maharris1011/cantstopcolumbus

make API for read/write to/from Airtable tables

Closed this issue · 11 comments

To protect the API key, we need to stuff the key off in an API exposed on one or the other serverless platform (Amazon Lambda, Google Functions, Azure Functions, ...). There should be an API for each of the tables that we have in Airtable, starting with the Find Help page.

The APIs need to sanitize input, perform business functions, and hide the API keys for Airtable.

Firebase costs $$. Small amounts of money, but our usage in AWS will easily be under the free tier for lambda. I'm going to try serverless framework and see how that works.

@maharris1011 Firebase has a free tier just like AWS, called the Spark plan. There are some limitations, like you can't have a Firebase function call out to non-Google-owned APIs for free, but I don't see a reason we would need to do that.

Lambda is going to be a much higher learning curve for most people and won't solve our problems on its own, but I am definitely available to help set that up. We would need to use a database like DynamoDB with Lambda and AWS API Gateway to serve as an endpoint to allow invocation of Lambdas, and AWS policies are tricky to learn.

@maharris1011 and from what I gathered, you are worried about an API key being exposed, which I agree is an issue, but introducing Lambda will still require the front end to have some API key/authentication mechanism. What seems to be the right solution is just sticking with the normal Airtable APIs and doing a read-only user API key. https://community.airtable.com/t/read-only-api-key/45/2

The challenge is that we're going to have to write to the Airtable from the 10tv promotions form. A read-only key won't do that, I don't think.

We will have to call out to 3rd-party APIs: the Airtable APIs will count as non-Google services, so Firebase will cost also.

Also, @CoreySchnedl, someone pointed out (you, maybe?) that at least if we control the API key via an API on Lambda or somewhere, we can control what they do with the API. The key we have gives a hacker basically the same permissions as my user account on Airtable does -- meaning they can not only create, but they could delete our Airtables.

@maharris1011 Yeah, sorry, that was probably me. I was thinking that if we only needed to display stuff from the Airtable, then there is a way to do read-only access API keys. I didn't realize we were posting to it. However, it seems like Airtable doesn't have a way to have write access API keys that exclude access to just delete the Airtable. Their API keys don't seem to be designed with static website form submission in mind. So yeah, to hide the API key we could do something like AWS API Gateway + Lambda, but the only concern there is that with a public API, some malicious user could just flood the public API Gateway with bad data, but I think that's just a risk that someone will have to live with. Maybe whoever has the AWS account should set up an alert just to be safe if someone decides to go crazy...

I can set up an AWS gateway and Lambda to do the same post that @arpavlic03 if you think that is best. I would just hard code the API key into my Lambda. Let me know if that would be helpful, or if you want to take a try at it, I can help with any questions you have. Most of the coding can be done in the AWS GUI console without having to go through the trouble of using serverless framework.

I wrote an API that takes form POST data & pumps it to the Airtable Promotions view, in Lambda with AWS Gateway.

Yes, big learning curve. Took me all damn day.

take a look at https://github.com/maharris1011/csc-airtable-aws

if you like, we can make that a thing.

@maharris1011 Looks great! Yes, that's what I meant about the big learning curve. Lol, it's a lot just to hide an API key.

So a couple things I recommend: first, make that repo private, or at the very least leave it public but just pass the API key outside of git (I can help with that if needed). But also, the API Gateway default throttle limit is like 10000 a second or something ridiculous. I would change that to like 20 or something. Then also set a budget/alert on your account just in case (you can set it for .01$ to get an alert if you go outside of free tier), but again I highly doubt there would ever be an issue.

Great job though! It’s good to follow best practices for security even for static sites like this. Let me know if there’s anything I can help with. But looks like that function will do the trick.

Thanks man. Did I accidentally leave the API key in?

API key is no longer included. There are resources for just about every table, though I held off making anything destructive like a POST or DELETE request until we absolutely need it.

@CoreySchnedl take a look & let me know what you think.

This is done! Hooray!
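
The approach this thread settles on (a Lambda behind API Gateway that holds the Airtable key, sanitizes the form input and exposes no destructive operation), sketched as an added example that is not code from this thread or from the csc-airtable-aws repository. The environment variable names and the form field names are assumptions; "Promotions" is the table named above.

```javascript
// Added example: Lambda handler behind API Gateway (proxy integration).
// AIRTABLE_API_KEY / AIRTABLE_BASE_ID are assumed environment variable names;
// the field names below are hypothetical form fields.
const ALLOWED_FIELDS = { Name: 100, Email: 254, Message: 1000 }; // field -> max length

function sanitize(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const fields = {};
  for (const [name, max] of Object.entries(ALLOWED_FIELDS)) {
    const value = input[name];
    if (typeof value !== 'string') return { ok: false, error: `${name} is required` };
    // Replace control characters, trim, then enforce the length cap.
    const clean = value.replace(/[\u0000-\u001f\u007f]/g, ' ').trim();
    if (clean.length === 0 || clean.length > max) {
      return { ok: false, error: `${name} has an invalid length` };
    }
    fields[name] = clean;
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.Email)) {
    return { ok: false, error: 'Email is not valid' };
  }
  return { ok: true, fields }; // keys not in ALLOWED_FIELDS are dropped
}

async function handler(event, env = process.env, fetchImpl = fetch) {
  let parsed;
  try { parsed = JSON.parse(event.body || ''); } catch { parsed = null; }
  const result = sanitize(parsed);
  if (!result.ok) return { statusCode: 400, body: JSON.stringify({ error: result.error }) };

  // The key stays server-side: read from the function's environment, never from
  // git or the request, and never echoed back to the caller.
  const url = `https://api.airtable.com/v0/${env.AIRTABLE_BASE_ID}/Promotions`;
  const res = await fetchImpl(url, {
    method: 'POST', // create only; this function has no update or delete path
    headers: { Authorization: `Bearer ${env.AIRTABLE_API_KEY}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ fields: result.fields }),
  });
  // Return a generic status so Airtable error details do not reach the client.
  return res.ok
    ? { statusCode: 201, body: JSON.stringify({ created: true }) }
    : { statusCode: 502, body: JSON.stringify({ error: 'upstream error' }) };
}

if (typeof module !== 'undefined') module.exports = { handler, sanitize };
```

The throttle limit and billing alert recommended above are API Gateway and account settings, so they sit outside this function.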