Blog
Thoughts on engineering, design, and building great products.
Security: IAM Least-Privilege, Throttling, and WAF
Tighten the product's security posture. Shrink each Lambda function's IAM policy to exactly the actions and resources it needs instead of granting the whole read-write set, set rate and burst throttling at API Gateway so abusive clients are rejected with 429s instead of reaching the backend, discuss where to store secrets, and how to put AWS WAF in front of an HTTP API (WAF associates directly with REST APIs only, so an HTTP API needs CloudFront in front of it). Verify that least privilege doesn't break functionality, and watch the system shed load when flooded.
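The least-privilege step in concrete terms, as an added example rather than the post's own code: a wildcard read-write grant next to the scoped policy a create-link function actually needs, and a small IAM evaluator (Allow/Deny, `*` and `?` wildcards, no `Condition` or `NotAction`) used to confirm that the scoped policy still covers the handler's real calls while denying everything a compromised function could abuse. Account, region, table names and the action sets are assumptions.

```python
"""Least-privilege check for a Lambda function's IAM policy (added example).

BROAD is the kind of wildcard read-write grant the post argues against;
SCOPED is what a create-link function actually needs. allows() is a
simplified IAM evaluator (Allow/Deny statements, * and ? wildcards,
no Condition or NotAction), enough to show what each policy lets a
compromised function do. Account, region and table name are assumed.
"""
import re

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:123456789012:table/links"  # assumed

BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},
]}


def _wild(pattern, value, ignore_case):
    # IAM wildcards: * matches any run of characters, ? a single one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allows(policy, action, resource):
    """IAM evaluation order: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are matched exactly here.
        if not any(_wild(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Calls the create-link handler actually makes (assumed for this example).
NEEDED = {("dynamodb:PutItem", TABLE_ARN)}

# Calls an attacker holding this function's credentials must not be able to make.
DANGEROUS = {
    ("dynamodb:Scan", TABLE_ARN),        # dump every tenant's links
    ("dynamodb:DeleteItem", TABLE_ARN),  # destroy other tenants' links
    ("dynamodb:DeleteTable", TABLE_ARN),
    ("dynamodb:Scan", "arn:aws:dynamodb:eu-west-1:123456789012:table/users"),
}


def check(policy, needed=NEEDED, dangerous=DANGEROUS):
    """Return (missing, over_granted): needed calls the policy blocks, and
    dangerous calls it permits. Least privilege means both sets are empty."""
    missing = {call for call in needed if not allows(policy, *call)}
    over = {call for call in dangerous if allows(policy, *call)}
    return missing, over
```

`check(BROAD)` reports nothing missing but every dangerous call permitted; `check(SCOPED)` returns two empty sets, which is the "least privilege didn't break anything" verification done offline before deploying. Repeat the exercise per function: the delete-link function needs `dynamodb:DeleteItem` on the same table ARN and nothing else, since its ownership check is a condition on that single call.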
Multi-Tenant: Each User Their Own Data Slice, and Blocking IDOR
Turn the URL shortener into a true multi-tenant system. Add a list-links route scoped to the identity in the token, and a delete-link route that checks ownership inside the write operation itself (a condition on the delete, not a separate read followed by a delete) so one user can't delete another's link even if they guess the code right. Test with two real users and watch the boundary hold.
Cognito and JWT Authorizer: Only Logged-In Users Can Create Links
Add real users with Amazon Cognito. Stand up a user pool that issues JWTs, attach the HTTP API's JWT authorizer to protect the create-link route while the open-link route stays public, and have the handler read the user identity from a claim in the token instead of hard-coding it. Create a real user, get a real token, call the API with and without a token to see the boundary.