Neil Balcombe
05/26/2022, 1:36 PM
thdxr
05/26/2022, 1:37 PM
thdxr
05/26/2022, 1:37 PM
thdxr
05/26/2022, 1:38 PM
Neil Balcombe
05/26/2022, 1:45 PM
thdxr
05/26/2022, 1:45 PM
thdxr
05/26/2022, 1:48 PM
createContext({
  type: "user",
  properties: { id: "id" }
})
I have various contexts since it might be a user authenticating or an API key or an internal service.
Then in my code before I do any work I'll do something like
context().assert.can("action")
Which will throw an exception if the current context cannot do the action. It's decoupled from the "who" and just specifies the "what", and these assertions can be implemented differently for different context types.
thdxr
05/26/2022, 1:48 PM
thdxr
05/26/2022, 1:49 PM
thdxr
05/26/2022, 1:50 PM
Neil Balcombe
05/26/2022, 1:52 PM
thdxr
05/26/2022, 1:54 PM
Neil Balcombe
05/26/2022, 1:56 PM
thdxr
05/26/2022, 1:59 PM
thdxr
05/26/2022, 2:00 PM
Neil Balcombe
05/26/2022, 2:07 PM
// Assumed imports for this snippet (SST v1 `Api` and the CDK v2 alpha authorizer module); not part of the original message
import { Api } from '@serverless-stack/resources';
import * as apigAuthorizers from '@aws-cdk/aws-apigatewayv2-authorizers-alpha';

const api = new Api(stack, 'Api', {
  authorizers: {
    jwt: {
      type: 'jwt',
      cdk: {
        // Auth0 tenant is the JWT issuer; the API's own invoke URL is the expected audience
        authorizer: new apigAuthorizers.HttpJwtAuthorizer('Authorizer', 'https://dev-8rchfy1d.us.auth0.com/', {
          jwtAudience: ['https://aw6lgqy70i.execute-api.us-east-1.amazonaws.com'],
        }),
      },
    },
  },
  defaults: {
    authorizer: 'jwt', // every route requires a valid JWT unless it opts out
  },
  routes: {
    'GET /private': 'functions/private.handler',
    'GET /public': {
      function: 'functions/public.handler',
      authorizer: 'none', // this route is explicitly unauthenticated
    },
  },
});
I'm not familiar enough with CDK to know what needs to be done here.
thdxr
05/26/2022, 2:07 PM
Neil Balcombe
05/26/2022, 2:08 PM
thdxr
05/26/2022, 2:08 PM
Neil Balcombe
05/26/2022, 2:09 PM
thdxr
05/26/2022, 2:09 PM
Klaus
05/26/2022, 8:30 PM
thdxr
05/26/2022, 9:04 PM
thdxr
05/26/2022, 9:05 PM
/user/id/photos endpoint that should only be accessed by the user's friends. The logic for whether someone can read that information goes beyond a role or a basic check you can do at the API level (since you wouldn't load the whole list of friends into the JWT) and needs to happen at a deeper level.
thdxr
05/26/2022, 9:06 PM
Frank
// authorizer.ts
// Route-level check inside the authorizer: the assert* helpers throw when access is denied
if (route.path.startsWith("/user/id/")) {
  assertFriendPermission(userId, friendId);
}
else if (route.path.startsWith("/public")) {
  // always grant permission
}
else {
  assertUserPermission(userId);
}
Frank
Frank
Neil Balcombe
05/27/2022, 8:46 AM
thdxr
05/27/2022, 12:16 PM
thdxr
05/27/2022, 12:18 PM
Neil Balcombe
05/27/2022, 12:52 PM
thdxr
05/27/2022, 12:53 PM
thdxr
05/27/2022, 12:54 PM
Neil Balcombe
05/27/2022, 12:57 PM
authorizers: {
  myAuthorizer: {
    type: "lambda",
    function: new Function(this, "Authorizer", {
      handler: "src/authorizer.main",
    }),
    resultsCacheTtl: "30 seconds",
  },
},
routes: {
  "GET /private": {
    function: "functions/private.handler",
  },
  "GET /public": {
    function: "functions/public.handler",
    authorizer: "none",
  },
  "GET /admin": {
    function: "functions/admin.handler",
    role: "admin",
  },
},
thdxr
05/27/2022, 12:58 PM
thdxr
05/27/2022, 12:59 PM
Neil Balcombe
05/27/2022, 1:02 PM
Klaus
05/27/2022, 1:19 PM
Klaus
05/27/2022, 1:19 PM
Neil Balcombe
05/27/2022, 1:20 PM
Klaus
05/27/2022, 1:20 PM
justindra
05/27/2022, 5:44 PM