Overview

The cloud enables websites to easily add business capabilities regardless of their main web page hosting or web server solution.

This is a proof-of-concept of a web-to-API backend architecture. For this use-case, it takes a promo code as input (either from the web page or via API/curl), validates & maps it to a discount code on the backend (AWS), and returns the response for the web page to use.

This pattern can be used for a wide variety of use-cases. Instead of business logic getting buried (and possibly exposed) in front-end JavaScript hacks or CMS customization, it can be kept in a clean & secure backend API.

Architecture

The POC explores a decoupled end-to-end web/cloud-based architecture which can hook any web page (including this one, as you can see below) into a separate (and eventually secure) API.

It consists of :

  • simple web-based HTML frontend using jQuery (hosted on JSFiddle), or alternatively simply a ‘curl’ call
  • Amazon Web Services stack including API Gateway + Lambda (business logic) + DynamoDB (noSQL)

The web page calls the AWS-hosted API & back-end services directly. Lambda receives the incoming form input, applies some simple rules and returns the result as the response. There is also a Lambda call to a DynamoDB table whose response is also returned (just not yet fully coded into the response).

Demo

The frontend is hosted on JSFiddle, but you can try it directly on the page here: just add a promotion code in the box & click the button (valid promo codes include: familypromo, bigbossdiscount, digitalnomad, free):

Alternatively, with curl:

  • HTTP:GET
    curl -X GET https://117et24h53.execute-api.ap-southeast-1.amazonaws.com/beta?promocode=bigbossdiscount
  • HTTP:POST
    curl -X POST -H "x-api-key: PM_ME_FOR_A_KEY" -H "Content-Type: application/json" -d '{"promocode":"familypromo"}' https://117et24h53.execute-api.ap-southeast-1.amazonaws.com/beta

On security:

  • HTTP:GET: currently no client API authorization key is needed; the AWS service is throttled on the server side. More robust key-based security is quite easy to set up later.
  • HTTP:POST (i.e. via curl) will return an error without a proper API key (PM me for one if you want to try it), but it does demonstrate that the API service can easily be locked down to only authorized users.
  • Ideally the key would not be coded directly in the web page. Instead, the web page’s host could/should provide server-side logic & a proxy to receive the web page request and add things like the authorization key before forwarding it to the target AWS API.
  • Cross-origin resource sharing (CORS) needed to be considered and managed. Most web browsers enforce CORS, which prevents a web page from reading responses from 3rd party websites and APIs that have not authorized it, and will consequently return an error if the web page tries to do so (‘curl’ does not have this issue). The “trick” is for the server side to return an Access-Control-Allow-Origin header in the HTTP response.
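As an added illustration (not the POC’s own Lambda code), here is a Python handler for the API Gateway proxy integration that does what the architecture above describes: it reads the promo code from a GET query string or a POST JSON body, validates it, maps it to a discount code, and returns the result with the Access-Control-Allow-Origin header the CORS bullet mentions. The DynamoDB lookup is replaced by an inline dictionary with made-up discount values, and the allowed origin is an assumption.

```python
import json
import re

# Constructed stand-in for the DynamoDB table: promo code -> discount code.
# (The real POC looks these up in DynamoDB; the discount values here are made up.)
PROMO_TABLE = {
    "familypromo": "FAM10",
    "bigbossdiscount": "BOSS25",
    "digitalnomad": "NOMAD15",
    "free": "FREE100",
}

# Assumed page origin allowed to read the response; "*" would let any page read it.
ALLOWED_ORIGIN = "https://jsfiddle.net"
CODE_PATTERN = re.compile(r"^[a-z0-9]{1,32}$")

def _response(status, body, origin):
    # Every response carries the CORS header so the browser lets the page read it.
    return {
        "statusCode": status,
        "headers": {
            "Content-Type": "application/json",
            "Access-Control-Allow-Origin": origin,
        },
        "body": json.dumps(body),
    }

def lambda_handler(event, context=None):
    # API Gateway proxy event: GET ?promocode=... or POST with a JSON body.
    method = event.get("httpMethod", "GET")
    if method == "GET":
        code = (event.get("queryStringParameters") or {}).get("promocode", "")
    elif method == "POST":
        try:
            code = json.loads(event.get("body") or "{}").get("promocode", "")
        except (json.JSONDecodeError, AttributeError):
            return _response(400, {"error": "malformed JSON body"}, ALLOWED_ORIGIN)
    else:
        return _response(405, {"error": "method not allowed"}, ALLOWED_ORIGIN)
    # Validate the shape before touching the table so junk never reaches the backend.
    code = str(code).strip().lower()
    if not CODE_PATTERN.match(code):
        return _response(400, {"error": "invalid promo code format"}, ALLOWED_ORIGIN)
    discount = PROMO_TABLE.get(code)
    if discount is None:
        return _response(404, {"error": "unknown promo code"}, ALLOWED_ORIGIN)
    return _response(200, {"promocode": code, "discount": discount}, ALLOWED_ORIGIN)
```

The same validation step is where an API-key check or a DynamoDB call would slot in; the web page never sees the mapping table, only the returned discount code.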