Understanding Shrine (The File Uploading Gem)

Goals for this blog post: to help you understand Shrine, and the concepts behind buckets.

Shrine has a unique architecture. If you want to use the gem with any degree of sophistication, or peek under the hood, you might have some trouble following what is going on. This blog post will hopefully be an effective panacea for that ailment.

(A) Understanding the plugin system

  • The first and most important thing you can do is understand how the plugin system works: please do read this blog first.

  • You can also check out this presentation by Jeremy Evans (see the first 20 or so slides).

(B) Understanding Cloud and Bucket Concepts

What is this “bucket” thing?

You can think of it as a storage service. For example, if I want to own a blue whale - those creatures are huge - I might not have enough room in my apartment for such a creature. Where am I going to store it? Don’t worry: Amazon and Google have you covered. They offer a storage service where you can keep things. You simply pay them a small fee, and they will take care of looking after your blue whale for you.

It’s the same concept, except with computer files: an Amazon S3 bucket is simply a place where you can store your files. Amazon will let you control who accesses your files, and will help you put files into the bucket, as required.

Credentials

If we want to place goods into our bucket, or remove them, we will need permission. Amazon gives us an ID card. They give us some credentials.

What is a signed URL?

Suppose a friend of yours wants to see your blue whale. So he heads over to Amazon’s storage site and asks to see your whale. Guess what: the Amazon staff there say: “NO WAY!” You need permission.

If you want someone to access the things in your bucket, you have to give them permission. Or, in other words, you have to give them a “Signed URL”.

This time, if I send my friend over to Amazon, I will give him or her a piece of paper with some text written on it. This text is the presigned URL. When they get to the storage facility, they will simply hand over the piece of paper to the Amazon staff, who will inspect it closely.

“Ok, I can see you have authorisation,” says the staff member. And now you can see the blue whale.

What is a pre-signed URL?

OK, now Mr. Attacker - a bad guy - wants to store some nuclear waste in my storage facility at Amazon. How are we gonna stop him?

Solution: anyone who wants to put something into our bucket must be given permission. This permission is what is called a pre-signed URL. It’s basically a piece of paper. Amazon staff will look at that piece of paper and immediately know whether I have authorised it or not.
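
The two "pieces of paper" described above (a signed URL for viewing, a pre-signed URL for uploading) can be modelled in a few lines of Ruby. This is an added example, not code from Shrine or AWS: it uses a simplified HMAC scheme rather than the real S3 signing algorithm, and SECRET, HOST and the expires/sig parameter names are made up for illustration.

```ruby
require "openssl"
require "uri"

# Simplified model only: real S3 URLs use AWS Signature Version 4.
# SECRET, HOST and the "expires"/"sig" parameter names are constructed.
SECRET = "constructed-demo-secret"
HOST   = "https://bucket.example.com"

# The credentials never leave the owner; only this HMAC travels in the URL.
def signature(method, key, expires)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{method}\n#{key}\n#{expires}")
end

# Bucket owner: write the "piece of paper" for one method, one key, one deadline.
# Keys are assumed to be URL-safe (no spaces or "?") to keep the model short.
def sign_url(method, key, ttl:, now: Time.now.to_i)
  expires = now + ttl
  query = URI.encode_www_form(expires: expires, sig: signature(method, key, expires))
  "#{HOST}/#{key}?#{query}"
end

# Constant-time comparison, so timing does not leak how much of a guess matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Storage staff: recompute the signature from the request actually being made.
def authorized?(method, url, now: Time.now.to_i)
  uri     = URI.parse(url)
  params  = URI.decode_www_form(uri.query.to_s).to_h
  expires = params["expires"].to_i
  return false if now > expires # paper is out of date (or missing)
  key = uri.path.sub(%r{\A/}, "")
  secure_equal?(params["sig"].to_s, signature(method, key, expires))
end

if __FILE__ == $PROGRAM_NAME
  view = sign_url("GET", "cache/whale.jpg", ttl: 300)
  puts authorized?("GET", view)                         # friend may look
  puts authorized?("PUT", view)                         # but may not store anything
  puts authorized?("GET", view.sub("whale", "shark"))   # nor see another object
end
```

Because the method, the object key and the expiry are all part of the signed text, a URL handed out for viewing cannot be reused to upload, to reach a different object, or after its deadline.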

Here’s more detail about the workflow:

  • I drag and drop a file onto Uppy. Uppy will in turn call Shrine’s pre-signed URL endpoint. Remember how we added the following here:

    # routes.rb
    mount Shrine.presign_endpoint(:cache) => "/s3/params"

Written on March 25, 2020