Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sam local start-api Missing Authentication Token for root path '/' #437

Closed
0xdevalias opened this issue May 24, 2018 · 27 comments
Closed

sam local start-api Missing Authentication Token for root path '/' #437

0xdevalias opened this issue May 24, 2018 · 27 comments

Comments

@0xdevalias
Copy link

@0xdevalias 0xdevalias commented May 24, 2018

Description:

When I run sam local start-api -s public/ and try to access my endpoint, I receive a Missing Authentication Token in the browser. This same code runs fine when deployed to lambda, and correctly exposes my endpoint without auth required.

FOO:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-FOO
      CodeUri: ./target
      Handler: foo
      Runtime: go1.x
      Tracing: Active
      Events:
        CatchAll:
          Type: Api
          Properties:
            Path: "/{proxy+}"
            Method: ANY

Observed result:

Missing Authentication Token

Expected result:

My API is exposed without auth.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

macOS

Output of sam --version:

SAM CLI, version 0.3.0

@0xdevalias
Copy link
Author

@0xdevalias 0xdevalias commented May 24, 2018

Starting from scratch for debug:

sam init --runtime go1.x
cd sam-app
dep init
GOOS=linux GOARCH=amd64 go build -o hello-world/hello-world ./hello-world
sam local start-api

Attempting to access http://127.0.0.1:3000/ I see Missing Authentication Token (with no endpoint mapped there)
Attempting to access http://127.0.0.1:3000/hello it works as expected.

Changing the HelloWorldFunction to use /{proxy+}:

HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello-world/
      Handler: hello-world
      Runtime: go1.x
      Tracing: Active # https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html
      Events:
        CatchAll:
          Type: Api
          Properties:
            Path: "/{proxy+}"
            Method: ANY
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE

Now when I access http://127.0.0.1:3000/anythinghere it continues to work as expected.. so I don't think that is my issue.

Edit: Digging a little deeper.. it looks like even if I explicitly set the path to Path: "/" I get the same Missing Authentication Token when trying to access it. I wonder if that is somehow playing into this issue, even when trying to proxy it?

Edit2: Additional context, using https://github.com/gorilla/mux + https://github.com/awslabs/aws-lambda-go-api-proxy internally. When I set the path to Path: "/example" in my main project, that 1 endpoint works properly and doesn't produce Missing Authentication Token. When it is set to proxy though, my code never even gets reached/started. If I set my project to Path: "/a/{proxy+}" and try to access any of the URLs, my code starts correctly (then gets a 404 because that route doesn't exist)

@terrywarwar
Copy link

@terrywarwar terrywarwar commented Jun 20, 2018

I'm getting the same error with SAM CLI, version 0.4.0. It doesn't look like it's routing to the static files in my case.

2018-06-20 14:50:36 Mounting static files from /Users/terry/go/src/app/public at /
2018-06-20 14:50:36 Mounting SampleFunction at http://127.0.0.1:3000/api/{proxy+} [GET, DELETE, PUT, POST, HEAD, OPTIONS, PATCH]
2018-06-20 14:50:36 You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions changes will be reflected instantly/automatically. You only need to restart SAM CLI if you update your AWS SAM template
2018-06-20 14:50:36  * Running on http://127.0.0.1:3000/ (Press CTRL+C to quit)
2018-06-20 14:50:42 127.0.0.1 - - [20/Jun/2018 14:50:42] "GET / HTTP/1.1" 403 -
2018-06-20 14:50:42 127.0.0.1 - - [20/Jun/2018 14:50:42] "GET /favicon.ico HTTP/1.1" 403 -

@terrywarwar
Copy link

@terrywarwar terrywarwar commented Jun 23, 2018

Shouldn't localhost:3000 -> serves the index.html?

@jfuss
Copy link
Contributor

@jfuss jfuss commented Jul 18, 2018

So this is an issue with Flask and how the endpoints are modeled. By default Flask does not resolve the / as apart of the /{proxy+} route. This means we need to handle / (the root path) separately. There maybe a way to configure this behavior by default but haven't investigated that deeply yet.

