This article will provide solutions to the following problems:
- How to read and write cookies conveniently in cloud functions?
- How to store and use Session in Serverless?
- How to use input parameter verification to avoid malicious attacks?
How to conveniently read and write cookies in cloud functions?
A native cloud function receives cookie information through the headers in the Context, and writes cookies by returning a set-cookie header. This is not friendly enough for developers, so FaasJS encapsulates cookie reading and writing in the @faasjs/http plug-in. You can read and write cookies as follows:
import { Func } from '@faasjs/func';
import { Http } from '@faasjs/http';

const http = new Http(); // Create http plug-in instance

export default new Func({
  plugins: [http], // Put the http plugin instance into the cloud function plugins
  async handler () {
    console.log(http.cookie.read('key')); // Read cookie
    http.cookie.write('key', 'value'); // Write cookie
  }
});
How to store and use Session in Serverless?
In the serverless scenario, cloud functions are independent of one another. If Sessions were processed in one central place, it would cause a large performance loss.
Therefore, so that each cloud function can process Session information independently, it is recommended to encrypt the Session and store it in a Cookie. To keep the Cookie small, it is recommended to store only necessary information, such as user_id.
Session usage examples are as follows:
import { Func } from '@faasjs/func';
import { Http } from '@faasjs/http';

const http = new Http();

export default new Func({
  plugins: [http],
  handler () {
    // Write distinct_id in session as user_id
    http.session.write('user_id', http.session.read('distinct_id'));
  }
});
Input parameter verification
As network security becomes more and more important, FaasJS also has built-in parameter verification to avoid some attacks. Input parameter verification mainly supports the following functions:
- Supports verification of request parameters, Cookie and Session;
- Supports input parameter whitelist configuration. When encountering input parameters that are not in the whitelist, you can report an error or delete them;
- Verification rules include: required verification, type verification, enumeration value verification, and setting default values;
- Verification rules support multi-level verification and are used to verify object and array types.
The code example is as follows:
import { Http } from '@faasjs/http';

const http = new Http({
  validator: { // Configure input parameter verification
    params: { // Verify request parameters
      whitelist: 'error', // If a non-whitelist input parameter is found, an error will be reported
      rules: { // Verification rules for each parameter
        key: { // Parameter name
          required: true, // Required
          type: 'object', // Parameter type
          config: { // Multi-level verification
            whitelist: 'error',
            rules: {
              subKey: { // Parameter name
                in: [1, 2], // Enumeration value verification
                default: 1 // Set the default value
              }
            }
          }
        }
      }
    }
  }
});
Since the input parameter verification function supports Session, it can be used for simple authentication. For example, you can make user_id in the Session a required field to determine whether the user is logged in.
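The rule semantics listed in the input parameter verification section (whitelist, required, type, in, default, multi-level config), as an added example that is not FaasJS's own code: a standalone JavaScript sketch checked against constructed inputs. The function names, the error messages and the 'drop' whitelist mode are assumptions made for this illustration.

```javascript
// Added example: standalone sketch of the rule semantics, not FaasJS source code.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const typeOf = (v) => (Array.isArray(v) ? 'array' : v === null ? 'null' : typeof v);

function validate(input, { whitelist, rules }, path = 'params') {
  if (typeOf(input) !== 'object') throw new Error(`${path} must be an object`);
  const out = Object.create(null); // no inherited keys to confuse lookups
  // Whitelist pass: a key is allowed only if it is an own property of rules,
  // so inherited names such as "constructor" are never treated as declared.
  for (const key of Object.keys(input)) {
    if (own(rules, key)) out[key] = input[key];
    else if (whitelist === 'error') throw new Error(`${path}.${key} is not permitted`);
    // Any other mode ('drop' is a name assumed for this example) discards the key.
  }
  for (const [key, rule] of Object.entries(rules)) {
    const at = `${path}.${key}`;
    if (out[key] === undefined && own(rule, 'default')) out[key] = rule.default;
    if (out[key] === undefined) {
      if (rule.required) throw new Error(`${at} is required`);
      continue;
    }
    if (rule.type && typeOf(out[key]) !== rule.type)
      throw new Error(`${at} must be of type ${rule.type}`);
    if (rule.in && !rule.in.includes(out[key]))
      throw new Error(`${at} must be one of ${JSON.stringify(rule.in)}`);
    if (rule.config) { // multi-level: an object, or each element of an array
      out[key] = Array.isArray(out[key])
        ? out[key].map((item, i) => validate(item, rule.config, `${at}[${i}]`))
        : validate(out[key], rule.config, at);
    }
  }
  return { ...out };
}

// Same rule shape as the article's configuration.
const paramsConfig = {
  whitelist: 'error',
  rules: {
    key: {
      required: true, type: 'object',
      config: { whitelist: 'error', rules: { subKey: { in: [1, 2], default: 1 } } },
    },
  },
};
// Returns 'ok' or the rejection reason for a (constructed) request body.
function check(input, config = paramsConfig) {
  try { validate(input, config); return 'ok'; } catch (e) { return e.message; }
}
```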