feat(apigateway): lambda token authorizer #5197
Conversation
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
nija-at
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.handler/index.ts
Outdated
Show resolved
Hide resolved
nija-at
changed the title
nija-at
changed the title
There was a problem hiding this comment.
See my comment under this: https://github.com/aws/aws-cdk/pull/5197/files#r350887652
| /** | ||
| * Returns a lazy that will resolve to the restApiId at the time of synthesis. | ||
| */ | ||
| protected get restApiId(): string { |
There was a problem hiding this comment.
OK, I think the base class is basically not needed. The IAuthorizer interface should implement the "bind" pattern (like lambda.Code) and allow derived classes to access the RestApi object. There is no need to store it at the base class.
This is also inline with my comment below about authorizers reporting their own type, which will make the API much cleaner.
So instead of:
authorizationType: apigateway.AuthorizationType.CUSTOM,
authorizer: authThe eventual API I would envision is:
authorizer: apigw.Authorizer.custom(lambdaHandler, { /* ... */ });Or for IAM:
authorizer: apigw.Authorizer.iam()
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
packages/@aws-cdk/aws-apigateway/lib/authorizers/authorizer-base.ts
Outdated
Show resolved
Hide resolved
| * Check if the given object is of type CustomAuthorizer | ||
| * @internal | ||
| */ | ||
| public static _isAuthorizer(x: any): x is AuthorizerBase { |
There was a problem hiding this comment.
Why is this internal? Wouldn't users want this functionality as well?
packages/@aws-cdk/aws-apigateway/lib/authorizers/authorizer-base.ts
Outdated
Show resolved
Hide resolved
| * The authorizer ID. | ||
| * @attribute | ||
| */ | ||
| public abstract readonly authorizerId: string; |
There was a problem hiding this comment.
This seems like a duplication, no? Also available in AuthorizerConfig...
There was a problem hiding this comment.
Required since this is a subclass of IAuthorizer. Typescript enforces that all abstract subclasses either implement abstract methods and properties, or re-indicate them as being abstract.
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
5 similar comments
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
* Authorizer -> Authorization * drop using Physical Name
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
* simplify authorizers class design - rename `AuthorizerBase` to `Authorizer`. This class should actually have the `CfnAuthorizer` instantiation, but will only be introduced when an additional authorizer is included. - simplify `AuthorizerBase` dramatically - move logic to cache `restApiId` from `AuthorizerBase` to `TokenAuthorizer`. When an additional authorizer is added, we will refactor. - remove the usage `Authorizer.token`. It is non-idiomatic in this context since we support one authorizer reused multiple times. * moved Authorizer to authorizer.ts * fix broken references and types Co-authored-by: Niranjan Jayakar <16217941+nija-at@users.noreply.github.com>
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| @@ -586,23 +586,23 @@ export = { | |||
| ResourceId: { Ref: "myapichildA0A65412" }, | |||
| Integration: { Type: 'AWS' }, | |||
| AuthorizerId: 'AUTHID', | |||
| AuthorizationType: 'COGNITO_USER_POOLS', | |||
There was a problem hiding this comment.
CF doc for Method states in the the AuthorizationType property section - "If you specify the AuthorizerId property, specify CUSTOM for this property. "
The original change contained validation to this effect and hence the test needed to be modified.
Since then, I think there is a documentation error here because the rule is not true when using cognito for authentication. In this case, both the AuthenticationType property on the Method and type property on the Authorizer should be COGNITO_USER_POOL.
I've reverted changes to this test file. At some point in the future, we might need additional validation, but I'd rather not mix this up with this (already long) PR.
I am in the process of modifying the PR. The resolved comments have been addressed locally on my workspace, but the code is not ready to be pushed yet. |
nija-at
added
pr/do-not-merge
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
|
@nija-at @eladb This is breaking the I can send a quick PR to make either make |
|
Internal reference: issues/CFN-30099 |
Authorizers provide functionality to manage and control access to
specific or all methods on a RestApi endpoint.
The lambda token authorizer expects the authorization token to be part
of the request's header and passes this to a lambda function that can
then either allow or deny access the requester access to the resource.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
closes #1402
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license