@terrywarwar

Shouldn't localhost:3000 -> serves the index.html?

Maybe? But SAM CLI can't since we support API to Lambda on the same root path, so there can be path conflicts. Instead, you should just add the /index.html to the path explicitly.

Marking this as a bug

@amcp
Copy link

@amcp amcp commented Aug 15, 2018

I am getting this issue only on GET calls. POST works fine.

@tomasaschan
Copy link

@tomasaschan tomasaschan commented Nov 27, 2018

@amcp I'm seeing the opposite; GET works fine, while POST yields this error. None of my paths are /, i.e. I'm GETting and POSTing to e.g. /foo and /bar.

Windows 10, SAM CLI version 0.7.0.

@nealio82
Copy link

@nealio82 nealio82 commented Dec 10, 2018

I'm experiencing the same. Using SAM local POST works fine, but GET returns the "missing authentication token" on all catch-all routes, unless I add the first part of the route into the template.yaml config.

eg:

using path: /{proxy+}, method: ANY

GET /api/books, and /api/books/[id] returns missing authentication token

whereas using path: /api/{proxy+}, method: ANY

GET /api/books, and /api/books/[id] work as expected

Both configurations appear to work normally once deployed to the cloud.

I think this is going to become more prevalent as an issue now the runtime API has opened new languages and frameworks up to Lambda, and more people are going to get on-board with developing serverless functions locally, expecting their chosen language / framework to handle routing for them.

MacOS, SAM CLI version 0.8.1

@jfuss
Copy link
Contributor

@jfuss jfuss commented Dec 10, 2018

@nealio82 While the results are the same, your issue is different than the original issue. I commented above on what this issue relates to.

Please open a separate issues so we can track and investigate separately.

@nealio82
Copy link

@nealio82 nealio82 commented Dec 10, 2018

@jfuss Ok, shall do :) Although I'm not sure that it is different? Looking at the original bug report by @0xdevalias it looks like the config is almost exactly the same as the config I have, and their experience is the same... (the only difference I can see is that I also have path: / configured in my template.yaml to match the / route, and @0xdevalias doesn't)

@jfuss
Copy link
Contributor

@jfuss jfuss commented Dec 10, 2018

@nealio82 You didn't state anything about a root path (/) being configured. Your statement makes it sound like /{proxy+} is causing other paths not to resolve.

@nealio82
Copy link

@nealio82 nealio82 commented Dec 10, 2018

Ah, sorry, I didn't think it was relevant - I was adding context to the fact I'm seeing the same as the OP, and I didn't want to simply add an unhelpful '+1' or 'me too' comment. The root path works OK, as implied by 'GET returns the "missing authentication token" on all catch-all routes'.

@jfuss jfuss changed the title sam local start-api Missing Authentication Token sam local start-api Missing Authentication Token for root path '/' Dec 27, 2018
@dhruvsood dhruvsood added this to the Backlog milestone Jan 18, 2019
@metaskills
Copy link
Contributor

@metaskills metaskills commented Mar 5, 2019

I had opened #1037 and closed it because I think this is the root issue. Thanks!

@dpeek
Copy link

@dpeek dpeek commented Mar 9, 2019

So I think I might have found a way to fix this – commenting out the static files config passed to flask here allows /{proxy+} paths to resolve.

Happy to put together a PR, but not sure what you want to do... while serving static files is useful it's not something that APIG does and users can achieve something similar with a lambda serving files at a specific route.

If you want to avoid a breaking change, seems like path of least change is to only pass this config to flask if the user specifies the --static-dir argument?

@dpeek
Copy link

@dpeek dpeek commented Mar 9, 2019

Erm, scratch that. Was switching between samdev and sam and it seems my issue sorted it self out and now /{proxy+} resolves fine. Ignore me!

@metaskills
Copy link
Contributor

@metaskills metaskills commented Mar 10, 2019

Not for me.

