
REST API authorizer validation only allows for one identitySource header #1674

Open
kevinhankens opened this issue Mar 23, 2023 · 3 comments


@kevinhankens
Contributor

kevinhankens commented Mar 23, 2023

Bug Report

Greetings! I have found that when validating REST API authorizers it only allows for one identitySource header. For caching, multiple headers are allowed.

According to the REST API docs:

In this case, your identitySource could contain multiple entries for your policy cache.

Current Behavior

Using something like the following will fail to start:

    events:
      - http:
          path: api/v1/endpoint
          method: post
          authorizer:
            name: custom-authorizer
            type: request
            resultTtlInSeconds: 3600
            identitySource: method.request.header.Authorization, method.request.header.AnotherHeader

Errors with:

Error: Serverless Offline only supports retrieving tokens from headers and querystring parameters (λ: custom-authorizer)

Sample Code

Here's a link to the code

Expected behavior/code

The above example should start offline.

Environment

  • serverless version: 3.28.1
  • serverless-offline version: 12.0.4

Possible Solution

diff --git src/events/http/createAuthScheme.js src/events/http/createAuthScheme.js
index 71b56a70..37447aa0 100644
--- src/events/http/createAuthScheme.js
+++ src/events/http/createAuthScheme.js
@@ -270,7 +270,8 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
     authorizerOptions.type !== 'request' ||
     authorizerOptions.identitySource
   ) {
-    const headerRegExp = /^(method.|\$)request.header.((?:\w+-?)+\w+)$/
+    // Only validate the first of N possible headers.
+    const headerRegExp = /^(method.|\$)request.header.((?:\w+-?)+\w+).*$/
     const queryStringRegExp =
       /^(method.|\$)request.querystring.((?:\w+-?)+\w+)$/
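Review bot: appending `.*$` to `headerRegExp` makes the pattern accept any trailing text after the first header name, so a misspelled or malformed second entry passes validation and is silently ignored (as the added comment admits, only the first of N headers is validated), while `queryStringRegExp` directly below stays strict, so an identitySource whose first entry is a querystring parameter still fails with the same error. Suggest splitting `authorizerOptions.identitySource` on `,`, trimming each piece, and matching every entry against the unchanged single-entry regexes, so all listed headers are both validated and available for token lookup. Also note the unescaped `.` in `method.` and `request.header.` matches any character, which is worth tightening while this regex is being touched.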

Additional context/Screenshots
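As an added example (not serverless-offline's code or the patch proposed above), the validation below takes the stricter route the issue hints at: it splits a multi-entry identitySource on commas and validates each entry separately, so a second header is checked and used rather than ignored. The `collectIdentity` helper and its rule that every listed source must be present are assumptions for this example.

```javascript
// Dots are escaped so "method.request.header" is matched literally; the
// captured group is the header or querystring name (letters, digits, hyphens).
const HEADER_RE = /^(?:method\.|\$)request\.header\.([A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)$/
const QUERY_RE = /^(?:method\.|\$)request\.querystring\.([A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)$/

// Parse "method.request.header.Authorization, method.request.header.AnotherHeader"
// into { headers: [...], queryStrings: [...] }. Every entry is validated, so a
// typo such as "method.request.hader.X" is rejected instead of silently ignored.
function parseIdentitySource(identitySource) {
  const entries = String(identitySource)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
  if (entries.length === 0) {
    throw new Error('identitySource must list at least one entry')
  }
  const headers = []
  const queryStrings = []
  for (const entry of entries) {
    const h = HEADER_RE.exec(entry)
    if (h) { headers.push(h[1].toLowerCase()); continue } // header names are case-insensitive
    const q = QUERY_RE.exec(entry)
    if (q) { queryStrings.push(q[1]); continue }
    throw new Error(
      `Serverless Offline only supports retrieving tokens from headers and querystring parameters (bad entry: "${entry}")`,
    )
  }
  return { headers, queryStrings }
}

// Collect the identity values for one request. Assumes `headers` has lower-cased
// keys (as Node's http module provides) and `query` is a plain object. Returns
// null when any listed source is absent or empty, so the caller can answer 401
// without invoking the authorizer (the assumed REQUEST-authorizer semantics).
function collectIdentity(parsed, headers, query) {
  const values = {}
  for (const name of parsed.headers) {
    if (!headers[name]) return null
    values[name] = headers[name]
  }
  for (const name of parsed.queryStrings) {
    if (!query[name]) return null
    values[name] = query[name]
  }
  return values
}
```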

@kevinhankens
Contributor Author

Greetings! Any chance of taking a look at this and the accompanying PR? We currently have to use an odd workflow to patch this for local development. Would be really helpful to get some movement on this. Thanks in advance!

@kevinhankens
Contributor Author

Hello again 😉 Kindly asking for assistance with this one.

@EhsanSepehriNasab

Amazing Work @kevinhankens! Thanks for fixing this.

I think this issue should be closed now. For someone who has this issue in serverless offline: you could fix this problem in a tricky way, like adding the isOffline variable to your environment and passing only one header to identitySource.

    identitySource: conf(GlobalConfig, 'IS_OFFLINE', false)
      ? 'method.request.header.x-api-key'
      : 'method.request.header.x-api-key, method.request.header.x-secret-key',
