github.com/mchmarny/buttons
A co-worker recently told me about flic.io buttons. These buttons caught my attention because they can include triggers for single, double, or hold click and can be easily wired up to all kinds of actions.
I instantly thought of a few really interesting applications. To start with though, I wanted to create a simple service that would allow me to push the custom data defined on each button over HTTP to Cloud PubSub. That in turn would connect me to the many more actuation options through GCP APIs and services that connect to Cloud PubSub.
I went ahead and ordered a 4-pack of Flic buttons and chose Cloud Run to implement my buttons service.
In this demo I will illustrate how to:
You can deploy the buttons service in Cloud Run with a single... wait for it... click of a button. Just click on the "Run on Google Cloud" button below and follow the prompts in Cloud Shell. When done, go to the Configuring Flic Button section to finish configuring your Flic buttons.
Before running the manual steps below, authenticate and enable the required APIs:

```shell
gcloud auth application-default login
gcloud services enable pubsub.googleapis.com
gcloud services enable run.googleapis.com
```
To store the data sent from each button action, first we need to create a Cloud PubSub topic named clicks:

```shell
gcloud pubsub topics create clicks
```

That should result in:

```
Created topic [projects/YOUR_PROJECT_ID/topics/clicks].
```
Next, deploy the generic Cloud Run service called buttons. The code for that service is in this repository for you to review. There is already a public image available (see below), but if you want to, you can build your own copy with this command:

```shell
gcloud builds submit --tag gcr.io/YOUR_PROJECT_ID/buttons:0.1.2
```

For more information on how to build images using Cloud Build see here. You can skip the build step and use the already pre-built public image located at:

```
gcr.io/knative-samples/buttons:0.1.2
```
Before we deploy the Cloud Run service we have to create a secret which will be used to ensure that only data from your button will be accepted. To do that, replace the your-long-and-super-secret-string string below with something more secure and define it as an environment variable using this command:

```shell
export SECRET="your-long-and-super-secret-string"
```

For a more secure way of defining secrets in Cloud Run environment variables you can use the berglas library.
Now that we have the SECRET defined, you can deploy the Cloud Run service. A couple of flags worth highlighting in the below command:

- concurrency - the buttons service is thread safe and doesn't store any internal state, so we can turn the concurrency up to the maximum. More on concurrency here.
- allow-unauthenticated - by default Cloud Run creates private services which can't be accessed by anonymous users. Since our buttons don't support a more complex authentication scheme, we will expose the Cloud Run service to the public and validate each request using the token string in the request header. More on allowing public access here.

```shell
gcloud beta run deploy buttons \
  --region=us-central1 \
  --concurrency=80 \
  --allow-unauthenticated \
  --image=gcr.io/knative-samples/buttons:0.1.2 \
  --update-env-vars="SECRET=${SECRET}"
```
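Since the service is public, the token header check is the only thing standing between the internet and your PubSub topic. The following is an added example of how such a handler can be written in Go; it is not the code from this repository. It validates the token header against SECRET in constant time, bounds and validates the JSON body the button sends, and hands the event to a Publisher interface (an assumption made here so the handler runs without GCP; the real service would wrap a cloud.google.com/go/pubsub topic). The ClickEvent struct, the Publisher interface and the check that click is a positive integer are likewise assumptions.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
)

// ClickEvent mirrors the JSON body the README sends from a Flic button
// (the field set is an assumption based on the curl example).
type ClickEvent struct {
	Version string `json:"version"`
	Type    string `json:"type"`
	Color   string `json:"color"`
	Click   int    `json:"click"`
}

// Publisher abstracts the PubSub topic so the handler can be exercised offline.
// In a real deployment this would wrap a *pubsub.Topic from cloud.google.com/go/pubsub.
type Publisher interface {
	Publish(ctx context.Context, data []byte) error
}

// PublisherFunc adapts a plain function to the Publisher interface.
type PublisherFunc func(ctx context.Context, data []byte) error

func (f PublisherFunc) Publish(ctx context.Context, data []byte) error { return f(ctx, data) }

// NewClickHandler returns an http.Handler that validates the "token" header
// against secret and forwards well-formed click events to pub.
func NewClickHandler(secret string, pub Publisher) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Constant-time comparison: a plain == returns early on the first
		// mismatching byte and leaks how much of the secret was right through
		// response timing. An empty secret is refused outright so a deployment
		// that forgot --update-env-vars never becomes an open endpoint.
		got := r.Header.Get("token")
		if secret == "" || subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Cap the body size and reject unknown fields so that whatever reaches
		// the topic is exactly the small, known event shape and nothing else.
		dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096))
		dec.DisallowUnknownFields()
		var ev ClickEvent
		if err := dec.Decode(&ev); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Minimal semantic validation (assumed rules: a type is required and
		// click is a positive integer such as 1 for a single click).
		if ev.Type == "" || ev.Click < 1 {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		data, _ := json.Marshal(ev) // marshalling a plain struct cannot fail
		if err := pub.Publish(r.Context(), data); err != nil {
			log.Printf("publish failed: %v", err)
			http.Error(w, "publish failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
}

func main() {
	// Placeholder publisher that only logs; swap in a real PubSub topic in production.
	pub := PublisherFunc(func(_ context.Context, data []byte) error {
		log.Printf("would publish to topic clicks: %s", data)
		return nil
	})
	port := os.Getenv("PORT") // Cloud Run injects PORT; SECRET comes from the deploy flag above
	if port == "" {
		port = "8080"
	}
	log.Fatal(http.ListenAndServe(":"+port, NewClickHandler(os.Getenv("SECRET"), pub)))
}
```

Run it locally with SECRET set and send the curl request from further down in this README; a request without the header, with the wrong header, or with an unexpected JSON field is rejected before anything is published.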
The response from the above command should look something like this:

```
Deploying container to Cloud Run service [buttons] in project [YOUR_PROJECT_ID] region [us-central1]
✓ Deploying... Done.
✓ Creating Revision...
✓ Routing traffic...
✓ Setting IAM Policy...
Done.
Service [buttons] revision [buttons-00001] has been deployed and is serving traffic at https://buttons-*******-uc.a.run.app
```
You should be able to see that service in the Cloud Run service list:

```
$: gcloud beta run services list
SERVICE   REGION       LATEST REVISION   SERVING REVISION   LAST DEPLOYED BY       LAST DEPLOYED AT
✔ buttons us-central1  buttons-00001     buttons-00001      mchmarny@*****.com     2019-06-01T00:10:06.059Z
```
You can also test the deployed service using curl. Just make sure you replace the *** part of the URL with the actual URL returned by the above command.

```shell
curl -H "content-type: application/json" -H "token: ${SECRET}" \
  -d '{ "version": "v0.1.0", "type": "button", "color": "white", "click": 1 }' \
  -X POST https://buttons-*******-uc.a.run.app
```
You can always find the URL of your buttons service by executing the following command:

```shell
gcloud beta run services describe buttons --region us-central1 --format 'value(status.domain)'
```
To set up Flic buttons on your device, follow the quick start instructions. Each one of the Flic buttons comes with many pre-programmed actions. To execute the above configured Cloud Run service, though, we will use the Internet Request action.
To do that you will need to select one of your buttons on your device, expand the Advanced category, and configure an action for either single, double, or hold click.
That will get you to the HTTP Internet Request action configuration screen.
A few parameters to configure here:

Parameter | Description |
---|---|
URL | Enter the full URL of the Cloud Run Service |
Method | Select POST |
Content Type | Enter application/json |
Body | Enter your JSON message to send to the service (e.g. { "type": "button", "color": "white", "click": 1 } ) |
HTTP Header | Key: token , Value: the value of the previously defined SECRET . Make sure you click the Insert button to "save" the header parameter |
When done entering the above parameters, click Done in the upper right corner to save the entire action. Now your Flic button is configured for use with Cloud Run.
Assuming all the above deployment steps were completed successfully, you should be able to click the button and see the following in the GCP service:

(image: Cloud Run click metric chart)

Hopefully this demo gave you an idea of how to connect your Flic buttons and many other IoT devices to a Cloud Run service. With the basic implementation in place, we can start working on more creative solutions next.
This is my personal project and it does not represent my employer. I take no responsibility for issues caused by this code. I do my best to ensure that everything works, but if something goes wrong, my apologies is all you will get.