This is a working example of a Lambda function (`index.handler`) that validates a JWT by checking its integrity (signature) against a public key and its expiration. Note that this example enforces expiry as `iat` plus a fixed duration rather than honouring the token's `exp` claim; this is a deliberate choice by the author (a server-side maximum token age that does not depend on whatever `exp` the issuer set).
- Clone this repo (duh!).
- Run `npm install` to get the dependencies: `moment` and `jsonwebtoken`.
- Create an RSA key pair for your tests -- more instructions here.
- Run `sign.js` to create a valid signed token using your private key and store it in a file (`token.jwt`).
- Run `test.js` to verify the token against your public key.
- Alternatively, run `tamper.js` to create a token signed with a different private key, so you can see verification fail.
API Gateway custom authorizers (now called Lambda authorizers) return an IAM policy document that API Gateway evaluates before it invokes the backend for the API call. To check whether the authorizer would let a call proceed, inspect the response object: `policyDocument.Statement` is an array of statements, and each statement's `Effect` is either `Allow` or `Deny`. Keep in mind that a `Deny` policy yields a 403 to the caller, whereas throwing an error with the message `Unauthorized` from the authorizer yields a 401, and that API Gateway caches the returned policy per token for the configured TTL.