仅使用Lambda授权者在代理的API网关请求上添加标头 [英] Only add header on proxied API Gateway request with Lambda authorizer

问题描述

目前，我基于用于服务器HTML的AWS ApiGateway + Lambda构想一个架构，该架构取决于用户是否经过了正确的身份验证.我正在尝试实现此Cognito和自定义Lambda授权方.我希望我的Lambda始终返回HTML，并根据传递的cookie，为已登录/已退出状态生成HTML.在我看来，最好有一个单独的授权者来执行令牌验证，并将标头传递给生成Lambda的HTML.

At the moment I have an architecture in mind with AWS ApiGateway + Lambda for server HTML based on if a user is properly authenticated or not. I am trying to achieve this Cognito and a custom Lambda Authorizer. I'd like my Lambda to always return HTML and based on the cookie that is passed, generate HTML for a logged in / logged out state. In my mind that would be ideal to have a separate authorizer that does the token validation and pass a header to the HTML generating Lambda.

一个人怎么能做到这一点?

How can one achieve this?

我正在使用AWS Sam模板定义我的CF堆栈.查看我当前的模板:

I'm using AWS Sam template to define my CF stack. See my current template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: A Lambda function for rendering HTML pages with authentication
Resources:
  WebAppGenerator:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: app.handler
      Runtime: nodejs12.x
      CodeUri: .
      Description: A Lambda that generates HTML pages dynamically
      MemorySize: 128
      Timeout: 20
      Events:
        ProxyRoute:
          Type: Api
          Properties:
            RestApiId: !Ref WebAppApi
            Path: /{proxy+}
            Method: GET
  WebAppApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: WebTokenAuthorizer
        Authorizers:
          WebTokenAuthorizer:
            FunctionArn: !GetAtt WebAppTokenAuthorizer.Arn
  WebAppTokenAuthorizer:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .
      Handler: authorizer.handler
      Runtime: nodejs12.x

在我的授权者(打字稿)中，我正在考虑生成一个始终具有允许"作用的策略.但是，如果缺少授权令牌(尚未基于cookie)，则它已经返回了403. 参见:

In my authorizer (Typescript) I was thinking of generating a policy that always has an 'allow' effect. But if an authorization token (not cookie-based yet) is missing, it's already returning a 403. See:

function generatePolicy(principalId: string, isAuthorized: boolean, resource): APIGatewayAuthorizerResult {
    const result: APIGatewayAuthorizerResult = {
        principalId,
        policyDocument: {
            Version: '2012-10-17',
            Statement: []
        }
    };

    if (resource) {
        result.policyDocument.Statement[0] = {
            Action: 'execute-api:Invoke',
            Effect: 'Allow',
            Resource: resource
        };
    }

    result.context = {
        isAuthorized
    };

    return result
}

推荐答案

使用Custom Authorizer，我不确定您提到的功能是否可以直接实现.

With Custom Authorizer, I'm not sure whether the functionality you mentioned is directly possible to achieve.

是否可以按照

Can you check whether you can define a mapping template with content type text/html, following this guide? (Make sure your Lambda integration is not a proxy integration)

但是，如果您可以选择的话，有两种可行的替代方法.

However, there are two alternative approaches that would work, if it's an option to you.

• 使用API​​ Gateway前端的AWS Cloudfront并配置错误响应以基于错误状态代码显示HTML.
• 使用Lambda层授权并决定响应.

这篇关于仅使用Lambda授权者在代理的API网关请求上添加标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！