/** AppSync GraphQL API host; sent in the connection `header` and in the subscription authorization. */
const APPSYNC_HOST = "host.appsync-api.us-east-1.amazonaws.com";
/** AppSync real-time (WebSocket) host used for the wss:// connection. */
const APPSYNC_REALTIME_HOST = "host.appsync-realtime-api.us-east-1.amazonaws.com";
/** API key for API_KEY authorization; it is embedded in this client-side script and visible to anyone who loads it. */
const APPSYNC_API_KEY = "da2-key";
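/**
 * Builds the base64-encoded `header` value for the AppSync real-time
 * connection URL: a JSON object carrying the API host and the API key.
 *
 * The caller already passes `(host, apiKey)`; the original ignored those
 * arguments and always used the module constants. They are now honoured,
 * with the constants as defaults, so existing calls keep working.
 *
 * @param {string} [host=APPSYNC_HOST] - AppSync GraphQL API host.
 * @param {string} [apiKey=APPSYNC_API_KEY] - API key sent as `x-api-key`.
 * @returns {string} base64 of `{"host":...,"x-api-key":...}`.
 */
function encodeAppSyncCredentials(host = APPSYNC_HOST, apiKey = APPSYNC_API_KEY) {
  const creds = {
    host,
    "x-api-key": apiKey,
  };
  // `btoa` is a global in browsers, workers and Node >= 16, so there is no
  // hard dependency on `window` (which workers do not have).
  return btoa(JSON.stringify(creds));
}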
/**
 * Assembles the wss:// URL for the AppSync real-time endpoint.
 * Both query parameters are base64: `header` carries host + API key,
 * `payload` is an empty JSON object.
 *
 * @returns {string} the WebSocket URL.
 */
function getWebsocketUrl() {
  const encodedHeader = encodeAppSyncCredentials(APPSYNC_HOST, APPSYNC_API_KEY);
  // JSON.stringify({}) is exactly "{}".
  const encodedPayload = window.btoa("{}");
  return `wss://${APPSYNC_REALTIME_HOST}/graphql?header=${encodedHeader}&payload=${encodedPayload}`;
}
/**
 * Sends the `start` message that subscribes to `onCreateNotification`
 * over an AppSync WebSocket that has already been acknowledged.
 *
 * @param {WebSocket} websocket - open connection that has received `connection_ack`.
 */
function startSubscription(websocket) {
  // The query text is a runtime string sent to the server; keep it verbatim.
  const subscriptionQuery = `subscription NotificationSubscription {
onCreateNotification {
content
id
time
}
}`;
  // Per-message authorization for the subscription itself.
  const authorization = {
    "x-api-key": APPSYNC_API_KEY,
    host: APPSYNC_HOST,
  };
  const subscribeMessage = {
    id: window.crypto.randomUUID(),
    type: "start",
    payload: {
      data: JSON.stringify({ query: subscriptionQuery }),
      extensions: { authorization },
    },
  };
  websocket.send(JSON.stringify(subscribeMessage));
}
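const url = getWebsocketUrl();
// Subprotocol requested for the AppSync real-time endpoint.
const websocket = new WebSocket(url, ["graphql-ws"]);

websocket.addEventListener("open", () => {
  // Handshake: the server answers with `connection_ack` before subscriptions may start.
  websocket.send(JSON.stringify({ type: "connection_init" }));
});

// Surface transport-level failures instead of letting the socket die silently.
websocket.addEventListener("error", (event) => {
  console.error("websocket error", event);
});

websocket.addEventListener("close", (event) => {
  console.log("websocket closed", event.code, event.reason);
});

websocket.addEventListener("message", (event) => {
  // Declared locally: the original bare `message = ...` created an implicit global.
  let message;
  try {
    message = JSON.parse(event.data);
  } catch (err) {
    console.error("non-JSON message from server", err);
    return;
  }
  switch (message.type) {
    case "connection_ack":
      startSubscription(websocket);
      break;
    case "start_ack":
      console.log("start_ack");
      break;
    case "error":
      console.error(message);
      break;
    case "data":
      console.log(message.payload.data.onCreateNotification);
      break;
    default:
      // Other message types need no handling here.
      break;
  }
});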
使用以下代码我可以成功订阅 graphql 端点并获取实时数据。我担心的是,我很快就会将其部署到生产环境中,但这里 API 密钥已公开,没有 API 密钥身份验证将无法工作...我该如何保护它?使用身份验证的替代选项应该是什么?
您可以使用 AWS Secrets Manager,这是专门为此用例设计的服务。
AWS Secrets Manager 可帮助您在整个生命周期中管理、检索和轮换数据库凭证、应用程序凭证、OAuth 令牌、API 密钥和其他机密。许多 AWS 服务在 Secrets Manager 中存储和使用密钥。