Need advice/tips on auth process

Hi. Suppose the following scenario where I have an eBook sold on Amazon or any other venue. Once a copy of the eBook is sold I need to grant the buyer an access to a web page/app that is accessible only to users who bought the eBook. I believe, once a copy is sold I receive a notification from Amazon that the eBook was sold, but there’s no relation between that transaction and granting access to a protected site. What would be the possible solutions to accomplish this task? Thanks in advance for sharing your ideas.

You can use a webhook that would create a database of user permissions to your products.

How you would serve those digital products to individuals with access depends on the technology stack.

My corporation is heavy on AWS because of flexibility, cost and sustainability efforts to be running on 100% renewable energy by 2025.

We will be tackling the same problem although not a priority.

With AWS I would create a Restful HTTP API using API gateway that acts as webhook to purchase notifications. Build a database of permissions or create users in Cognito with access to the digital products stored in restricted bucket in s3. Most of that would be configuration of AWS services with the exception of the webhook which would be a lambda. Users would than be able to login and download contents in the s3 bucket which they have authorization to do so.

That is distributed computing model but you could also program your own application that would authenticate users, list products, and have users download them. That requires much more code than the cloud approach. However, the cloud approach would require understanding how the services mentioned interconnect which can be a bit of a learning curve.

Hey thanks windbeneathmywings for the explanation. I’m not versed with the technologies you’ve mentioned, but I kinda got the whole idea of what you explained. In my case scenario it would be much simpler since the eBook would be sold at the Amazon store. In one of the chapters of the eBook I would give the url for the support website, once the user access the url there will be presented a webpage with only an input where the user would enter a password. The password would be sent to the user after he contact me via email. Nothing automated since I initially don’t expect heavy sales. Basically the index page of the site is a “gate” and once the user is granted access he then access the rest of the site. By the way, the website is just a SPA made with SvelteKit, very similar to another Svelte app I made and is accessed for free as a Google Chrome Extension. Can be seen at:{notes}/iofllijbdhfjeldndldjabjmejbkeabd/ . The site is similar to the Chrome extension, but with some specific content that supports the eBook’s content and I want that to be only accessible to users who bought the eBook.

Do you have an existing back-end api or just the front-end app? If so what language and/or framework is being used for the rest api. Do you have a login / sso (single sign on)?

I use AWS Cognito for SSO which provides advanced security like MFA for all my corporations apps now and in the future. Didn’t need to write any code login and all supplied for no cost. Okta and Auth0 are also very popular if you would like to avoid the security vulnerable rabbit hole of creating your own single sign on system.

At the moment I just have finished the front-end app, made using SvelteKit and the idea is like you’ve mentioned: to avoid re-inventing the wheel, so things like Auth0 are good candidates to solve my issue. I’ve just finished a tutorial with Svelte and Auth0 and it just works, which is good news.
I don’t have a web hosting solution yet, I’ll take a look at AWS as you’ve also mentioned, but maybe it’s going to be overkill for my needs? In case you know about other possibilities for web hosting, please let me know. I’m not experienced with using the services of a web hoster, so probably there are some gotchas too?

I’ve found the simplest way to host a static site is using github pages.

My corporation has several demos on github pages but has since migrated to aws. We use s3 and cloudfront which can be a bit of a learning curve to setup but provides a lot of flexibility. For example, using cloudfront one can implement edge functions to augment requests and responses from origins at scale with low latency.

Having said that AWS is a complete solution which has a learning curve. However, my corporation has made infrastructure and hosting an integral part of the application development process. When all that is required is static hosting combining s3 with cloudfront using aws might be a bit of an over kill. The architecture is more suited for enterprise ambitions.

None the less, you will need to build a rest api for webhook integration. I highly recommend serverless framework for that. AWS has a very generous free tier for serverless development resources ie. api gateway and lambda. You will also need a database and there are several options available on AWS for that. Including a serverless relational database called Aurora that is directly compatible with MySQL without the high cost of dedicated instances.

Distributed cloud services are the gateway to building highly available, scalable, secure professional robust APIs and web experiences regardless of vendor although I highly recommend AWS. Many cloud vendors including AWS also have sustainability obligations to shareholders which is putting them on track to be running on 100% renewable resources in a couple years time. The climate is fast becoming engrained in every part of society and tech industry is no different. So its worth considering sustainability and carbon emissions of software being developed since those numbers will directly impact companies in the future.

I was looking at the AWS website and actually signedup for the free account. I just found a non-offcial Svelte adapter for AWS and I’ll be testing that. I believe the first part which is to deploy and test the app will be straight-forward, but I’ll have to check the Cognito feature so I can implement the initial “gate” so just authenticated and then authorized users can access the app. I also believe that the authentication part will be relatively easy to accomplish and then I need to save a flag into the DB so only users who actually bought the product can have further access. Quite a learning curve, but if I figure out how to do this, it can be useful for future projects as well, so…

There is a HUGE market for AWS cloud development professionals. AWS is the uncontested leader in the cloud. Furthermore, AWS is a enterprise solution. The authentication system that is created in Cognito now can be shared between all your apps in the future. Providing one single point of sign on for organization wide management of users.

Considering you are going down that path there is also a lesser known but very powerful feature of Cognito. That feature is federated identities. Federated identity pools can be used to securely communicate with ALL AWS apis directly in the browser. In many cases this can eliminate the need to build your own APIs.

So if you need to store data on the server in a database you can do so securely directly in the browser without needing to write your own REST api using signed requests. In some cases the AWS JavaScript api will actually do this for you like with the s3 JavaScript sdk.

Thanks man for all the info … overwhelming at first but I’ll do it one at a time … I’ll concentrate myself on Deployment today if all goes right, then I’ll begin studying the Cognito part … let’s see :slight_smile:

1 Like

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.