Added websockets authorizer support

docs/providers/aws/events/websocket.md

@@ -61,7 +61,8 @@ service: serverless-ws-test
 provider:
   name: aws
   runtime: nodejs8.10
-  websocketApiRouteSelectionExpression: $request.body.action # custom routes are selected by the value of the action property in the body
+  websocketsApiName: custom-websockets-api-name
+  websocketsApiRouteSelectionExpression: $request.body.action # custom routes are selected by the value of the action property in the body
 
 functions:
   connectionHandler:
@@ -82,31 +83,73 @@ functions:
           route: foo # will trigger if $request.body.action === "foo"
 ```
 
-## Protect your Websocket backend
-To protect your websocket connection use an authorizer function on the `$connect`-route handler. It is only possible to use an authorizer function on this route, as this is the only point in time, where it is possible to prevent the ws-client to connect to our backend at all. As the client is not able to connect, the client can also not use the other websocket routes.
+## Using Authorizers
+You can enable an authorizer for your connect route by specifying the `authorizer` key in the websocket event definition.
 
-It is also possible to return a "500" in the connection handler, to prevent the ws-client from connecting.
+**Note:** AWS only supports authorizers for the `$connect` route.
 
-See this example:
+```yml
+functions:
+  connectHandler:
+    handler: handler.connectHandler
+    events:
+      - websocket:
+          route: $connect
+          authorizer: auth # references the auth function below
+  auth:
+    handler: handler.auth
+```
 
-```js
-module.exports.connectionHandler = async (event, context) => {
-
-  if(event.requestContext.routeKey === '$connect'){
-    console.log("NEW CONNECTION INCOMMING");
-    if (event.queryStringParameters.token !== 'abc') {
-      console.log('Connection blocked');
-      return {
-        statusCode: 500 // currently it is not possible to respond with a 4XX
-      };
-    }
-  }
+Or, if your authorizer function is not managed by this service, you can provide an arn instead:
 
-  console.log('Connection ok');
-  return {
-    statusCode: 200
-  };
-}
+```yml
+functions:
+  connectHandler:
+    handler: handler.connectHandler
+    events:
+      - websocket:
+          route: $connect
+          authorizer: arn:aws:lambda:us-east-1:1234567890:function:auth
+```
+
+By default, the `identitySource` property is set to `route.request.header.Auth`, meaning that your request must include the auth token in the `Auth` header of the request. You can overwrite this by specifying your own `identitySource` configuration:
+
+
+```yml
+functions:
+  connectHandler:
+    handler: handler.connectHandler
+    events:
+      - websocket:
+          route: $connect
+          authorizer:
+            name: auth
+            identitySource:
+              - 'route.request.header.Auth'
+              - 'route.request.querystring.Auth'
+
+  auth:
+    handler: handler.auth
+```
+With the above configuration, you can now must pass the auth token in both the `Auth` query string as well as the `Auth` header.
+
+You can also supply an ARN instead of the name when using the object syntax for the authorizer:
+
+```yml
+functions:
+  connectHandler:
+    handler: handler.connectHandler
+    events:
+      - websocket:
+          route: $connect
+          authorizer:
+            arn: arn:aws:lambda:us-east-1:1234567890:function:auth
+            identitySource:
+              - 'route.request.header.Auth'
+              - 'route.request.querystring.Auth'
+
+  auth:
+    handler: handler.auth
 ```
 
 ## Send a message to a ws-client
@@ -142,4 +185,4 @@ module.exports.defaultHandler = async (event, context) => {
     statusCode: 200
   };
 }
-```
+```

docs/providers/aws/guide/serverless.yml.md

@@ -30,6 +30,8 @@ provider:
   region: ${opt:region, 'us-east-1'} # Overwrite the default region used. Default is us-east-1
   stackName: custom-stack-name # Use a custom name for the CloudFormation stack
   apiName: custom-api-name # Use a custom name for the API Gateway API
+  websocketsApiName: custom-websockets-api-name # Use a custom name for the websockets API
+  websocketsApiRouteSelectionExpression: $request.body.route # custom route selection expression
   profile: production # The default profile to use with this service
   memorySize: 512 # Overwrite the default memory size. Default is 1024
   timeout: 10 # The default is 6 seconds. Note: API Gateway current maximum is 30 seconds
@@ -175,6 +177,12 @@ functions:
             identityValidationExpression: someRegex
       - websocket:
           route: $connect
+          authorizer:
+            # name: auth    NOTE: you can either use "name" or arn" properties
+            arn: arn:aws:lambda:us-east-1:1234567890:function:auth
+            identitySource:
+              - 'route.request.header.Auth'
+              - 'route.request.querystring.Auth'
       - s3:
           bucket: photos
           event: s3:ObjectCreated:*

lib/plugins/aws/lib/naming.js

@@ -196,6 +196,10 @@ module.exports = {
     return 'WebsocketsDeploymentStage';
   },
 
