Fix dbAuth on AWS Lambda (#5474)

* queryStringParameters can be null in AWS Lambda * Allow cookie to be capitalized * Make cookie vs. Cookie distinction once in DbAuthHandler * Extract header handling into separate function * Missed another semicolon... * Fix linter errors, add extractCookie in one more place Co-authored-by: Rob Cameron <cannikin@fastmail.com>
redwoodjs · Jun 2, 2022 · dbc0989 · dbc0989
1 parent d348e50
commit dbc0989
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/packages/api/src/functions/dbAuth/DbAuthHandler.ts b/packages/api/src/functions/dbAuth/DbAuthHandler.ts
@@ -13,7 +13,7 @@ import {
 import { normalizeRequest } from '../../transforms'
 
 import * as DbAuthError from './errors'
-import { decryptSession, getSession } from './shared'
+import { decryptSession, extractCookie, getSession } from './shared'
 
 interface DbAuthHandlerOptions {
   /**
@@ -156,6 +156,7 @@ export class DbAuthHandler {
   event: APIGatewayProxyEvent
   context: LambdaContext
   options: DbAuthHandlerOptions
+  cookie: string | undefined
   params: Params
   db: PrismaClient
   dbAccessor: any
@@ -220,6 +221,7 @@ export class DbAuthHandler {
     this.event = event
     this.context = context
     this.options = options
+    this.cookie = extractCookie(this.event)
 
     this._validateOptions()
 
@@ -237,9 +239,7 @@ export class DbAuthHandler {
     }
 
     try {
-      const [session, csrfToken] = decryptSession(
-        getSession(this.event.headers['cookie'])
-      )
+      const [session, csrfToken] = decryptSession(getSession(this.cookie))
       this.session = session
       this.sessionCsrfToken = csrfToken
     } catch (e) {
@@ -791,8 +791,7 @@ export class DbAuthHandler {
   // figure out which auth method we're trying to call
   _getAuthMethod() {
     // try getting it from the query string, /.redwood/functions/auth?method=[methodName]
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    let methodName = this.event.queryStringParameters!.method as AuthMethodNames
+    let methodName = this.event.queryStringParameters?.method as AuthMethodNames
 
     if (!DbAuthHandler.METHODS.includes(methodName) && this.params) {
       // try getting it from the body in JSON: { method: [methodName] }

diff --git a/packages/api/src/functions/dbAuth/shared.ts b/packages/api/src/functions/dbAuth/shared.ts
@@ -3,6 +3,12 @@ import CryptoJS from 'crypto-js'
 
 import * as DbAuthError from './errors'
 
+// Extracts the cookie from an event, handling lower and upper case header
+// names.
+export const extractCookie = (event: APIGatewayProxyEvent) => {
+  return event.headers.cookie || event.headers.Cookie
+}
+
 // decrypts the session cookie and returns an array: [data, csrf]
 export const decryptSession = (text: string | null) => {
   if (!text || text.trim() === '') {
@@ -44,9 +50,9 @@ export const getSession = (text?: string) => {
 // Convenience function to get session, decrypt, and return session data all
 // at once. Accepts the `event` argument from a Lambda function call.
 export const dbAuthSession = (event: APIGatewayProxyEvent) => {
-  if (event.headers.cookie) {
+  if (extractCookie(event)) {
     const [session, _csrfToken] = decryptSession(
-      getSession(event.headers.cookie)
+      getSession(extractCookie(event))
     )
     return session
   } else {