Description
Bug Report
Current Behavior
When using a Custom Authorizer, the behaviour of serverless-offline differs from the deployed stack on AWS.
Sample Code
This is where we define the function event trigger. As is clear to see, we expect an HTTP POST on /{stage}/dashboard/
- file: trailingSlash/index.ts

```ts
events: [{
  http: {
    method: 'post',
    path: 'dashboard',
    cors: true,
    authorizer: 'auth',
  }
}]
```

Our custom authorizer generatePolicy method looks like this.
- file: auth/handler.js

```ts
// Builds the IAM policy document the custom authorizer returns to API Gateway.
// methodArn has the form
// arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-method/resource-path
const generatePolicy = (principalId: string, methodArn: string, role: string) => {
  const allowedResources: string[] = [];
  // Keep "arn:...:api-id/stage-name" and drop the HTTP method and resource path
  const baseArn = methodArn.split('/', 2).join('/');
  switch (role.toUpperCase()) {
    case 'ADMIN':
      // Any method on any resource of this stage
      allowedResources.push(`${baseArn}/*/*`);
      break;
    case 'USER':
      // Any method on anything under dashboard/ in this stage
      allowedResources.push(`${baseArn}/*/dashboard/*`);
      break;
    default:
      // Unknown role: no resources, so the Allow statement matches nothing
      break;
  }
  const generatedPolicy = {
    principalId: principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{
        Action: "execute-api:Invoke",
        Effect: "Allow",
        Resource: [
          ...allowedResources,
        ]
      }],
    },
  };
  return generatedPolicy;
};
```

We're basically generating the following policy for someone with the role "USER":
```json
{
  "principalId": "1234567890",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/*/dashboard/*"
      ]
    }]
  }
}
```

Expected behavior/code
When testing locally using serverless-offline, fetching the endpoint http://localhost:3000/dev/dashboard/, the response is 403 Forbidden, as the screenshot shows.
But when we deploy the stack to AWS, fetching the endpoint https://RANDOM.execute-api.us-east-1.amazonaws.com/dev/dashboard/, the result is 200 OK, as seen here.
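The policy above only allows resources that contain the literal string `dashboard/`, so how a request to /dev/dashboard/ evaluates depends on whether the trailing slash survives into the method ARN that is matched against the policy. The following is an added example, not code from this report, from serverless-offline or from AWS: a simplified IAM-style wildcard matcher and policy evaluator run over the USER policy above and a few constructed method ARNs. It assumes IAM's documented wildcard rules (`*` matches zero or more characters, including `/`; `?` matches exactly one; an explicit Deny wins; no matching statement means Deny), and the function names `iamPatternToRegExp`, `wildcardMatches`, `evaluatePolicy`, `decideAll` and the sample ARNs are all made up here. It shows that `dev/*/dashboard/*` matches `dev/POST/dashboard/` and nested dashboard paths but not `dev/POST/dashboard`.

```javascript
// Added example (not code from the report, serverless-offline or AWS): a
// minimal IAM-style wildcard matcher and policy evaluator, used to show how
// the report's USER policy evaluates against different method ARNs.
//
// Assumed semantics (IAM's documented wildcard rules, simplified):
//   '*' matches zero or more characters, including '/'
//   '?' matches exactly one character
//   an explicit Deny wins over Allow; no matching statement means Deny.
// Real API Gateway evaluation has more rules than this; only the wildcard
// behaviour matters for this report.

// Translate an IAM resource/action pattern into an anchored RegExp.
function iamPatternToRegExp(pattern) {
  let source = '';
  for (const ch of pattern) {
    if (ch === '*') source += '.*';
    else if (ch === '?') source += '.';
    else source += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
  }
  return new RegExp(`^${source}$`);
}

function wildcardMatches(pattern, value) {
  return iamPatternToRegExp(pattern).test(value);
}

// Evaluate one request (action on methodArn) against a policy document.
// Returns the effect and the resource patterns that matched.
function evaluatePolicy(policyDocument, methodArn, action = 'execute-api:Invoke') {
  let allowed = false;
  const matched = [];
  for (const stmt of policyDocument.Statement) {
    const actions = [].concat(stmt.Action);     // Action may be a string or an array
    const resources = [].concat(stmt.Resource); // same for Resource
    if (!actions.some((a) => wildcardMatches(a, action))) continue;
    const hits = resources.filter((r) => wildcardMatches(r, methodArn));
    if (hits.length === 0) continue;
    matched.push(...hits);
    if (stmt.Effect === 'Deny') return { effect: 'Deny', matched };
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return { effect: allowed ? 'Allow' : 'Deny', matched };
}

// The policy document the report shows for a USER (values copied from the report).
const userPolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Action: 'execute-api:Invoke',
    Effect: 'Allow',
    Resource: [
      'arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/*/dashboard/*',
    ],
  }],
};

// Constructed method ARNs for the same API and stage. Which of the first two
// an implementation builds for a request to /dev/dashboard/ is what the
// report is about; this example only shows how each one evaluates.
const apiArn = 'arn:aws:execute-api:us-east-1:random-account-id:random-api-id';
const sampleMethodArns = [
  `${apiArn}/dev/POST/dashboard`,          // no trailing slash
  `${apiArn}/dev/POST/dashboard/`,         // trailing slash kept
  `${apiArn}/dev/GET/dashboard/reports/1`, // nested dashboard resource
  `${apiArn}/dev/GET/admin`,               // outside dashboard
  `${apiArn}/prod/POST/dashboard/`,        // another stage
];

function decideAll(policyDocument = userPolicyDocument, arns = sampleMethodArns) {
  return arns.map((arn) => ({ methodArn: arn, ...evaluatePolicy(policyDocument, arn) }));
}

for (const row of decideAll()) {
  console.log(row.effect.padEnd(5), row.methodArn);
}
```

Run it with node; the loop prints one decision per ARN. The first ARN is denied only because `dashboard/*` cannot match a string that ends at `dashboard`; a policy that is meant to cover the resource both with and without the trailing slash has to list `${baseArn}/*/dashboard` as a separate resource. Note also that `*` spans `/`, so the same pattern covers every nested path under dashboard/.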
Environment
- serverless version: v2.53.0
- serverless-offline version: v8.0.0
- node.js version: v12.21.0
- OS: Linux Mint 19.1 Tessa
Additional context/Screenshots
We found this issue while doing the research The Fault in Our Stars, in which we explore how API Gateway Execute API Policy works under different conditions.
One researcher from our company opened issue 1191, in which he points out another incorrect behaviour of serverless-offline regarding the way it evaluates policies. It still has no response as of this date.