
I have a Cordova application which downloads a zip file as a blob from Azure. Since I am very new to Azure, I would like to know whether it is okay, security-wise, to access an Azure blob with a SAS URL from the Cordova application.

My point is that I would need to append the shared access signature (SAS) token to the blob url, something like below.

https://myazureportal.container.blobs/myblob?MY_SAS 

This way my javascript code will have SAS hard-coded. What is the correct approach since I would prefer to access blob using javascript only and preferably without writing any server side code if possible ?

If I use the SAS inside the javascript files of my cordova application, is it a security flaw? If so, is there any approach to implement the same using purely javascript only?

Things I tried:

  1. Created a back-end WEB-API service in ASP.NET Core and this way I would be able to download the blob file, but what I am looking for is a pure javascript approach.

3 Answers

1

Apart from the point mentioned by Eric about code being decompiled, there are a few other things you would need to worry about.

  • If you are embedding the SAS URL in your application, you will have to make it long-lived, i.e. with an expiry date far out in the future. That's a security risk and is against best practices.
  • A shared access signature is created using an account key and becomes invalid the moment you regenerate your account key. If you're embedding a SAS URL in your application and have to regenerate your account key for any reason, your SAS URL becomes essentially useless.

You can learn more about the best practices for SAS Token here: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#best-practices-when-using-sas.


0

Yes, it is a security flaw, as your app can be decompiled and your code inspected. If you want to keep this approach, at least have a login connected to a back-end that sends the SAS back to your front-end. Ideally you would do everything in the back-end and return the blob to your front-end.


0

We found the bundled versions of the azure javascript client library here: https://github.com/Azure/azure-storage-node/blob/master/browser/README.md

Assuming you are generating your per-transaction (file operation) SAS token behind the scenes with a short expiration, the native library will work for your solution and be 100% secure.

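The answers above all turn on the same properties of a SAS token: how long it lives, what it permits, and how narrowly it is scoped. As an added example (not code from the question, the answers or the Azure SDK), here is a policy check a back-end or CI step can run over a SAS URL before it is handed to a client; it flags the kind of long-lived, broadly scoped token the question proposes to hard-code and passes a short-lived, read-only, single-blob token. It assumes a service SAS carried in the standard query parameters (`sp`, `se`, `sr`, `spr`, `sig`); the lifetime threshold is this example's own policy, and the sample URLs and signatures are constructed placeholders.

```javascript
// Added example: audit a SAS URL against a least-privilege policy.
// Assumed SAS query parameters: sp = permissions, se = expiry (ISO 8601),
// sr = resource type (b = blob, c = container), spr = allowed protocol,
// sig = signature. MAX_LIFETIME_MS is this example's policy, not an Azure default.
const MAX_LIFETIME_MS = 15 * 60 * 1000; // per-transaction tokens: minutes, not years

function auditSasUrl(sasUrl, now = new Date()) {
  const url = new URL(sasUrl);
  const q = url.searchParams;
  const findings = [];

  if (!q.has("sig") || !q.has("se") || !q.has("sp")) {
    findings.push("not a complete SAS: missing sig, se or sp");
    return findings;
  }

  // Lifetime: an embedded token has to be long-lived, which is the core risk.
  const expiry = new Date(q.get("se"));
  if (Number.isNaN(expiry.getTime())) {
    findings.push("unparseable expiry (se)");
  } else if (expiry <= now) {
    findings.push("token already expired");
  } else if (expiry.getTime() - now.getTime() > MAX_LIFETIME_MS) {
    const days = Math.round((expiry.getTime() - now.getTime()) / 86400000);
    findings.push(`long-lived token: expires in ${days} days`);
  }

  // Permissions: a download-only client needs nothing beyond read.
  const extra = [...q.get("sp")].filter((p) => p !== "r");
  if (extra.length) findings.push(`permissions beyond read: ${extra.join("")}`);

  // Scope and transport: one blob, HTTPS only.
  if (q.get("sr") !== "b") findings.push(`scope is not a single blob (sr=${q.get("sr") ?? "unset"})`);
  if (q.get("spr") !== "https") findings.push("token not restricted to https (spr)");
  if (url.protocol !== "https:") findings.push("URL is not https");
  return findings;
}

// Constructed sample URLs; the signature values are placeholders, not real tokens.
const NOW = new Date("2024-06-01T12:00:00Z");
const EMBEDDED_SAS = "https://myaccount.blob.core.windows.net/mycontainer/app.zip"
  + "?sv=2022-11-02&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER";
const PER_REQUEST_SAS = "https://myaccount.blob.core.windows.net/mycontainer/app.zip"
  + "?sv=2022-11-02&sr=b&sp=r&spr=https&se=2024-06-01T12:05:00Z&sig=PLACEHOLDER";

console.log(auditSasUrl(EMBEDDED_SAS, NOW));    // four findings
console.log(auditSasUrl(PER_REQUEST_SAS, NOW)); // []
```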