How do I add simple licensing to api when using AWS Cloudfront to cache queries

Question

I have an application deployed on AWS Elastic Beanstalk, I added some simple licensing to stop abuse of the api, the user has to pass a licensekey as a field

i.e

search.myapi.com/?license=4ca53b04&query=fred

If this is not valid then the request is rejected.

However until the monthly updates the above query will always return the same data, therefore I now point search.myapi.com to an AWS CloudFront distribution, then only if query is not cached does it go to actual server as

direct.myapi.com/?license=4ca53b04&query=fred

However the problem is that if two users make the same query they wont be deemed the same by Cloudfront because the license parameter is different. So the Cloudfront caching is only working at a per user level which is of no use.

What I want to do is have CloudFront ignore the license parameters for caching but not the other parameters. I dont mind too much if that means user could access CloudFront with invalid license as long as they cant make successful query to server (since CloudFront calls are cheap but server calls are expensive, both in terms of cpu and monetary cost)

Perhaps what I need is something in front of CloudFront that does the license check and then strips out the license parameter but I don't know what that would be ?

Answer 1

Two possible come to mind.

The first solution feels like a hack, but would prevent unlicensed users from successfully fetching uncached query responses. If the response is cached, it would leak out, but at no cost in terms of origin server resources.

If the content is not sensitive, and you're only trying to avoid petty theft/annoyance, this might be viable.

For query parameters, CloudFront allows you to forward all, cache on whitelist.

So, whitelist query (and any other necessary fields) but not license.

Results for a given query:

• valid license, cache miss: request goes to origin, origin returns response, response stored in cache
• valid license, cache hit: response served from cache
• invalid license, cache hit: response served from cache
• invalid license, cache miss: response goes to origin, origin returns error, error stored in cache.

Oops. The last condition is problematic, because authorized users will receive the cached error if the make the same query.

But we can fix this, as long as the origin returns an HTTP error for an invalid request, such as 403 Forbidden.

As I explained in Amazon CloudFront Latency, CloudFront caches responses with HTTP errors using different timers (not min/default/max-ttl), with a default of t minutes. This value can be set to 0 (or other values) for each of several individual HTTP status codes, like 403. So, for the error code your origin returns, set the Error Caching Minimum TTL to 0 seconds.

At this point, the problematic condition of caching error responses and playing them back to authorized clients has been solved.

The second option seems like a better idea, overall, but would require more sophistication and probably cost slightly more.

CloudFront has a feature that connects it with AWS Lambda, called Lambda@Edge. This allows you to analyze and manipulate requests and responses using simple Javascript scripts that are run at specific trigger points in the CloudFront signal flow.

• Viewer Request runs for each request, before the cache is checked. It can allow the request to continue into CloudFront, or it can stop processing and generate a reaponse directly back to the viewer. Generated responses here are not stored in the cache.
• Origin Request runs after the cache is checked, only for cache misses, before the request goes to the origin. If this trigger generates a response, the response is stored in the cache and the origin is not contacted.
• Origin Response runs after the origin response arrives, only for cache misses, and before the response goes onto the cache. If this trigger modifies the response, the modified response stored in the cache.
• Viewer Response runs immediately before the response is returned to the viewer, for both cache misses and cache hits. If this trigger modifies the response, the modified response is not cached.

From this, you can see how this might be useful.

A Viewer Request trigger could check each request for a valid license key, and reject those without. For this, it would need access to a way to validate the license keys.

If your client base is very small or rarely changes, the list of keys could be embedded in the trigger code itself.

Otherwise, it needs to validate the key, which could be done by sending a request to the origin server from within the trigger code (the runtime environment allows your code to make outbound requests and receive responses via the Internet) or by doing a lookup in a hosted database such as DynamoDB.

Lambda@Edge triggers run in Lambda containers, and depending on traffic load, observations suggest that it is very likely that subsequent requests reaching the same edge location will be handled by the same container. Each container only handles one request at a time, but the container becomes available for the next request as soon as control is returned to CloudFront. As a consequence of this, you can cache the results in memory in a global data structure inside each container, significantly reducing the number of times you need to ascertain whether a license key is valid. The function either allows CloudFront to continue processing as normal, or actively rejects the invalid key by generating its own response. A single trigger will cost you a little under $1 per million requests that it handles.

This solution prevents missing or unauthorized license keys from actually checking the cache or making query requests to the origin. As before, you would want to customize the query string whitelist in the CloudFront cache behavior settings to eliminate license from the whitelist, and change the error caching minimum TTL to ensure that errors are not cached, even though these errors should never occur.