Hey guys, shouldn't `auth.attachPermissionsForUnau...
# help
s
Hey guys, shouldn't `auth.attachPermissionsForUnauthUsers([api])` allow unauthenticated users access to my API? API endpoints return `{"message":"Forbidden"}` if I am unauthenticated. Am I missing something? Thanks!
I even tried this, same problem.
const policy = new iam.Policy(this, "AuthPolicy", {
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["execute-api:Invoke"],
            resources: [`arn:aws:execute-api:${scope.region}:${scope.account}:${api.httpApiId}/*`]
        })
    ],
});
policy.attachToRole(this.auth.iamUnauthRole)
d
Not sure if this could help: maybe you have some `authorizationType` on your route. I removed the default auth type from the API and add it individually on the routes:
'GET /unprotected': {
  function: 'src/test.main',
},

'GET /protected': {
  authorizationType: ApiAuthorizationType.AWS_IAM,
  function: 'src/test.main',
},
s
Yes I have IAM authorizationType, but isn't it supposed to work with that?
d
If you have set globally for ALL the routes to use ApiAuthorizationType.AWS_IAM then all your routes will require authorization of that type.
To my understanding, and I might be wrong here, you can't at the same time:
• enforce ApiAuthorizationType.AWS_IAM authentication
• allow unauthenticated users
My understanding - again could be wrong here:
• `authorizationType` defines how your route is protected (the route itself)
• `attachPermissionsForUnauthUsers` defines the resources an unauth user could access
s
Oh, thanks for your input!
d
For my non auth’d routes I have
"POST     /beta-signup": {
  authorizationType: sst.ApiAuthorizationType.NONE,
  function: "src/betaSignUp.main"
},
that’s basically a newsletter signup on an API that has mostly auth’d routes
s
I don't want to use `sst.ApiAuthorizationType.NONE` because I want to check in the function whether the user is authenticated or not.
d
Gotcha sorry I misunderstood the problem
f
Hey guys, just to clear up some confusion, `auth.attachPermissionsForUnauthUsers([api])` will allow non-authed users to access the Api, both NONE and IAM authorized routes.
@Sam are you still getting the Forbidden error?
s
Thanks @Frank Yes, I'm still getting the 403 Forbidden error.
f
Hey @Sam can you check the `x-amzn-errortype` response header and see if any of the following tips help? https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/
Oh btw, for not logged in users, are you generating IAM credentials for them? Note that you’d still have to do that similar to how you are generating the credentials for the logged in users.
s
Thanks a lot @Frank. Yes, I resolved this issue by calling `Auth.currentCredentials()` on the frontend. I am new to all of this, I thought it would work without credentials. 😅 Now I can use the same API endpoint for both authed and non-authed users.
f
Awesome!