

An API method, setCredentials, also exists if you would like to update initial credentials after Fine Uploader S3 has been initialized. You can also utilize this method to tell Fine Uploader S3 about temporary credentials for the first time at some point after the uploader instance has been created.

Best Practices

In light of the fact that this workflow requires you expose an AWS secret key client-side (making it easy for malicious users to gain access to your secret key), there are some precautionary measure you should take:

  • Do not hard-code your credentials client-side. Your credentials should be temporary, with a reasonable expiration date.
  • Communication between your page and the entity that provides temporary credentials should be secured in some fashion (i.e. SSL).
  • Communication between your Fine Uploader S3 instance and your S3 bucket should be secured via SSL.
  • Consider use of an established identity provider along with AWS STS to obtain temporary credentials. An example of this can be seen in the official Fine Uploader S3 no-server upload example.