仅使用Lambda授权者在代理的API网关请求上添加标头 [英] Only add header on proxied API Gateway request with Lambda authorizer
问题描述
目前,我基于用于服务器HTML的AWS ApiGateway + Lambda构想一个架构,该架构取决于用户是否经过了正确的身份验证.我正在尝试实现此Cognito和自定义Lambda授权方.我希望我的Lambda始终返回HTML,并根据传递的cookie,为已登录/已退出状态生成HTML.在我看来,最好有一个单独的授权者来执行令牌验证,并将标头传递给生成Lambda的HTML.
At the moment I have an architecture in mind with AWS ApiGateway + Lambda for server HTML based on if a user is properly authenticated or not. I am trying to achieve this Cognito and a custom Lambda Authorizer. I'd like my Lambda to always return HTML and based on the cookie that is passed, generate HTML for a logged in / logged out state. In my mind that would be ideal to have a separate authorizer that does the token validation and pass a header to the HTML generating Lambda.
一个人怎么能做到这一点?
How can one achieve this?
我正在使用AWS Sam模板定义我的CF堆栈.查看我当前的模板:
I'm using AWS Sam template to define my CF stack. See my current template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: A Lambda function for rendering HTML pages with authentication
Resources:
WebAppGenerator:
Type: 'AWS::Serverless::Function'
Properties:
Handler: app.handler
Runtime: nodejs12.x
CodeUri: .
Description: A Lambda that generates HTML pages dynamically
MemorySize: 128
Timeout: 20
Events:
ProxyRoute:
Type: Api
Properties:
RestApiId: !Ref WebAppApi
Path: /{proxy+}
Method: GET
WebAppApi:
Type: AWS::Serverless::Api
Properties:
StageName: Prod
Auth:
DefaultAuthorizer: WebTokenAuthorizer
Authorizers:
WebTokenAuthorizer:
FunctionArn: !GetAtt WebAppTokenAuthorizer.Arn
WebAppTokenAuthorizer:
Type: AWS::Serverless::Function
Properties:
CodeUri: .
Handler: authorizer.handler
Runtime: nodejs12.x
在我的授权者(打字稿)中,我正在考虑生成一个始终具有允许"作用的策略.但是,如果缺少授权令牌(尚未基于cookie),则它已经返回了403. 参见:
In my authorizer (Typescript) I was thinking of generating a policy that always has an 'allow' effect. But if an authorization token (not cookie-based yet) is missing, it's already returning a 403. See:
function generatePolicy(principalId: string, isAuthorized: boolean, resource): APIGatewayAuthorizerResult {
const result: APIGatewayAuthorizerResult = {
principalId,
policyDocument: {
Version: '2012-10-17',
Statement: []
}
};
if (resource) {
result.policyDocument.Statement[0] = {
Action: 'execute-api:Invoke',
Effect: 'Allow',
Resource: resource
};
}
result.context = {
isAuthorized
};
return result
}
推荐答案
使用Custom Authorizer,我不确定您提到的功能是否可以直接实现.
With Custom Authorizer, I'm not sure whether the functionality you mentioned is directly possible to achieve.
Can you check whether you can define a mapping template with content type text/html, following this guide? (Make sure your Lambda integration is not a proxy integration)
但是,如果您可以选择的话,有两种可行的替代方法.
However, there are two alternative approaches that would work, if it's an option to you.
- 使用API Gateway前端的AWS Cloudfront并配置错误响应以基于错误状态代码显示HTML.
- 使用Lambda层授权并决定响应.
这篇关于仅使用Lambda授权者在代理的API网关请求上添加标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!