Today only: the friendly package awards

Project URL:

Editor link: Glitch :・゚✧

Create little awards for your favorite packages on npm, like this one:


Okay, it’s not really the point of this project to bug our community’s hard-working maintainers. I made this project to demonstrate programmatically uploading assets to a Glitch project, using a “POST policy.”


In order to make this somewhat safe, I’ve set up this project with a POST policy (Creating a POST Policy - Amazon Simple Storage Service). Getting one of these policies is a step I encountered in building snail-cli’s asset push tool. If this project gets pwned, the hope is that my whole account won’t get compromised.

The downside is that these POST policies are short-lived. I’m seeing expiration times about a day after the policy is given to us.

An intermediate approach, between putting your own persistent token on a project and putting only one of these POST policies on a project, would be to create a new “service” Glitch account, invite that service account to your project, and put the persistent token of the service account on the project. That way you could upload whenever. But if the project gets pwned, the attackers would get the service account’s persistent token and, with that, have full collaborator access to the project. But that’s something you risk anyway with the project invite token being in the environment already.

No, why these award images?

So here’s the other issue with programmatically uploading assets. Uploaded assets are associated with your project, and your project is associated with your account. And you can’t delete assets. If someone uploaded something unlawful or otherwise objectionable, you couldn’t erase it. You could perhaps overwrite it, but the caching is very strong.

This whole awards thing is done as a way to limit the freedom of uploads. Users have very few things they can control about the image they create: the background color, the package, and the award category. The package has to be on npm for 90 days, and npm has its own code of conduct (npm | policies | conduct). The category must be in Glitch’s friendly-words list, so that should be safe. And the colors are paired with the higher contrast of white or black text, so things should be okay there too.



  • it can be done
  • assets served from the CDN don’t need the project to be awake


  • using a POST policy requires you to refresh the policy each day
  • using a persistent token is more dangerous
  • you can’t easily clean up if your app uploads something objectionable
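
The upload restrictions described in the post (a background color, an allowlisted category, a package at least 90 days old, and white or black text chosen by contrast), sketched as an added example that is not the project's own code. `ALLOWED_CATEGORIES` is a constructed stand-in for the friendly-words list, and the npm registry metadata is assumed to be fetched already, with only its `time.created` field used.

```javascript
// Added example: server-side validation of the three user-controlled award inputs.
// ALLOWED_CATEGORIES is a constructed stand-in for the friendly-words list.
const ALLOWED_CATEGORIES = new Set(['delicious', 'friendly', 'sparkling']);
const MIN_AGE_MS = 90 * 24 * 60 * 60 * 1000; // 90 days, as stated in the post

// WCAG relative luminance of an sRGB color given as [r, g, b] in 0..255.
function luminance([r, g, b]) {
  const lin = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// Pick whichever of white or black has the higher contrast ratio on this background.
function textColorFor(rgb) {
  const l = luminance(rgb);
  const vsWhite = 1.05 / (l + 0.05);
  const vsBlack = (l + 0.05) / 0.05;
  return vsWhite >= vsBlack ? '#ffffff' : '#000000';
}

// packument: registry metadata for the package (assumed already fetched).
// now is injectable so the age check can be tested deterministically.
function validateAward({ color, category, packument }, now = Date.now()) {
  const errors = [];
  // Strict #rrggbb only: nothing else from the user reaches the image.
  const m = /^#([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i.exec(String(color));
  if (!m) errors.push('color must be #rrggbb');
  if (typeof category !== 'string' || !ALLOWED_CATEGORIES.has(category)) {
    errors.push('category not in allowlist');
  }
  const created = Date.parse(packument && packument.time && packument.time.created);
  if (Number.isNaN(created)) errors.push('package not found or missing creation time');
  else if (now - created < MIN_AGE_MS) errors.push('package younger than 90 days');
  if (errors.length) return { ok: false, errors };
  const rgb = m.slice(1).map((h) => parseInt(h, 16));
  return {
    ok: true,
    award: { background: m[0].toLowerCase(), text: textColorFor(rgb), category, package: packument.name },
  };
}
```

Rejecting a request before anything is uploaded matters here because, as the post notes, an uploaded asset cannot be deleted afterwards.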

node-fetch is truly a delicious package.
