I m converting an app to use SST and for that I m using the Serverless Stack #sst

I’m converting an app to use SST and for that I’m ...

Ross Coundon

04/20/2021, 9:08 PM

I’m converting an app to use SST and for that I’m using the ApiGatewayV1Api construct with a custom lamdba authorizer. The problem I have is that the event that’s passed to the lambda authorizer doesn’t look like an auth event. The type definition I’m using for the handler is APIGatewayTokenAuthorizerHandler which is what I’m using in other apps and receives a APIGatewayTokenAuthorizerEvent. APIGatewayTokenAuthorizerEvent has a property named authorizationToken which is used to validate the supplied token. However, in my SST app the event that arrives looks like a regular event with headers and body etc. The relevant parts of my SST definition look like this:

Copy code

const authFunc = new Function(this, 'AuthorizerFunction', {
  handler: 'src/main/handler/firebaseAuth.handler',
  timeout: 30,
  environment,
});

const authorizer = new RequestAuthorizer(this, 'Authorizer', {
  handler: authFunc,
  resultsCacheTtl: Duration.millis(0),
  identitySources: [IdentitySource.header('Authorization')], // I think this should extract the token and add to the authorizationToken property of the event
});

const retrieveHandler = new Function(this, 'retrieveHandler', {
  handler:
    'src/main/handler/retrieveFeedbackHandler.handleRetrieveFeedback',
  timeout: scope.local ? 30 : 5,
  environment,
});

const api = new ApiGatewayV1Api(this, 'CustFeedbackApi', {
  defaultAuthorizer: authorizer,
  defaultAuthorizationType: AuthorizationType.CUSTOM,
  cors: true,
  routes: {    
    'GET /retrieve': {
      function: retrieveHandler,
    },
  },
});

Is there something I’m missing in how to define the auth function or hook it up to the API?

Frank

04/20/2021, 9:11 PM

Hi @Ross Coundon, can you compare the CF template in

.build/cdk.out

with the one that’s generated in SLS?

Frank

04/20/2021, 9:12 PM

And look for the

AWS::ApiGateway::Authorizer

resource

Frank

04/20/2021, 9:12 PM

I suspect some of its properties might not be the same?

Ross Coundon

04/20/2021, 9:13 PM

unfortunately not, this was a claudiajs app

Frank

04/20/2021, 9:14 PM

Oh so the

AWS::ApiGateway::Authorizer

looks identitcle?

Ross Coundon

04/20/2021, 9:15 PM

I mean, it wasn’t deployed using sls, not sure how claudiajs works. I may be to able to get a cfn definition from elsewhere, hang on

Ross Coundon

04/20/2021, 9:15 PM

Can you remind me of the sls command to build but not deploy?

Frank

04/20/2021, 9:15 PM

sls package

Ross Coundon

04/20/2021, 9:16 PM

thank you

Frank

04/20/2021, 9:17 PM

not sure if claudiajs uses CF template under the hood, if they do u can inspect the template in CF console

Ross Coundon

04/20/2021, 9:18 PM

sls:

Copy code

"FirebaseAuthApiGatewayAuthorizer": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {
        "AuthorizerResultTtlInSeconds": 0,
        "IdentitySource": "method.request.header.Authorization",
        "Name": "FirebaseAuth",
        "RestApiId": {
          "Ref": "ApiGatewayRestApi"
        },
        "AuthorizerUri": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":apigateway:",
              {
                "Ref": "AWS::Region"
              },
              ":lambda:path/2015-03-31/functions/",
              {
                "Fn::GetAtt": [
                  "FirebaseAuthLambdaFunction",
                  "Arn"
                ]
              },
              "/invocations"
            ]
          ]
        },
        "Type": "TOKEN"
      }
    },

SST

Copy code

"AuthorizerBD825682": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {
        "RestApiId": {
          "Ref": "CustFeedbackApi10B0E354"
        },
        "Type": "REQUEST",
        "AuthorizerResultTtlInSeconds": 0,
        "AuthorizerUri": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":apigateway:eu-west-2:lambda:path/2015-03-31/functions/",
              {
                "Fn::GetAtt": [
                  "AuthorizerFunctionB4DBAA43",
                  "Arn"
                ]
              },
              "/invocations"
            ]
          ]
        },
        "IdentitySource": "method.request.header.Authorization",
        "Name": "devcustomerfeedbacksstdevcustomerfeedbackstackAuthorizer1A04D2EE"
      },
      "Metadata": {
        "aws:cdk:path": "dev-customer-feedback-sst-dev-customer-feedback-stack/Authorizer/Resource"
      }
    },

Ross Coundon

04/20/2021, 9:19 PM

so looks type is set to TOKEN vs REQUEST

Frank

04/20/2021, 9:21 PM

Change this

Copy code

const authorizer = new RequestAuthorizer(this, 'Authorizer', {
  handler: authFunc,
  resultsCacheTtl: Duration.millis(0),
  identitySources: [IdentitySource.header('Authorization')], // I think this should extract the token and add to the authorizationToken property of the event
});

to use the TokenAuthorizer

Frank

04/20/2021, 9:21 PM

Here’s are a couple of CDK examples https://docs.aws.amazon.com/cdk/api/latest/docs/aws-apigateway-readme.html#lambda-based-token-authorizer

Ross Coundon

04/20/2021, 9:22 PM

Cool - trying now. Was looking for a way to set the type on the RequestAuthorizer 😖

Frank

04/20/2021, 9:24 PM

yeah, the

ApiGatewayV1Api

construct isn’t doing a good job helping configure the authorizeors. If you got suggestions at any point, i’m all ears 🙂

Ross Coundon

04/20/2021, 9:25 PM

fantastic, that worked. Thanks again, still learning all these constructs

2 Views

Open in Slack

Previous Next