AWS S3, Cloudfront, and Lambda@Edge

Effectively an extension of the backend service Blobby, the 'Files Proxy' consists of a Cloudfront distribution along with two Node.js Lambda functions that are triggered by and run inside of Cloudfront, which collectively front the private 'user content' S3 bucket.

The File Proxy allows clients to request a file by its S3 path and provide a matching JWT as a URL parameter, generated by Blobby, and otherwise blocks all use of the Cloudfront distribution. The first Lambda@Edge function, file-proxy-viewer, is triggered on every viewer-request to Cloudfront and simply validates the JWT signature against the S3 path requested and checks the exp. As long as the JWT is valid, this Lambda returns the request to Cloudfront for further processing.

The second Lambda@Edge function, file-proxy-origin is triggered only on origin-request, meaning that only if a request cannot be served by the cache. This function simply returns the request to Cloudfront if it is 1) not for an image according to the file name, or 2) does not have either width, height, or format parameters. If it does have those parameters, the Sharp library is used to provide an image in the format requested and return with max (one year) cache TTL. Therefore, next time this same path + params, minus the signature, is requested, Cloudfront will run the first function but due to the cache hit, will skip this second image optimization function.

The Cloudfront distribution runs at files.pivotusercontent.com.