@metaskills
Copy link
Contributor

@metaskills metaskills commented Mar 11, 2019

CONFIRMED! Setting static_url_path=None in local_apigw_service.py does allow /{proxy+} to work. I have confirmed with Flask that these two options are incompatible. I think it is important that local development allow root proxy and serving static files from root needs to be re-considered. What do other's think?

@StoneCypher
Copy link

@StoneCypher StoneCypher commented Mar 19, 2019

it's amusing because this breaks your front page hello world example as generated by your kit

@StoneCypher
Copy link

@StoneCypher StoneCypher commented Mar 19, 2019

it's actually pretty concerning that nine months after you found out your baseline generated code doesn't serve root correctly, it's still an outstanding bug

that's a one-liner route fix in flask

@metaskills
Copy link
Contributor

@metaskills metaskills commented Mar 20, 2019

Well in fairness, they have done ALOT of work and if I had to pick, I'd say I appreciate the effort being able to run Ruby on Lambda and other things vs something I can hack locally that is not an issue when deployed. That said, would be nice to see fixed.

@kaihendry
Copy link

@kaihendry kaihendry commented Apr 4, 2019

I followed https://github.com/stackery/php-lambda-layer to also get this "Missing Authentication Token". I've read this and I'm non-the-wiser.

Is there an error with https://media.dev.unee-t.com/2019-04-04/template.yaml ?

SAM CLI, version 0.14.2

Must say the SAM cli is a bit rough around the edges. Why can't it print the endpoint in the CLI? zomg. https://s.natalian.org/2019-04-04/1554348366_2560x1440.png

@dorneanu
Copy link

@dorneanu dorneanu commented Aug 8, 2019

Hi,

are there any updates on this one? I have exactly the same issue.

@iceback
Copy link

@iceback iceback commented Aug 8, 2019

THIS IS A MACOS VERSION OF #1316
kitselas:~$ sam --version
SAM CLI, version 0.18.0
kitselas:bin root# docker --version
Docker version 19.03.1, build 74b1e89

begin: template.yaml
Transform: 'AWS::Serverless-2016-10-31'
Resources:
PedigreesFunction:
# This resource creates a Lambda function.
Type: 'AWS::Serverless::Function'

Properties:
  # This function uses the Nodejs v8.10 runtime.
  Runtime: python3.7
    
  # This is the Lambda function's handler.
  Handler: app.lambdb_handler
  
  # The location of the Lambda function code.
  CodeUri: ./lambda-scripts/get-pedigrees.py
  
  # Event sources to attach to this function. In this case, we are attaching
  # one API Gateway endpoint to the Lambda function. The function is
  # called when a HTTP request is made to the API Gateway endpoint.
  Events:
    PedigreesApi:
        # Define an API Gateway endpoint that responds to HTTP GET at /thumbnail
        Type: Api
        Properties:
            Path: /pedigrees
            Method: GET

end template.yaml
sam validate
2019-08-08 10:56:23 Found credentials in shared credentials file: ~/.aws/credentials
/Users/rjs3/utah/dev/aws/pprapp/PPRConsole/template.yaml is a valid SAM Template

hit localhost:3000/pedigrees

kitselas:PPRConsole$ sam local start-api
2019-08-08 10:57:41 Mounting PedigreesFunction at http://127.0.0.1:3000/pedigrees [GET]
2019-08-08 10:57:41 You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions, changes will be reflected instantly/automatically. You only need to restart SAM CLI if you update your AWS SAM template
2019-08-08 10:57:41 * Running on http://127.0.0.1:3000/ (Press CTRL+C to quit)
2019-08-08 10:58:38 Invoking app.lambdb_handler (python3.7)
2019-08-08 10:58:39 Found credentials in shared credentials file: ~/.aws/credentials

Fetching lambci/lambda:python3.7 Docker container image......
2019-08-08 10:58:40 Mounting /Users/rjs3/utah/dev/aws/pprapp/PPRConsole/lambda-scripts/get-pedigrees.py as /var/task:ro,delegated inside runtime container
2019-08-08 10:58:41 Exception on /pedigrees [GET]
Traceback (most recent call last):
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/client.py", line 261, in _raise_for_status
response.raise_for_status()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http+docker://localhost/v1.35/containers/f0123288c45dd08164d6cf5ca4d3d598984a0d2213263c35dc671c254948013f/start

