API module

The API module is included in the solution as an example of how to integrate the token
management process into the Playback API Gateway API section of a customer architecture.
The API Gateway with two Lambda integrations is the central element of this module. It is
responsible for performing token-related operations, that is, generating the token and
revoking a given session ID associated with the token. The two routes defined in the HTTP
API Gateway configuration are:
- /sessionrevoke (allowed for POST requests)
- /tokengenerate (allowed for GET requests)
When an incoming request matches either of the two routes, the appropriate Lambda function
is invoked. The Lambda function associated with the /tokengenerate path is responsible for
issuing the playback URL for a requested video asset (the video asset is specified in the
id query string parameter). This is possible with the use of the NodeJS module provided with
the solution, which exposes all the methods the Lambda function needs to handle token
operations. However, before the token can be issued, preceding steps must be completed in
the Lambda code to collect and format the metadata about the requested video asset and the
parameters that inform how the token must be built. In a typical production environment,
customers can run a form of content management system to manage this type of required
metadata. In the solution, this element is abstracted as a DynamoDB video assets table that
stores the necessary information for token generation. After you include the original
(without a token) playback URL for your video assets and fill in token-related parameters
for each asset, the Lambda code can fetch this information by using the video asset id
that's assigned to the metadata records in the DynamoDB table and generate the token
accordingly. The last element involved in the token generation process is the signing key,
which also needs to be retrieved before the token generation method is called. The
solution's library has a dedicated class and set of functions to obtain the keys from the
Secrets Manager secrets defined for the launched stack.
The second route (/sessionrevoke) points to another Lambda function, which parses the input
of the POST request to pull the session ID and put it in the ingest DynamoDB table from the
base module as an entry point for revoking the session. Session IDs submitted through this
path are flagged as MANUAL type in DynamoDB, which guarantees that these sessions will be
prioritized over automatically pushed sessions, as explained in the previous section.
You can also choose to launch a demo website composed of a few additional elements in the architecture. The demo website is made available solely to test the solution and verify that it can be successfully integrated with your video workloads. However, we strongly recommend turning off the demo website before using the solution in a production environment with sensitive video content that should be protected. This is because the demo website provides a path for unauthorized viewers to interact directly with API Gateway and obtain playback tokens, or revoke legitimate sessions. When the demo website is activated, you can verify whether, as a web client, you are able to acquire a playback URL with the token that would grant you permission to watch the protected content. The demo website also decodes and exposes the structure of the token payload, making it possible to confirm that the right parameters are included. Finally, it also allows testing manual revocation of the active playback session. The demo website consists of static assets stored in an Amazon S3 bucket created when the solution is launched.
Both components of the API module, the API and the static website, are exposed through the
same CloudFront distribution, which separates the traffic between API Gateway and the S3
bucket by using CloudFront cache behaviors. For the cache behaviors linked with API Gateway,
/sessionrevoke and /tokengenerate, a dedicated Lambda@Edge function is attached and invoked
for every API request to sign each of the outgoing requests with a SigV4 signature. This is
necessary because the API Gateway endpoint has IAM authorization activated to reject any
token-related requests without sufficient permissions as defined in IAM policies. The IAM
execution role configured for Lambda@Edge includes the permissions that allow it to call the
API Gateway endpoint, therefore requests signed with this function's invocation role
credentials are accepted.
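
The signing step described above, as an added NodeJS example that is not the solution's Lambda@Edge code: it builds the SigV4 Authorization header for a request to the API Gateway endpoint and models the receiving check in simplified form. The host, region, asset id and function names are assumptions, and the key pair is the AWS documentation placeholder.

```javascript
// Added example, not the solution's Lambda@Edge code: SigV4 over an API request.
const { createHash, createHmac, timingSafeEqual } = require('crypto');
const sha256 = (data) => createHash('sha256').update(data).digest('hex');
const hmac = (key, data) => createHmac('sha256', key).update(data).digest();
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
// RFC 3986 encoding as SigV4 requires (encodeURIComponent leaves !*'() as-is).
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
// Signing key: HMAC chain over date, region, service and a fixed terminator.
const signingKey = (secret, date, region, service) =>
  [date, region, service, 'aws4_request'].reduce(hmac, 'AWS4' + secret);
// Query parameters encoded, then sorted by name and value.
const canonicalQuery = (query) => [...new URLSearchParams(query)]
  .map(([k, v]) => [enc(k), enc(v)])
  .sort((p, q) => cmp(p[0], q[0]) || cmp(p[1], q[1]))
  .map((p) => p.join('=')).join('&');

// Returns the headers to send. Assumes a path that needs no URI encoding.
function signRequest(req, creds, region, amzDate) {
  const date = amzDate.slice(0, 8);
  const headers = { host: req.host, 'x-amz-date': amzDate };
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;
  const names = Object.keys(headers).sort();
  const canonicalRequest = [req.method, req.path, canonicalQuery(req.query || ''),
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''),
    names.join(';'), sha256(req.body || '')].join('\n');
  const scope = `${date}/${region}/execute-api/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope,
    sha256(canonicalRequest)].join('\n');
  const key = signingKey(creds.secretAccessKey, date, region, 'execute-api');
  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, `
    + `SignedHeaders=${names.join(';')}, Signature=${hmac(key, stringToSign).toString('hex')}`;
  return headers;
}

// Simplified model of the receiving side: recompute from what arrived and compare.
function verifies(req, creds, region, received) {
  if (!received.authorization || !received['x-amz-date']) return false;
  const expected = signRequest(req, creds, region, received['x-amz-date']).authorization;
  const [a, b] = [expected, received.authorization].map((s) => Buffer.from(s));
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample input; the key pair is the AWS documentation placeholder.
const SAMPLE_CREDS = { accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY' };
const SAMPLE_REQ = { method: 'GET', host: 'example123.execute-api.us-east-1.amazonaws.com',
  path: '/tokengenerate', query: 'id=asset-001' };
console.log(signRequest(SAMPLE_REQ, SAMPLE_CREDS, 'us-east-1', '20240101T000000Z').authorization);
```

Because the method, path and query string are all part of the signed canonical request, a signature produced for GET /tokengenerate does not verify for POST /sessionrevoke, and a request with no Authorization header is rejected outright.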