Amazon web services AWS无服务器自定义jwt授权人lambda set cors响应
我在aws上部署了一个RESTAPI,它使用的是无服务器框架 现在,我在其中创建了一个简单的jwt令牌自定义令牌授权器来授权我的端点 这是我在serverless.yml中的路由定义-Amazon web services AWS无服务器自定义jwt授权人lambda set cors响应,amazon-web-services,cors,aws-api-gateway,serverless-framework,lambda-authorizer,Amazon Web Services,Cors,Aws Api Gateway,Serverless Framework,Lambda Authorizer,我在aws上部署了一个RESTAPI,它使用的是无服务器框架 现在,我在其中创建了一个简单的jwt令牌自定义令牌授权器来授权我的端点 这是我在serverless.yml中的路由定义- loginUser: handler: src/controllers/auth.loginUser events: - http: path: auth/local/login method: POST cors: true tokenVerif
loginUser:
handler: src/controllers/auth.loginUser
events:
- http:
path: auth/local/login
method: POST
cors: true
tokenVerifier:
handler: ./src/helpers/tokenVerifier.auth
userProfile:
handler: src/controllers/users.me
events:
- http:
path: user/me
method: GET
authorizer: tokenVerifier
cors: true
这是我的自定义授权器tokenVerifier函数定义-
const jwt = require('jsonwebtoken');
// Policy helper function
const generatePolicy = (principalId, effect, resource) => {
const authResponse = {};
authResponse.principalId = principalId;
if (effect && resource) {
const policyDocument = {};
policyDocument.Version = '2012-10-17';
policyDocument.Statement = [];
const statementOne = {};
statementOne.Action = 'execute-api:Invoke';
statementOne.Effect = effect;
statementOne.Resource = resource;
policyDocument.Statement[0] = statementOne;
authResponse.policyDocument = policyDocument;
}
return authResponse;
};
const auth = (event, context, callback) => {
// check header or url parameters or post parameters for token
const token = event.authorizationToken;
if (!token) return callback(null, 'Unauthorized');
// verifies secret and checks exp
jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
if (err) return callback(null, 'Unauthorized');
// if everything is good, save to request for use in other routes
return callback(null, generatePolicy(decoded._id, 'Allow', event.methodArn));
});
};
export {
auth
};
此外,我还创建了一个response helper实用程序,我在任何地方都可以使用它向用户返回响应-
const responseHelper = (response, context, callback, status = 404) => {
eventLogger(["----RESPONSE DATA----", response], context.functionName);
callback(null, {
statusCode: status,
body: JSON.stringify(response),
headers: {
"Access-Control-Allow-Origin" : "*", // Required for CORS support to work
"Access-Control-Allow-Credentials" : true, // Required for cookies, authorization headers with HTTPS
"Content-Type": "application/json"
}
});
};
因此,正如您所看到的,我已经将cors:true添加到路由yml中,并且还将cors头添加到我的所有lambda响应中。
在谷歌上,我遇到了答案,我试图将这些添加到默认的4xx、默认的5xx和过期的令牌响应中
但是,我还是犯了同样的错误-
Access to XMLHttpRequest at '<url>/dev/user/me' from origin '<site_url>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
那么,我是不是遗漏了什么?或者有人可以在这里帮助查找并解决此问题吗 假设您正在执行以下操作,则应将资源部分添加到serverless.yml中:
此外,我将首先在或任何其他类似工具中测试API,以确保在处理CORS之前一切都按预期工作
resources:
Resources:
# This response is needed for custom authorizer failures cors support ¯\_(ツ)_/¯
GatewayResponse:
Type: 'AWS::ApiGateway::GatewayResponse'
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: EXPIRED_TOKEN
RestApiId:
Ref: 'ApiGatewayRestApi'
StatusCode: '401'
AuthFailureGatewayResponse:
Type: 'AWS::ApiGateway::GatewayResponse'
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: UNAUTHORIZED
RestApiId:
Ref: 'ApiGatewayRestApi'
StatusCode: '401'