entry point hangs if authorizer raise Exception #1192

Closed
ZeeD opened this issue Mar 9, 2021 · 6 comments

ZeeD commented Mar 9, 2021

According to https://www.serverless.com/blog/strategies-implementing-user-authentication-serverless-applications#lambda-custom-authorizers I can define a custom handler as an authorizer for my endpoints.

As I'm using python I looked for what the authorizer behavior should be and found at https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/0f7f3d933741a48c08c85feff267793f60b61a60/blueprints/python/api-gateway-authorizer-python.py#L29 that I should define a function that should raise Exception if the user is not recognized, or return a policy with the right authorizations otherwise.

But if I have a .yaml with

service: info
frameworkVersion: '2'
provider:
  name: aws
  runtime: python3.8
  lambdaHashingVersion: 20201221
  apiGateway:
    shouldStartNameWithService: true

functions:
  foo:
    handler: handler.foo
    events:
      - http:
          path: /foo
          method: get
          authorizer: auth
  auth:
    handler: handler.auth

plugins:
  - serverless-offline

where I have the handler.py as

def foo(event, context):
    return {
        'statusCode': 200,
        'body': 'body'
    }

def auth(event, context):
    raise Exception('Unauthorized')

I can see that sls offline starts the endpoint, but the REST call hangs.
In the logs I see

offline: Starting Offline: dev/us-east-1.
offline: Offline [http for lambda] listening on http://localhost:3002
offline: Function names exposed for local invocation by aws-sdk:
           * foo: info-dev-foo
           * auth: info-dev-auth
offline: Configuring Authorization: /foo auth

   ┌──────────────────────────────────────────────────────────────────────────────────┐
   │                                                                                  │
   │   GET | http://localhost:3000/dev/foo                                            │
   │   POST | http://localhost:3000/2015-03-31/functions/foo/invocations              │
   │                                                                                  │
   └──────────────────────────────────────────────────────────────────────────────────┘

offline: [HTTP] server ready: http://localhost:3000 🚀
offline: 
offline: Enter "rp" to replay the last request

offline: Running Authorization function for get /dev/foo (λ: auth)
Traceback (most recent call last):
  File "C:\Users\vito.detullio\Desktop\workspace-poste\custom-services-sdp\node_modules\serverless-offline\dist\lambda\handler-runner\python-runner\invoke.py", line 101, in <module>

    result = handler(input['event'], context)

  File ".\handler.py", line 8, in auth

    raise Exception('Unauthorized')
Exception: Unauthorized

Instead I expected a 401 response

Environment

sls --version
Framework Core: 2.28.3
Plugin: 4.4.3
SDK: 2.3.2
Components: 3.7.2

eml-nx commented Jun 18, 2021

Hi! Did you find the solution?

Author

ZeeD commented Jun 18, 2021

Nope.
As a workaround I forced the "auth logic" inside the "business logic" of the handler, and avoided the authorizer: auth definition in the .yaml

Contributor

thejuan commented Dec 15, 2021

Same issue here after upgrading to latest version and useWorkerThreads:true
Maybe related to #1143

Authorizer blueprints show that this is allowed to generate a 401

Offline: 8.3.1
Framework Core: 2.65.0 (local)
Plugin: 5.5.1
SDK: 4.3.0
Components: 3.17.2

@OxonianCambion

Hi!

I don't think this is fixed for Python and the non-in-process runners issue is a red herring:

I've encountered the same issue with serverless-offline 8.8.0 & v9.0.0.

My serverless.yml:

service: info

frameworkVersion: '3'

provider:
  name: aws
  runtime: python3.8
  stage: local

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          authorizer: auth

  auth:
    handler: handler.auth

plugins:
  - serverless-off

and handler.py:

def hello(event, context):
    response = {
        "statusCode": 200,
        "body": 'body'
    }

    return response

def auth(event, context):
    raise Exception('Unauthorized')

gives the same result, even if I use in-process runners or not.

I get the following, whether I use serverless offline or serverless offline --useInProcess
I get the same for version 8.8.0, with or without --useWorkerThreads.

Running Authorization function for get /local/hello (λ: auth)
Traceback (most recent call last):
  File "/test/node_modules/serverless-offline/src/lambda/handler-runner/python-runner/invoke.py", line 97, in <module>

    result = handler(input['event'], context)
  File "/test/./handler.py", line 10, in auth
    raise Exception('Unauthorized')
Exception: Unauthorized

If I use Docker with serverless offline --useDocker, it gives a slightly different result, but the underlying issue is still there:

Running Authorization function for get /local/hello (λ: auth)
✖ Lambda API listening on port 9001...

✖ START RequestId: cd44966f-4f39-1cf9-27a0-d74cf3bc8bf5 Version: $LATEST

✖ [ERROR] Exception: Unauthorized
  Traceback (most recent call last):
    File "/var/task/handler.py", line 10, in auth
      raise Exception('Unauthorized')

Authorization response did not include a principalId: (λ: auth)
✖ END RequestId: cd44966f-4f39-1cf9-27a0-d74cf3bc8bf5
  REPORT RequestId: cd44966f-4f39-1cf9-27a0-d74cf3bc8bf5        Init Duration: 105.09 ms        Duration: 2.88 ms       Billed Duration: 3 ms   Memory Size: 1024 MB  Max Memory Used: 37 MB

Note that in this case, there is actually a response, rather than a hang, but it's not a 401:

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "No principalId set on the Response"
}

Environment:

Framework Core: 3.21.0 (local)
Plugin: 6.2.2
SDK: 4.3.2
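
The authorizer outcomes discussed in this thread can be checked without going through serverless-offline. The following is an added example, not code from the thread, the plugin or the blueprint: a token authorizer plus a small harness that maps each outcome to the status a client should see. The token values, the principal name, the sample ARN and the `expected_status` helper are assumptions made for illustration; the 401 and 500 mappings follow the blueprint's convention, and the 403 for a missing principalId mirrors the response shown above.

```python
import hmac

# Constructed sample data: token -> policy effect, and a placeholder method ARN.
TOKENS = {"allow-me": "Allow", "deny-me": "Deny"}
SAMPLE_ARN = "arn:aws:execute-api:us-east-1:000000000000:example/dev/GET/foo"


def policy(principal_id, effect, resource):
    """Authorizer response; principalId must always be present."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def auth(event, context):
    token = (event.get("authorizationToken") or "").encode()
    for known, effect in TOKENS.items():
        # Constant-time comparison so the check does not leak token prefixes.
        if hmac.compare_digest(token, known.encode()):
            return policy("user|example", effect, event["methodArn"])
    # Missing or unknown token: the blueprint's signal for a 401.
    raise Exception("Unauthorized")


def expected_status(authorizer, event):
    """Status the client should see for this authorizer outcome (hypothetical helper)."""
    try:
        result = authorizer(event, None)
    except Exception as exc:
        # Only the exact message "Unauthorized" means 401; anything else is a fault.
        return 401 if str(exc) == "Unauthorized" else 500
    if not isinstance(result, dict) or not result.get("principalId"):
        return 403  # serverless-offline's "No principalId set on the Response"
    effects = {s["Effect"] for s in result["policyDocument"]["Statement"]}
    return 200 if effects == {"Allow"} else 403  # 200: request reaches the handler


if __name__ == "__main__":
    for token in ("allow-me", "deny-me", "bogus", None):
        event = {"authorizationToken": token, "methodArn": SAMPLE_ARN}
        print(token, expected_status(auth, event))
```

Running the same assertions against the deployed or emulated endpoint shows whether the emulator, rather than the authorizer, is responsible for a hang or an unexpected status.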

@dnalborczyk
Collaborator

the docs are not really clear about this and need some updates: the flags useInProcess, useWorkerThreads, useChildProcesses are only available for node.js runtimes.

@OxonianCambion could you open a new issue if you are still experiencing problems?

@OxonianCambion

Ah, so this issue is (somewhat) unrelated to #1319.
I'll raise a new issue for the Exception problem here and leave you to manage the documentation about the flags.
