The Cosync Storage module bridges the gap between MongoDB Realm and Amazon S3 Storage. The Storage module is one of the primary features of Cosync. The primary advantage of the Storage Module is that it does not require a client to upload assets to a MongoDB Realm server first, rather it supports direct upload to Amazon S3 directly from the client device. The MongoDB Realm Application simply acts a broker of sorts for URL management to the Amazon S3 Storage bucket. The benefits include:
- Easy to configure through the portal with Amazon S3 credentials
- Secure because it stores no Amazon Storage credentials on client device
- Built in client side code for image cuts, and HTTPS upload
- Support for progress notifications during the upload process
- Expiring read URLs for protecting sensitive assets
How does Cosync Storage works
Cosync recognizes that asset handling is important for most types of collaborative programming scenarios, and solves the issue through the Cosync Storage module. At present, Cosync Storage only supports the Amazon AWS S3 Storage bucket service, but has plans to implement the functionality on top of Microsoft Azure Blob Storage, and on Google Storage. The Storage service works by having the Cosync Portal initialize the MongoDB Realm Application with the Amazon S3 Storage Credentials, along with a number of server-side triggers and functions to process storage request. The Amazon S3 Storage Credentials are completely hidden from the client side code, and are securely saved on the server hosting the MongoDB Realm Application.
A client uses two classes or data-models to manage asset storage requests, and asset storage URLs. These data-models are Realm synchronized objects called:
A client makes a request to the MongoDB Application by creating a CosyncAssetUpload object with a status of pending. The MongoDB Realm Application responds to this request by communicating to the Amazon S3 Storage system, and computes a set of upload URLs on behalf of the client. Once the upload URLs have been computed, the MongoDB Realm Application sets the status of the CosyncAssetUpload object to initialized. The client can then respond by performing an HTTPS PUT request of the specific asset to the upload URLs in the CosyncAssetUpload object. When the upload is completed, the client sets the status in the CosyncAssetUpload object to uploaded. In a final step, The MongoDB Realm Application creates a CosyncAsset object to permanently record the asset in MongoDB Realm, and sets the status property in the CosyncAssetUpload object to completed.
The Cosync Storage module assumes that the partition name for the MongoDB Realm Application is called _partition. There are plans to make this configurable in an upcoming release of the product.
The Cosync Sample Application includes all the code necessary for a client to upload assets using the Cosync Storage module for all three platforms: Swift, Kotlin, and React-Native. The process should take a developer a minimal amount of time to get working.
Expiring URLs and asset security
Security is one of the biggest issues with URL based assets within a storage bucket system like Amazon S3. Since assets are stored independently of the MongoDB Realm database and Atlas server that supports it, URL access can pose a serious data breach risk. The problem is that if the URL to an asset were to escape the confines of the specific collaborative application for which it were intended, it would essentially be out there for the entire world to see. Imagine a scenario of a collaborative application that shared medical test records! Expiring URLs are the primary measure through which the Amazon S3 service has addressed this security issue. Using this scheme, a client can essentially configure a URL to expire in a matter or hours or minutes, enough time to display its content within an application, but no more.
The Cosync Storage module supports expiring URLs as a built-in feature. The CosyncAssetUpload object includes an expirationHours property, which specifies a floating point value in hours when the asset URLs should expire. Similarly, the CosyncAsset structure contains an expiration date expiration, which specifies when the asset expires. If the expirationHours is set to zero, the asset is said to be a public asset that never expires, in which case the read URLs to the asset that are stored within the CosyncAsset structure are always valid. For expiring assets, the CosyncAsset structure may contain expired URLs. A client can tell whether the URLs are expired if the current date is greater than the expiration date specified in the asset. To update the URLs to values that are not expired, the client side code must call the CosyncRefreshAsset() MongoDB Realm function, which is installed as part of the configuration process.