supersoniko / dynamodb-paginator Goto Github PK

View Code? Open in Web Editor NEW

27.0 3.0 3.0 501 KB

Paginate DynamoDB results easily

Home Page: https://www.npmjs.com/package/dynamodb-paginator

License: MIT License

JavaScript 2.42% Shell 0.24% TypeScript 97.34%

nodejs dynamodb aws database pagination

dynamodb-paginator's Introduction

NOTE: This pagination library only works on indexes with a sort key.

Usage

Compatible with AWS SDK v3

import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { QueryCommand, DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
import { getPaginatedResult, decodeCursor } from "dynamodb-paginator";

interface UserPet {
  userId: number; // partition key (hash)
  petId: number; // sort key (range)
}

const client = new DynamoDBClient({});
const docClient = DynamoDBDocumentClient.from(client);

const limit = 25;
const defaultInput = {
  TableName: "UserPets",
  Limit: limit,
  KeyConditionExpression: "userId = :userId",
  ExpressionAttributeValues: {
    ":userId": 1,
  },
  ConsistentRead: true,
};

// Could be a cursor from a previous paginated result
const cursor = undefined;
const paginationInput = decodeCursor(cursor) || defaultInput;

const command = new QueryCommand(paginationInput);

const response = await docClient.send(command);

// By default the cursors are encoded in base64, but you can supply your own encoding function
const paginatedResult = getPaginatedResult<UserPet>(
  paginationInput,
  limit,
  response
);

// Output:
// {
//     data: T[],
//     meta: {
//         limit: number,
//         hasMoreData: boolean,
//         cursor: string,
//         backCursor: string,
//         count: number
//     }
// }

Security disclaimer

It's important to validate that the cursor has been generated by your service before passing it to the DynamoDB. If you don't, this opens a NoSQL vulnerability. A solution for this is signing/encrypting the cursor with a key.

Without encrypting the cursor, the partition and range key are also visible to the client consuming the cursor.

If your service offers authentication, it's also wise to validate that the cursor being parsed, was originally generated for that user/session. This is to prevent replay attacks.

Cursor encryption example

A simplified example of encrypting and decrypting the generated pagination cursor.

It's recommended to encapsulate the secured pagination code in a service, for ease of use.

import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
import { getPaginatedResult, decodeCursor } from "dynamodb-paginator";

const ENC_KEY = randomBytes(32); // set random encryption key
const IV = randomBytes(16); // set random initialisation vector
const ALGORITHM = "aes-256-cbc";

const encrypt = (val) => {
  const cipher = createCipheriv(ALGORITHM, ENC_KEY, IV);
  let encrypted = cipher.update(JSON.stringify(val), "utf8", "base64");
  encrypted += cipher.final("base64");

  return encrypted;
};

const decrypt = (encrypted) => {
  const decipher = createDecipheriv(ALGORITHM, ENC_KEY, IV);
  const decrypted = decipher.update(encrypted, "base64", "utf8");

  return JSON.parse(decrypted + decipher.final("utf8"));
};

const limit = 2;
const params = { TableName: "UserPets", Limit: limit };
// Example DynamoDB Output
const result = {
  Count: 2,
  Items: [
    { userId: 1, petId: 1 },
    { userId: 1, petId: 2 },
  ],
  LastEvaluatedKey: { userId: 1, petId: 2 },
  ScannedCount: 2,
};

// Pass a custom encoding function
const paginatedResult = getPaginatedResult(params, limit, result, encrypt);

// Pass a custom decoding function
const decodedCursor = decodeCursor(paginatedResult.meta.cursor, decrypt);

console.log(decodedCursor);
// Output:
// {
//   TableName: 'UserPets',
//   Limit: 2,
//   ExclusiveStartKey: { userId: 1, petId: 2 },
//   previousKeys: [ { userId: 1, petId: 2 } ],
//   back: false
// }

dynamodb-paginator's People

Contributors

Stargazers

Watchers

Forkers

sndpl cranberyxl raymundcuizon

dynamodb-paginator's Issues

ERR_MODULE_NOT_FOUND

Code Sample:

import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { ScanCommand, DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
import { getPaginatedResult, decodeCursor } from "dynamodb-paginator";

const client = new DynamoDBClient({
    region: 'us-east-2'
});

const docClient = DynamoDBDocumentClient.from(client);

const limit = 10;

const defaultInput = {
    TableName: "table",
    ProjectionExpression: 'blah'
};

const command = new ScanCommand(defaultInput);
const response = await docClient.send(command);

const paginatedResult = getPaginatedResult(
     paginationInput,
     limit,
     response
);

  console.log( response )

Result

node:internal/modules/esm/resolve:264
    throw new ERR_MODULE_NOT_FOUND(
          ^

Error [ERR_MODULE_NOT_FOUND]: Cannot find module 'C:\Users\user_name\Documents\test\node_modules\dynamodb-paginator\.dist\lib\paginator' imported from C:\Users\user_name\Documents\test\node_modules\dynamodb-paginator\.dist\index.js
    at finalizeResolution (node:internal/modules/esm/resolve:264:11)
    at moduleResolve (node:internal/modules/esm/resolve:917:10)
    at defaultResolve (node:internal/modules/esm/resolve:1130:11)
    at ModuleLoader.defaultResolve (node:internal/modules/esm/loader:396:12)
    at ModuleLoader.resolve (node:internal/modules/esm/loader:365:25)
    at ModuleLoader.getModuleJob (node:internal/modules/esm/loader:240:38)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:85:39)
    at link (node:internal/modules/esm/module_job:84:36) {
  code: 'ERR_MODULE_NOT_FOUND',
  url: 'file:///C:/Users/user_name/Documents/test/node_modules/dynamodb-paginator/.dist/lib/paginator'
}

previousKeys

Every time a new paginated call is made, the encoded result becomes larger. Upon inspecting the cursor, I have noticed that a new item is added to the previousKeys object with each new paginated call. This eventually causes the object to become too large. Is there a way to prevent the saving of previous keys?

Please add disclaimer about the need for encryption and authentication

You are opening yourself up to NoSQL injections by simply accepting the cursor from the client, decoding it and passing it to dynamodb.query(). The decoded cursor also includes your partition and sort key in plain text which could leak additional sensitive data. Your client can easily decode the cursor and inject their own query, potentially extracting any data from your table. One solution is to encrypt the cursor. To also prevent users from replaying a cursor, you should also add a message authentication code (MAC) to ensure that the cursor belongs to the same user.

Well, how can one use this to create a both way navigation?

It is working with ExclusiveStartKey inserted into the request. However, I couldn't see how can the previous results be loaded or move backward while doing pagination?

{
  TableName: 'types',
  limit: '5',
  ExclusiveStartKey: { typeName: 'dog', breedName: 'american hairless terriers' }
}

@supersoniko

supersoniko / dynamodb-paginator Goto Github PK

dynamodb-paginator's Introduction

Usage

Security disclaimer

Cursor encryption example

dynamodb-paginator's People

Contributors

Stargazers

Watchers

Forkers

dynamodb-paginator's Issues

ERR_MODULE_NOT_FOUND

previousKeys

Please add disclaimer about the need for encryption and authentication

Well, how can one use this to create a both way navigation?

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent