
4 posts tagged with "Web"


Building a Blog Comment API with AWS Serverless

· 3 min read
ひかり
Main blogger

I wanted to add a comment section to this blog, so instead of using an off-the-shelf solution like Disqus or giscus, I built my own API on AWS serverless services. Here's a look at the design and implementation.

Architecture

Requests flow through the following stack:

Browser (www.hikari-dev.com)
↓ HTTPS
API Gateway
├── GET /comment?postId=... → Fetch comments
├── POST /comment → Submit a comment
└── PATCH /comment/{id} → Admin (toggle visibility)

Lambda (Node.js 20 / arm64)

DynamoDB (comment storage)
+ SES v2 (admin email notifications)

The code is written in TypeScript and managed as IaC with SAM (Serverless Application Model). Lambda runs on arm64 (Graviton2) to shave a bit off the cost.

DynamoDB Table Design

The table is named blog-comments, with postId as the partition key and commentId as the sort key.

| Key | Type | Description |
| --- | --- | --- |
| postId | String | Post identifier (e.g. /blog/2026/03/20/hime) |
| commentId | String | ULID (lexicographically sortable by time) |

Using a ULID for the sort key means the comments for one postId come back from QueryCommand in chronological order without any extra sorting, because the first 10 characters of a ULID are a fixed-width base32 encoding of the creation timestamp. That is why I chose ULID over UUID. One caveat: two ULIDs minted within the same millisecond are ordered by their random tail, not by creation order, unless a monotonic generator is used; for a blog comment section that is acceptable.

Spam Filtering

Before writing a comment to DynamoDB, the handler checks its body against a keyword list defined in keywords.json.

If a keyword matches, the comment is saved with isHidden: true and isFlagged: "1", so it is hidden automatically. If nothing matches, it goes live immediately.

isFlagged is used as the key of a sparse GSI. Comments that pass the filter do not get this attribute at all, so they never appear in the index, which keeps the moderation index small and cheap to query. This is achieved simply by setting removeUndefinedValues: true on the DynamoDB Document Client: a key whose value is undefined is dropped before the item is written (without the option, the Document Client throws on undefined values).

import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
const client = new DynamoDBClient({});

export const ddb = DynamoDBDocumentClient.from(client, {
  marshallOptions: {
    // drop undefined attributes instead of throwing, so unflagged items have no isFlagged key
    removeUndefinedValues: true,
  },
});
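As an added example (not the blog's own code), the following TypeScript puts the two previous points together: it encodes a timestamp the way a ULID does, so that string comparison of sort keys agrees with time order, and it builds a comment record whose isFlagged key is only present on flagged items, mirroring what removeUndefinedValues does at marshalling time. The keyword list, the CommentRecord shape and all function names are assumptions.

```typescript
// Added example (not the blog's own code) covering two points from the post:
// why a ULID sort key sorts chronologically, and how an unflagged comment ends
// up with no isFlagged attribute at all. Names below are assumptions.

const CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"; // ULID alphabet, no I/L/O/U

// 10-character, fixed-width base32 encoding of a millisecond timestamp.
// Fixed width and big-endian digit order are what make plain string
// comparison of two ULIDs agree with comparison of their timestamps.
export function encodeTime(ms: number, len = 10): string {
  let out = "";
  let t = ms;
  for (let i = 0; i < len; i++) {
    out = CROCKFORD.charAt(t % 32) + out;
    t = Math.floor(t / 32);
  }
  return out;
}

// ULID = 10 time chars + 16 random chars. `rand` is injectable for tests.
// Caveat: two ULIDs minted in the same millisecond order by their random
// tail, not by creation order, unless a monotonic generator is used.
export function ulid(ms: number, rand: () => number = Math.random): string {
  let tail = "";
  for (let i = 0; i < 16; i++) tail += CROCKFORD.charAt(Math.floor(rand() * 32));
  return encodeTime(ms) + tail;
}

// Constructed stand-in for keywords.json (assumption).
export const KEYWORDS = ["casino", "free money", "http://"];

export interface CommentRecord {
  postId: string;
  commentId: string;
  name: string;
  body: string;
  isHidden: boolean;
  isFlagged?: "1"; // present only on flagged items: the sparse GSI key
  createdAt: string;
}

export function matchesKeyword(body: string, keywords: string[] = KEYWORDS): boolean {
  const lower = body.toLowerCase();
  for (let i = 0; i < keywords.length; i++) {
    if (lower.indexOf(keywords[i].toLowerCase()) !== -1) return true;
  }
  return false;
}

export function buildCommentRecord(
  postId: string, name: string, body: string, now: number, keywords: string[] = KEYWORDS,
): CommentRecord {
  const flagged = matchesKeyword(body, keywords);
  return {
    postId,
    commentId: ulid(now),
    name,
    body,
    isHidden: flagged,
    isFlagged: flagged ? "1" : undefined, // key exists, value undefined
    createdAt: new Date(now).toISOString(),
  };
}

// Mirrors what marshallOptions.removeUndefinedValues does: keys whose value is
// undefined are dropped before the item is written, so a clean comment has no
// isFlagged attribute and never appears in the sparse index.
export function stripUndefined<T extends object>(obj: T): Partial<T> {
  const out: Partial<T> = {};
  const keys = Object.keys(obj) as (keyof T)[];
  for (let i = 0; i < keys.length; i++) {
    const v = obj[keys[i]];
    if (v !== undefined) out[keys[i]] = v;
  }
  return out;
}
```

The in-memory record still carries an isFlagged key with value undefined; it is the marshalling step that removes it, which is why the option lives on the Document Client rather than in the handler.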

Admin Email Notifications

Every time a comment is submitted, SES v2 sends me an email containing the author name, body, rating, IP address, and flag status.

The send is not awaited: the promise is fired off and any failure is only logged, so the POST response time is unaffected by email delivery. One caveat with this pattern on Lambda: once the handler returns, the execution environment may be frozen before an un-awaited promise settles, so a notification can be delayed until the next invocation or lost entirely. If a missed notification matters, await the send (accepting the latency) or hand it off to a queue instead.

// fire-and-forget: not awaited, so the handler returns immediately
sendCommentNotification(record).catch((err) => {
  console.error("sendCommentNotification error:", err);
});

Privacy

IP addresses and User-Agent strings are stored in DynamoDB for moderation purposes, but they are never included in GET responses. The stored record and the response body are separate TypeScript types, so the separation is enforced at the type level rather than by remembering to delete fields in the handler.
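Here is an added example (not the blog's own code) of what that type-level separation can look like. The field set, the rating attribute, the type and function names and the sample items are all assumptions. The point worth noticing is that TypeScript only performs excess-property checks on object literals: a stored record is structurally also a PublicComment, so `return rec` would compile and leak ip and userAgent. The projection has to copy named fields into a fresh literal for the type boundary to mean anything.

```typescript
// Added example (not the blog's own code) of keeping moderation-only fields
// out of the GET response at the type level. Type and function names, the
// rating field and the sample items are assumptions.

export interface StoredComment {
  postId: string;
  commentId: string;
  name: string;
  body: string;
  rating: number;
  isHidden: boolean;
  isFlagged?: "1";
  ip: string;         // moderation only, never returned
  userAgent: string;  // moderation only, never returned
  createdAt: string;
}

// The response type lists exactly what the browser may see. It is written
// out by hand rather than derived with Omit<StoredComment, ...>, so a field
// added to StoredComment later does not silently join the response.
export interface PublicComment {
  commentId: string;
  name: string;
  body: string;
  rating: number;
  createdAt: string;
}

// Allow-list projection built as a fresh object literal. TypeScript only
// flags excess properties on object literals, so `return rec` (structurally
// a PublicComment too) would compile and leak ip/userAgent; copying named
// fields is what makes the type boundary real.
export function toPublicComment(rec: StoredComment): PublicComment {
  return {
    commentId: rec.commentId,
    name: rec.name,
    body: rec.body,
    rating: rec.rating,
    createdAt: rec.createdAt,
  };
}

// GET /comment?postId=... body: hidden items are filtered before projection,
// so a flagged comment is neither shown nor leaked through the response.
export function listPublicComments(items: StoredComment[]): PublicComment[] {
  const out: PublicComment[] = [];
  for (let i = 0; i < items.length; i++) {
    if (!items[i].isHidden) out.push(toPublicComment(items[i]));
  }
  return out;
}

// Constructed sample items, not real stored data.
export const SAMPLE: StoredComment[] = [
  {
    postId: "/blog/2026/03/20/hime",
    commentId: "01ARZ3NDEKTSV4RRFFQ69G5FAV",
    name: "alice",
    body: "Nice post",
    rating: 5,
    isHidden: false,
    ip: "192.0.2.10",
    userAgent: "Mozilla/5.0 (constructed)",
    createdAt: "2026-03-21T00:00:00.000Z",
  },
  {
    postId: "/blog/2026/03/20/hime",
    commentId: "01ARZ3NDEKTSV4RRFFQ69G5FAW",
    name: "spammer",
    body: "free money at http://example.invalid",
    rating: 1,
    isHidden: true,
    isFlagged: "1",
    ip: "198.51.100.7",
    userAgent: "curl/8.0 (constructed)",
    createdAt: "2026-03-21T00:01:00.000Z",
  },
];

// Serialises the way a Lambda handler would (JSON body), so the check can be
// made on the wire form rather than on the in-memory object.
export function responseBody(items: StoredComment[]): string {
  return JSON.stringify(listPublicComments(items));
}
```

A quick way to keep this honest in CI is a test that serialises a stored record through the projection and asserts the IP and User-Agent strings are absent from the JSON, which catches a future `return rec` shortcut that the compiler would accept.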

Security

| Layer | Measure |
| --- | --- |
| Network | AWS WAF rate limit: 100 req / 5 min / IP |
| CORS | Restricted to https://www.hikari-dev.com |
| Admin API | API Gateway API key auth (X-Api-Key header) |
| Spam | Keyword filter with automatic hiding |

Note that CORS is a browser-side control: it stops other origins' pages from reading responses, but it does nothing against a scripted POST from curl. Abuse of the public endpoints is handled by the WAF rate limit and the keyword filter, not by CORS.

For the admin endpoint (PATCH /comment/{id}), setting ApiKeyRequired: true in the SAM template is all it takes to enable API key checking, with no custom Lambda Authorizer to implement. Keep in mind that an API Gateway API key is a static shared secret originally meant for identifying clients in usage plans, not a full authorization mechanism: it must never end up in the published site bundle, and it should be rotated if it is ever exposed.

Wrap-up

The serverless setup means no server management, and DynamoDB's on-demand billing keeps costs minimal for a low-traffic personal blog.

The whole thing is packaged with SAM + TypeScript + esbuild, and deploying is as simple as sam build && sam deploy.

My Number Card (Myna Card) - What Have I Used It For?

· 5 min read

This post summarizes how I've used my My Number Card, obtained in 2018, and what conveniences it has brought. I'll also cover the inconvenient aspects.

Things I've Used It For

  1. Printing Certificates at Convenience Stores
    • Copy of Resident Record
    • Certificate of Income

This is convenient because there's no need to make a special trip to the city hall (or a branch office) and wait in line.

  2. Identity Verification
    • Smartphone communication contracts
    • Opening a securities account
    • Opening a bank account
    • Identity verification for "XXXX Pay" services
    • Identity verification for COVID-19 vaccine appointments

In the future, identity verification might become difficult without a My Number Card. Society is becoming less based on trust, so it might be unavoidable. It's good that I don't have to get a driver's license just for ID purposes when I don't drive. Probably about 20% of people are in this situation.

  3. Tax Returns (Kakutei Shinkoku)

I just had to enter numbers into the form and submit it. It's convenient, as it can also calculate medical expense deductions.

  4. Using it as a Health Insurance Card

It's good not to have to carry my health insurance card, but I've encountered problems several times where it couldn't be used due to bugs in the qualification verification system, so it seems best to carry my physical health insurance card just in case. It's convenient that information on medicines prescribed at pharmacies can be checked on MyNa Portal (especially for people with drug allergies). If I use my health insurance card instead of my Myna Card, will it still calculate medical expenses? I'm not sure about that.

  5. Moving-out Notification

Going to the city hall (or branch office) to submit a moving-out notification during the busy period at the end of March is daunting, but you can submit it online using MyNa Portal. The important thing to remember is not to forget the moving-in notification. (By the way, a branch office is less crowded than the main city/ward office.) It was a hassle to have to reset my My Number PIN when moving in.

  6. Smartphone Electronic Certificate

You can load your My Number electronic certificate onto your smartphone. It might be convenient, as you can log in to MyNa Portal without the card.

Dissatisfactions

  1. Smartphone App NFC
    Even though the electronic certificate is on my smartphone, the app always requests NFC. It's inconvenient that the app won't open without NFC being enabled, so I hope for improvement.

  2. My Number is Written on It
    Having the My Number printed on the My Number Card creates a risk if it's lost, although misuse is hard to imagine. I wish it were numberless like a credit card.

  3. Monochrome Photo
    The photo embedded in the My Number Card is monochrome. Why wasn't it in color?

  4. Troublesome Renewal
    Due to electronic certificate security, renewals are every 5 years. However, the card's validity period is 10 years. What? Apparently this may or may not be improved.

  5. Hospitals Where the Card Cannot Be Used
    It seems the government provides some subsidies, so I hope they will support it.

  6. Too Many PIN Types
    There are four types of PINs. I wish there were just one, but is it difficult due to security? I don't know.

  7. Unstylish Card Design
    I wish it would emulate the design of a radio operator's license.

Probably Misunderstood Things

There are many off-base criticisms of the My Number Card, so I'll summarize them. Please understand the system before criticizing.

  1. Personal information linked to the My Number Card can be extracted
    This is partially correct. The My Number Card itself only contains basic personal information like address, name, gender, and date of birth. It probably contains less information than a driver's license. To view information linked to the My Number Card, you need to open the linked site and authenticate using the My Number Card. Linked information cannot be viewed without the My Number Card and its PIN. Of course, if you write the PIN on the card and then lose it, various pieces of personal information could be extracted. This point is similar to a cash card.

  2. The PIN is only 4 digits, so security is weak
    It's incorrect that security is weak. Consider logging into SNS on a computer; you can log in with an ID and password. On SNS, the ID is easily known, so anyone who has the password can log in. No matter how complex the password, it's single-factor authentication. On the other hand, the My Number Card uses two-factor authentication: possession of the card plus knowledge of the PIN. The reason Windows and other systems allow logging in with a PIN is that two-factor authentication (possession + memory) is said to be more secure than single-factor authentication with a complex password.

  3. Errors in health insurance card linkage
    This is a linkage error by the health insurance association, a human error. The My Number Card is merely a personal authentication mechanism and is not the problem itself. However, there is an argument to be made about how to deal with errors in linkage by health insurance associations. Health insurance information can be checked on MyNa Portal, so it's advisable to check it once.

  4. A 100% charge at the counter without a My Number Card is outrageous
    As before, you can receive a refund by processing it through your health insurance association. However, it seems they will introduce a "qualification certificate" system, which defeats the purpose.

Install Firefox Build

· One min read

Ubuntu 22.04 ships Firefox as a snap, and it wasn't launching in some environments, so I'm documenting how to install the pre-built Firefox archive from Mozilla instead.

Uninstall apt / snap version of Firefox

sudo apt purge firefox
sudo snap remove firefox

Install Firefox Build

# Download the latest Linux build. --trust-server-names makes wget name the
# file after the versioned archive that the download URL redirects to.
wget "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=ja" --trust-server-names

# Extract (the archive has been shipped as .tar.bz2 and, in newer releases, .tar.xz)
tar xvf firefox-*.tar.*

# Install
sudo cp -r firefox /usr/lib

# Create a symbolic link to the executable
sudo ln -s /usr/lib/firefox/firefox /usr/bin/firefox

# Download and place the desktop file. This is a shortened link whose target
# can change at any time; resolve it and read the file before writing it as root.
sudo mkdir -p /usr/share/applications
sudo wget https://bit.ly/3Mwigwx -O /usr/share/applications/firefox.desktop

How to Create an Icon (.ico)

· One min read
  1. Prepare seven PNG images of sizes 16, 24, 32, 48, 64, 128, and 256 pixels.

  2. Create the icon using ImageMagick's convert command (on ImageMagick 7 the command is magick):

convert *.png favicon.ico