Signed URL redirection service.
Firebase Dynamic Links is a useful service that allows me to generate sharable social links.
The generated links can be shared to social networks with specified title
, description
and image
.
function getDynamicLink(pageUrl, imageUrl, title, description) {
const dynamicLink = 'https://dtinth.page.link/?' + [
`link=${encodeURIComponent(pageUrl)}`,
`st=${encodeURIComponent(title)}`,
`sd=${encodeURIComponent(description)}`,
`si=${encodeURIComponent(imageUrl)}`,
].join('&')
return dynamicLink
}
However, for security, it is a best practice to restrict the usage of Dynamic Page Link to only domains that I own. This poses a problem when I want to link to 3rd party domains; I would have to edit the allowlist pattern for each new domain that I link to.
Instead of doing that I decided to create a signed URL redirection service. A redirect is authorized if it is properly cryptographically signed.
-
Get the URL to sign.
https://github.com/dtinth
-
Use TweetNaCl to sign the URL with my own private key. This generates a signature. Encode the signature as base64url.
k-4eL27uaLEgfSvL_KW9NeE2LxW_4gocHxerjOSBno7aR7MHUgGhj5CmHLW2LBgt6rxR_0zrZskZm66RwDtUCA
-
Construct a signed URL which lives on my personal domain
spacet.me
.https://warp.spacet.me/api/go ?u=https://github.com/dtinth &i=automatron &s=k-4eL27uaLEgfSvL_KW9NeE2LxW_4gocHxerjOSBno7aR7MHUgGhj5CmHLW2LBgt6rxR_0zrZskZm66RwDtUCA
-
Use that signed URL to generare a Firebase Dynamic Link.
Query Parameter | Description |
---|---|
u |
URL to redirect to |
i |
Issuer of the signed URL, which is registered in the API's source code |
s |
The signature, base64url-encoded |
p |
Prefix length for delegation (see below) |
In the above example, every individual URLs must be personally signed by me. But sometimes I want to allow others to use this service, but with restrictions. A common restriction is by using URL prefixes. Instead of signing the whole URL, a URL prefix can be signed instead.
-
Get the URL prefix to sign, and append
*
to it to get a URL pattern.https://wonderful.software/*
Also count the prefix length (excluding the
*
), here it is 27 characters. -
Sign the pattern to generate a signature:
QKrnwHJLl7kHMPllMozh38viYGLYvOWH9CRwrtUhMlnEa6Ill3nBEtvasGf1ygFp-tINQj_uyzCni1EsbqWYBw
-
Construct a signed URL:
https://warp.spacet.me/api/go ?u=https://wonderful.software/elect-live/pdd/ &p=27 &i=automatron &s=QKrnwHJLl7kHMPllMozh38viYGLYvOWH9CRwrtUhMlnEa6Ill3nBEtvasGf1ygFp-tINQj_uyzCni1EsbqWYBw
-
Use the signed URL.
I sign URLs through my personal chat bot automatron. It takes care of constructing the signed URL and holds the private key encrypted.