+  getWebsocketsAuthorizerLogicalId(functionName) {
+    return `${this.getNormalizedAuthorizerName(functionName)}WebsocketsAuthorizer`;
+  },
+
   // API Gateway
   getApiGatewayName() {
     if (this.provider.serverless.service.provider.apiName &&

lib/plugins/aws/lib/naming.test.js

@@ -283,6 +283,13 @@ describe('#naming()', () => {
     });
   });
 
+  describe('#getWebsocketsAuthorizerLogicalId()', () => {
+    it('should return the websockets authorizer logical id', () => {
+      expect(sdk.naming.getWebsocketsAuthorizerLogicalId('auth'))
+        .to.equal('AuthWebsocketsAuthorizer');
+    });
+  });
+
   describe('#getApiGatewayName()', () => {
     it('should return the composition of stage & service name if custom name not provided', () => {
       serverless.service.service = 'myService';

lib/plugins/aws/package/compile/events/websockets/index.js

@@ -9,6 +9,7 @@ const compilePermissions = require('./lib/permissions');
 const compileRoutes = require('./lib/routes');
 const compileDeployment = require('./lib/deployment');
 const compileStage = require('./lib/stage');
+const compileAuthorizers = require('./lib/authorizers');
 
 class AwsCompileWebsockets {
   constructor(serverless, options) {
@@ -21,6 +22,7 @@ class AwsCompileWebsockets {
       validate,
       compileApi,
       compileIntegrations,
+      compileAuthorizers,
       compilePermissions,
       compileRoutes,
       compileDeployment,
@@ -38,6 +40,7 @@ class AwsCompileWebsockets {
         return BbPromise.bind(this)
           .then(this.compileApi)
           .then(this.compileIntegrations)
+          .then(this.compileAuthorizers)
           .then(this.compilePermissions)
           .then(this.compileRoutes)
           .then(this.compileDeployment)

lib/plugins/aws/package/compile/events/websockets/index.test.js

@@ -35,6 +35,7 @@ describe('AwsCompileWebsocketsEvents', () => {
   describe('#constructor()', () => {
     let compileApiStub;
     let compileIntegrationsStub;
+    let compileAuthorizersStub;
     let compilePermissionsStub;
     let compileRoutesStub;
     let compileDeploymentStub;
@@ -45,6 +46,8 @@ describe('AwsCompileWebsocketsEvents', () => {
         .stub(awsCompileWebsocketsEvents, 'compileApi').resolves();
       compileIntegrationsStub = sinon
         .stub(awsCompileWebsocketsEvents, 'compileIntegrations').resolves();
+      compileAuthorizersStub = sinon
+        .stub(awsCompileWebsocketsEvents, 'compileAuthorizers').resolves();
       compilePermissionsStub = sinon
         .stub(awsCompileWebsocketsEvents, 'compilePermissions').resolves();
       compileRoutesStub = sinon
@@ -58,6 +61,7 @@ describe('AwsCompileWebsocketsEvents', () => {
     afterEach(() => {
       awsCompileWebsocketsEvents.compileApi.restore();
       awsCompileWebsocketsEvents.compileIntegrations.restore();
+      awsCompileWebsocketsEvents.compileAuthorizers.restore();
       awsCompileWebsocketsEvents.compilePermissions.restore();
       awsCompileWebsocketsEvents.compileRoutes.restore();
       awsCompileWebsocketsEvents.compileDeployment.restore();
@@ -91,7 +95,8 @@ describe('AwsCompileWebsocketsEvents', () => {
           expect(validateStub.calledOnce).to.be.equal(true);
           expect(compileApiStub.calledAfter(validateStub)).to.be.equal(true);
           expect(compileIntegrationsStub.calledAfter(compileApiStub)).to.be.equal(true);
-          expect(compilePermissionsStub.calledAfter(compileIntegrationsStub)).to.be.equal(true);
+          expect(compileAuthorizersStub.calledAfter(compileIntegrationsStub)).to.be.equal(true);
+          expect(compilePermissionsStub.calledAfter(compileAuthorizersStub)).to.be.equal(true);
           expect(compileRoutesStub.calledAfter(compilePermissionsStub)).to.be.equal(true);
           expect(compileDeploymentStub.calledAfter(compileRoutesStub)).to.be.equal(true);
           expect(compileStageStub.calledAfter(compileDeploymentStub)).to.be.equal(true);