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 2317, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1840, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1743, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1838, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1824, in dispatch_request
return self.view_functionsrule.endpoint
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/apigw/local_apigw_service.py", line 156, in _request_handler
self.lambda_runner.invoke(route.function_name, event, stdout=stdout_stream_writer, stderr=self.stderr)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/commands/local/lib/local_lambda.py", line 93, in invoke
self.local_runtime.invoke(config, event, debug_context=self.debug_context, stdout=stdout, stderr=stderr)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/lambdafn/runtime.py", line 86, in invoke
self._container_manager.run(container)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/docker/manager.py", line 98, in run
container.start(input_data=input_data)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/docker/container.py", line 189, in start
real_container.start()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/models/containers.py", line 392, in start
return self.client.api.start(self.id, **kwargs)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/utils/decorators.py", line 19, in wrapped
return f(self, resource_id, *args, **kwargs)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/container.py", line 1091, in start
self._raise_for_status(res)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/client.py", line 263, in _raise_for_status
raise create_api_error_from_http_exception(e)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 400 Client Error: Bad Request ("OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused "rootfs_linux.go:58: mounting \"/Users/rjs3/utah/dev/aws/pprapp/PPRConsole/lambda-scripts/get-pedigrees.py\" to rootfs \"/var/lib/docker/overlay2/4248cf995aab0b8fb6cdd0db26dde5c5a99ccb31fce1c217a8c07cd8e6268704/merged\" at \"/var/lib/docker/overlay2/4248cf995aab0b8fb6cdd0db26dde5c5a99ccb31fce1c217a8c07cd8e6268704/merged/var/task\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type")
2019-08-08 10:58:41 127.0.0.1 - - [08/Aug/2019 10:58:41] "GET /pedigrees HTTP/1.1" 502 -
2019-08-08 10:58:41 127.0.0.1 - - [08/Aug/2019 10:58:41] "GET /favicon.ico HTTP/1.1" 403 -

I cannot locate the mounts under ~/Library/Containers

@dorneanu
Copy link

@dorneanu dorneanu commented Aug 13, 2019

As @metaskills commented:

CONFIRMED! Setting static_url_path=None in local_apigw_service.py does allow /{proxy+} to work.

This did not work for me. :( My version is:

$ sam --version
$ SAM CLI, version 0.19.0

@nevtum
Copy link

@nevtum nevtum commented Dec 21, 2019

By adding a root endpoint and another separate proxy endpoint to the SAM template I was able to get it to work:

...
Resources:
  MyFunction:
    Properties:
      CodeUri: MyFunction
      Events:
        RootEndpoint:
          Properties:
            Method: any
            Path: /
          Type: Api
        EverythingElse:
          Properties:
            Method: any
            Path: /{proxy+}
          Type: Api
      Handler: app.lambda_handler
      Runtime: python3.7
    Type: AWS::Serverless::Function

It seems like this convention of configuring multiple events for the same handler is done this way in other frameworks such as Zappa and Serverless (see the serverless.yml from this link).

@c2tarun
Copy link
Contributor

@c2tarun c2tarun commented Aug 14, 2020

Solution provided by @nevtum works for / path. Thanks @nevtum.
I am closing this issue, if anyone have questions please feel free to re-open.

@c2tarun c2tarun closed this Aug 14, 2020
@Kordstan
Copy link

@Kordstan Kordstan commented Oct 13, 2020

I am using CDK to create the apigateway and adding ResourceBase.addProxy and setting the anyMethod to true worked for me and I dont get the Missing Authentication...

@abecks
Copy link

@abecks abecks commented Oct 22, 2020

The solution provided by @nevtum does not work while also using the static assets option by either specifying -s manually or having a public folder present in the SAM directory.

Any ideas on a static assets workaround? @c2tarun I think this should be reopened

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet