I'm working with some cached Pre-Signed URLs for S3 downloads, pretty simple. We have many URLs for each asset and many assets for each request, then to avoid generating so many new Pre-Signed URLs per request we are saving the Pre-Signed URLs while the expiration is far from happening. It works fine most of time but from time to time we receive a 400 Bad Request with "Token expired" error message.
For what I learned:
S3 Pre-Signed URLs also carry accessKeyId which is the authentication of the signer.
The signer key also has its own expiration time.
The Pre-Signed URL can be rejected if the Signer key has expired even if the expiration of the URL itself is not reached.
So the question I have is: how can I check the expiration time of an accessKeyId since my Server can already refreshed its own key (and add to this the uncertainty of Server instances different or not keys) and I no longer have access to AWS.config.credentials.expirationTime?
Unfortunately, I think you're out of luck when looking at the URL itself. I'm sure it's embedded in the x_amz_security_token, but the format of that token is not published (although if you Base64-decode it you'll see some interesting bits of readable text and a lot of binary data).
Instead, I recommend that you ensure that the expiration date for the signed URL is the same as the expiration date of the session that signs it.
The way that you do that is to assume a role on the server, and use the credentials from that role assignment to create the signed URL.
This assumed role just needs to have s3:PutObject permission on the bucket where the upload will go. The assumed role session will have whatever duration you request, starting from the time that you assume the role (unlike your Lambda/EC2 instance/whatever, which only regenerates credentials they expire).
Related
Does the docusign base uri change for a specific user? Can I fetch it just once in my application and use it for all subsequent docusign API calls? Also can we use same access token for multiple API calls until it expires after an hour?
Base URIs may change when calling different accounts. All users on the same account will have the same base URI, but keep in mind that some users are members of multiple accounts.
In practice, yes, you can fetch the base URI once and use it for all subsequent API calls against the same account.
Yes, tokens generated through the JWT Grant workflow last for an hour and should be reused whenever possible. As a best practice, consider requesting a token at around 50 minutes into the hour so that you have a brief window of overlap to ensure a smooth transition.
The URL returned by the embedded signing url API method EnvelopeViews:createRecipient only lasts 5 minutes.
How can I get an embedded signing URL that will last longer?
The embedded signing URL time to live is only 5 minutes.
So the answer is to give your signers a customized url to your application. Then, when your signer clicks it, your application first obtains an embedded signing URL from DocuSign and then responds to the signer with a redirect to the URL.
Creating the customized URL
Create a database table in your application with columns:
ID
url_lookup_guid
account_id
envelope_id
signer_email
signer_name
signer_clientUserId
envelope_expiration_date (optional, see below)
When you want to create a unique URL for an embedded signer:
generate a guid. It will be used as the url_lookup_guid value
Create a record in the database table.
The url will be something like myapp.mycompany.com/sign/[url_lookup_guid value]
Creating the embedded signing ceremony
The user opens (GET call) the url you gave them. Eg myapp.mycompany.com/sign/1234567-1234-1234-123456789
Pull out the guid valid from the URL
Look up the record in your database
Use the other values in the record to make a call to EnvelopeViews:createRecipient
Receive the embedded signing URL response to the API call
Redirect the signer to the URL
Remove the database record or mark it as used.
Clearing old database entries
As noted above, you can delete database rows once they're used.
To clear out entries that were never used, a batch process can check the database each day for obsolete entries where the envelope has expired.
Either record the expiration date, or auto-create an insertion date
in the database. Then, once your account's default expiration time has been exceeded, make an API call to DocuSign to check that the envelope has indeed expired. (Its expiration date may have been extended.)
Notes
The URLs that you create can last as long as you wish, or until the envelope expires within DocuSign, whichever comes sooner.
The URL will enable the person to sign the envelope, so you'd probably want to include additional signer authentication from DocuSign to ensure that the signer is who they say they are.
Don't use the database's ID as the lookup key since you want to ensure that someone can't guess the ID of a record. Use a random guid as the look up key.
Your app will need an access token to make the API call to DocuSign. Since this is an autonomous task, use the OAuth JWT grant flow.
Don't create a new access token per invocation, cache the current access token.
Since it can take a couple of seconds to create the redirect URL (or more time if you need to obtain a new access token too), you might want to first return an intermediate page that shows a please stand by message and makes an Ajax call to your app to obtain the URL for the redirect.
As I understand it, Instagram may expire our access tokens after an arbitrary period of time, in which case 'API responses will contain an “error_type=OAuthAccessTokenError”'.
Is the only way around this to get users to log in again?
I'm building an Instagram service which helps brands manage their following, and every day at a set time we request for their pictures and comments to run data analysis on engagement rates. Does that mean that we might arbitrarily lose access at any time and not be able to restart our service to our clients till they log in to authenticate again manually?
Any help with renewing Access Tokens would be appreciated!
You should verify if the initial grant included a refresh token in the authentication response. If not you may need to reauthenticate after expiration I think.
How to increase following limit per hour on Instagram? is there any other ways to increase following peoples more than its limit.
Can we increase by using multiple application?
If you ask your users to log into their Instagram account, and authorize your app, then you can make 5000 requests per hour per user:
http://instagram.com/developer/limits/
If you just use your key, you are limited to 5000 requests per hour, no matter how many users you have.
But I'm worried, what if this token expires?
AFAIK, Instagram accesstokens don't expire currently.
Note: From Instagram documents.
Note that we do not include an expiry time. Our access_tokens have no explicit expiry, though your app should handle the case that either the user revokes access or we expire the token after some period of time. In this case, your response’s meta will contain an “error_type=OAuthAccessTokenError”. In other words: do do not assume your access_token is valid forever.
Should I authorize the app each time the token expires?
At the moment, you do not need to do that, as token does not expire. As and when the token expires in future, a corresponding warning or error code and message will be sent to you, which you need to handle.
what can I do to have my app always pulling data from account without
my participation?
You can try following:
Use sharedpreference to store the accesstoken.
First time when you try to fetch data that needs accesstoken(Authenticated requests), first check in the sharedpreference whether the accesstoken is stored or not.
if yes then you don't need to login, just use that accesstoken. If you don't have the accesstoken in preference then do the login using instagram credentials, get the accesstoken and then share it in shared preference and use that for subsequent requests.
You can provide instagram logout option in which you just need to clear the accesstoken from sharedprefernce.
Hope this is helpful to you.
Is there a way to obtain the view document URL sent to the recipient?
I can enumerate the envelope status pulling back a multitude of URIs.
None which seem to match the URL and parameters.
If by document URL you mean the signing URL (ie. the URL token a recipient can use to sign an envelope) then no I don't believe this is possible.
URL tokens have lots of security built into them - when you generate a token it's only valid for 5 minutes and it is a one-time use, meaning if that URL is used or expired then you need to generate a new URL for that given recipient.
To help keep them even more secure if one is generated the actual link will not be saved and or returned anywhere to help prevent an attacker getting hold of it and using it before the true/intended recipient.
So as mentioned, once generated and sent there is no way to query the DocuSign system and ask for that actual URL that you've previously created. If you want to remember each URL you generate you'll have to do that through your app logic - but take note that they will only be valid for 5 mins and a one-time usage.