lib/plugins/aws/package/compile/events/websockets/lib/authorizers.js

@@ -0,0 +1,33 @@
+'use strict';
+
+const _ = require('lodash');
+const BbPromise = require('bluebird');
+
+module.exports = {
+  compileAuthorizers() {
+    this.validated.events.forEach(event => {
+      if (!event.authorizer) {
+        return;
+      }
+      const websocketsAuthorizerLogicalId = this.provider.naming
+        .getWebsocketsAuthorizerLogicalId(event.authorizer.name);
+
+      _.merge(this.serverless.service.provider.compiledCloudFormationTemplate.Resources, {
+        [websocketsAuthorizerLogicalId]: {
+          Type: 'AWS::ApiGatewayV2::Authorizer',
+          Properties: {
+            ApiId: {
+              Ref: this.websocketsApiLogicalId,
+            },
+            Name: event.authorizer.name,
+            AuthorizerType: 'REQUEST',
+            AuthorizerUri: event.authorizer.uri,
+            IdentitySource: event.authorizer.identitySource,
+          },
+        },
+      });
+    });
+
+    return BbPromise.resolve();
+  },
+};

lib/plugins/aws/package/compile/events/websockets/lib/authorizers.test.js

@@ -0,0 +1,109 @@
+'use strict';
+
+const expect = require('chai').expect;
+const AwsCompileWebsocketsEvents = require('../index');
+const Serverless = require('../../../../../../../Serverless');
+const AwsProvider = require('../../../../../provider/awsProvider');
+
+describe('#compileAuthorizers()', () => {
+  let awsCompileWebsocketsEvents;
+
+  beforeEach(() => {
+    const serverless = new Serverless();
+    serverless.setProvider('aws', new AwsProvider(serverless));
+    serverless.service.provider.compiledCloudFormationTemplate = { Resources: {} };
+
+    awsCompileWebsocketsEvents = new AwsCompileWebsocketsEvents(serverless);
+
+    awsCompileWebsocketsEvents.websocketsApiLogicalId
+      = awsCompileWebsocketsEvents.provider.naming.getWebsocketsApiLogicalId();
+  });
+
+  it('should create an authorizer resource for routes with authorizer definition', () => {
+    awsCompileWebsocketsEvents.validated = {
+      events: [
+        {
+          functionName: 'First',
+          route: '$connect',
+          authorizer: {
+            name: 'auth',
+            uri: {
+              'Fn::Join': ['',
+                [
+                  'arn:',
+                  { Ref: 'AWS::Partition' },
+                  ':apigateway:',
+                  { Ref: 'AWS::Region' },
+                  ':lambda:path/2015-03-31/functions/',
+                  { 'Fn::GetAtt': ['AuthLambdaFunction', 'Arn'] },
+                  '/invocations',
+                ],
+              ],
+            },
+            identitySource: ['route.request.header.Auth'],
+          },
+        },
+      ],
+    };
+
+    return awsCompileWebsocketsEvents.compileAuthorizers().then(() => {
+      const resources = awsCompileWebsocketsEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources;
+
+      expect(resources).to.deep.equal({
+        AuthWebsocketsAuthorizer: {
+          Type: 'AWS::ApiGatewayV2::Authorizer',
+          Properties: {
+            ApiId: {
+              Ref: 'WebsocketsApi',
+            },
+            Name: 'auth',
+            AuthorizerType: 'REQUEST',
+            AuthorizerUri: {
+              'Fn::Join': [
+                '',
+                [
+                  'arn:',
+                  {
+                    Ref: 'AWS::Partition',
+                  },
+                  ':apigateway:',
+                  {
+                    Ref: 'AWS::Region',
+                  },
+                  ':lambda:path/2015-03-31/functions/',
+                  {
+                    'Fn::GetAtt': [
+                      'AuthLambdaFunction',
+                      'Arn',
+                    ],
+                  },
+                  '/invocations',
+                ],
+              ],
+            },
+            IdentitySource: ['route.request.header.Auth'],
+          },
+        },
+      });
+    });
+  });
+
+  it('should NOT create an authorizer resource for routes with not authorizer definition', () => {
+    awsCompileWebsocketsEvents.validated = {
+      events: [
+        {
+          functionName: 'First',
+          route: '$connect',
+        },
+      ],
+    };
+
+    return awsCompileWebsocketsEvents.compileAuthorizers().then(() => {
+      const resources = awsCompileWebsocketsEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources;
+
+      expect(resources).to.deep.equal({});
+    });
+  });
+});