Merge pull request #3187 from tgjorgoski/fix-for-custom-claims

Fix for authorizer claims: multiple claims and custom property claims  (#3088)

lib/plugins/aws/deploy/compile/events/apiGateway/lib/method/index.js

@@ -45,14 +45,24 @@ module.exports = {
       let extraCognitoPoolClaims;
       if (event.http.authorizer) {
         const claims = event.http.authorizer.claims || [];
-        extraCognitoPoolClaims = _.map(claims, claim =>
-            `"${claim}": "$context.authorizer.claims.${claim}",`
-        );
+        extraCognitoPoolClaims = _.map(claims, (claim) => {
+          if (typeof claim === 'string') {
+            const colonIndex = claim.indexOf(':');
+            if (colonIndex !== -1) {
+              const subClaim = claim.substring(colonIndex + 1);
+              return `"${subClaim}": "$context.authorizer.claims['${claim}']"`;
+            }
+          }
+          return `"${claim}": "$context.authorizer.claims.${claim}"`;
+        });
       }
       const requestTemplates = template.Properties.Integration.RequestTemplates;
       _.forEach(requestTemplates, (value, key) => {
-        requestTemplates[key] =
-          value.replace('extraCognitoPoolClaims', extraCognitoPoolClaims || '');
+        let claimsString = '';
+        if (extraCognitoPoolClaims && extraCognitoPoolClaims.length > 0) {
+          claimsString = extraCognitoPoolClaims.join(',').concat(',');
+        }
+        requestTemplates[key] = value.replace('extraCognitoPoolClaims', claimsString);
       });
 
       this.apiGatewayMethodLogicalIds.push(methodLogicalId);

lib/plugins/aws/deploy/compile/events/apiGateway/lib/method/index.test.js

@@ -219,14 +219,75 @@ describe('#compileMethods()', () => {
     ];
 
     return awsCompileApigEvents.compileMethods().then(() => {
-      expect(
-        awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate
-          .Resources.ApiGatewayMethodUsersCreatePost.Properties
-          .Integration.RequestTemplates['application/json']
-          ).to.match(/email/);
+      const jsonRequestTemplatesString = awsCompileApigEvents.serverless.service.provider
+          .compiledCloudFormationTemplate.Resources.ApiGatewayMethodUsersCreatePost.Properties
+          .Integration.RequestTemplates['application/json'];
+      const cognitoPoolClaimsRegex = /"cognitoPoolClaims"\s*:\s*(\{[^}]*\})/;
+      const cognitoPoolClaimsString = jsonRequestTemplatesString.match(cognitoPoolClaimsRegex)[1];
+      const cognitoPoolClaims = JSON.parse(cognitoPoolClaimsString);
+      expect(cognitoPoolClaims.email).to.equal('$context.authorizer.claims.email');
     });
   });
 
+  it('should set multiple claims for a cognito user pool', () => {
+    awsCompileApigEvents.validated.events = [
+      {
+        functionName: 'First',
+        http: {
+          authorizer: {
+            name: 'authorizer',
+            arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
+            claims: ['email', 'gender'],
+          },
+          integration: 'AWS',
+          path: 'users/create',
+          method: 'post',
+        },
+      },
+    ];
+
+    return awsCompileApigEvents.compileMethods().then(() => {
+      const jsonRequestTemplatesString = awsCompileApigEvents.serverless.service.provider
+          .compiledCloudFormationTemplate.Resources.ApiGatewayMethodUsersCreatePost.Properties
+          .Integration.RequestTemplates['application/json'];
+      const cognitoPoolClaimsRegex = /"cognitoPoolClaims"\s*:\s*(\{[^}]*\})/;
+      const cognitoPoolClaimsString = jsonRequestTemplatesString.match(cognitoPoolClaimsRegex)[1];
+      const cognitoPoolClaims = JSON.parse(cognitoPoolClaimsString);
+      expect(cognitoPoolClaims.email).to.equal('$context.authorizer.claims.email');
+      expect(cognitoPoolClaims.gender).to.equal('$context.authorizer.claims.gender');
+    });
+  });
+
+  it('should properly set claims for custom properties inside the cognito user pool', () => {
+    awsCompileApigEvents.validated.events = [
+      {
+        functionName: 'First',
+        http: {
+          authorizer: {
+            name: 'authorizer',
+            arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
+            claims: ['email', 'custom:score'],
+          },
+          integration: 'AWS',
+          path: 'users/create',
+          method: 'post',
+        },
+      },
+    ];
+
+    return awsCompileApigEvents.compileMethods().then(() => {
+      const jsonRequestTemplatesString = awsCompileApigEvents.serverless.service.provider
+          .compiledCloudFormationTemplate.Resources.ApiGatewayMethodUsersCreatePost.Properties
+          .Integration.RequestTemplates['application/json'];
+      const cognitoPoolClaimsRegex = /"cognitoPoolClaims"\s*:\s*(\{[^}]*\})/;
+      const cognitoPoolClaimsString = jsonRequestTemplatesString.match(cognitoPoolClaimsRegex)[1];
+      const cognitoPoolClaims = JSON.parse(cognitoPoolClaimsString);
+      expect(cognitoPoolClaims.email).to.equal('$context.authorizer.claims.email');
+      expect(cognitoPoolClaims.score).to.equal('$context.authorizer.claims[\'custom:score\']');
+    });
+  });
+
+
   it('should replace the extra claims in the template if there are none', () => {
     awsCompileApigEvents.validated.events = [
       {