Home
Support Forums

Signed proxy redirects

I am trying to use a signed proxy redirect to only allow my netlify function to be called by netilfy.

I updated my netlify.toml file like below and added an env variable to the build called “API_SIGNATURE_TOKEN”, but when I check the request cookies (just logging all cookies atm) in the function I don’t see the jwt to validate with.

site: nervous-lewin-928377

Just reading through docs again. Maybe this isn’t the best way to accomplish what I want. I was trying to add some sort of guard against someone just repeatedly calling the endpoint outside of the app. But since the app isn’t gated at the moment I guess that’s not really possible after thinking about it a bit more.

First off, these are JWS’s not JWT’s! You aren’t authenticating - just authorizing. The way you’d use that data to gate is:

  • check incoming request for a jws
  • decode jws using your secret
  • only proceed with “doing the thing on your server” if the jws decodes correctly.

not as automagic as you were hoping, but simpler than JWT handling, I think since you get all you need in the initial request and it’s then possible for your server to make a call “proceed, or don’t” based just on the info in that request.

Hi @fool

I’m in a similar situation as @okeydoke. I am trying to limit my netlify functions to my own netlify site.

Will you kindly clarify …

  1. Can signed proxy redirects be used for this purpose? Your post suggests it is possible but another post says it is not. I tested this and had the same result—I created an endpoint with requestbin.com and set my to destination in my netlify.toml file to that endpoint.
[[redirects]]
  from = "/api/*"
  to = "https://external-api.com"
  status = 200
  force = true
  signed = "API_SIGNATURE_TOKEN"

Then I hit my /api/ with Postman and checked the logs on Request Bin and the requests contained the correct x-nf-sign header, even though the traffic came from Postman not Netlify. So it seems signed proxy redirects do not actually ensure our Netlify functions are called by Netlify.

Have I missed something? I’m a new dev so there is a very good chance I have. :grinning:

hey there, just letting you know we haven’t forgotten about this thread and are hoping to get you some more info soon.

1 Like

Hi @vcamp,

Yes, this way (or probably any other too) you won’t be able to secure the endpoints, at least not the Netlify Functions.

Even if you you setup a redirect rule from /api/* to your Netlify Function, your actual endpoint (/.netlify/functions/foo/) is still vulnerable and could be hit by bypassing the redirect altogether. This way, even RBAC can’t save you. They would be able to protect your /api/* routing, but not the actual endpoint. However, with RBAC you’ve a chance. You could setup a different redirect rule for each function and use RBAC on that. So no one would be actually able to guess the endpoint’s URL and since they can’t know, the only way for them would be to pass through the RBAC checks.

I have a solution that might be useful (I use it currently). You could use Netlify Identity and create a random user with a random email and password. Then, you could pass that user using the Authorisation header to your functions. Inside the functions, you could verify if that Auth token is valid valid user of your website and authorise the function accordingly. To further increase the security, I delete the user inside the function so that no one can exploit the Auth token. It’s not fool-proof (I can explain why if needed), but does add a robust security mechanism.

If this sounds like a workable solution, I can provide you with an example of how I do it. It’s not super practical probably, but gets the job done.

A note though: If by protecting the endpoint you mean that you don’t wish for the functions invocations to be consumed, that won’t be possible. Even if you have any kind of checks inside the function to authorise or deny access, that would be counted as an invocation.

@vcamp not sure if this helps but I ended up just using netlify identity + sign-in page to somewhat limit/protect the various netlify functions. More detail here Netlify identity and go functions. I’m sure it’s a little dated at this point, but that was what I did at the time.