Node.js API网关返回401,不返回';t调用自定义授权程序
我已经为一个API网关实现了一个自定义的“请求”类型授权器,它验证在“授权”头中传递的JWT令牌。我已经独立测试了lambda,它的工作原理与预期相符。我还将授权人附加到我的路由上,我可以在AWS控制台中进行测试-同样,一切似乎都正常(见图): 但是,当我尝试使用Node.js API网关返回401,不返回';t调用自定义授权程序,node.js,amazon-web-services,aws-lambda,aws-api-gateway,Node.js,Amazon Web Services,Aws Lambda,Aws Api Gateway,我已经为一个API网关实现了一个自定义的“请求”类型授权器,它验证在“授权”头中传递的JWT令牌。我已经独立测试了lambda,它的工作原理与预期相符。我还将授权人附加到我的路由上,我可以在AWS控制台中进行测试-同样,一切似乎都正常(见图): 但是,当我尝试使用授权标题中的令牌调用我的端点时,我总是收到未经授权的响应: { "errors": [ { "category": "ClientError", "code": "UNAUTHORIZED",
授权
标题中的令牌调用我的端点时,我总是收到未经授权的响应:
{
"errors": [
{
"category": "ClientError",
"code": "UNAUTHORIZED",
"detail": "Unauthorized",
"method": "GET",
"path": "/cases",
"requestId": "004eb254-a926-45ad-96a5-ce3527621c81",
"retryable": false
}
]
}
据我所知,API网关从未调用我的授权程序,因为我在它的cloudwatch中没有看到任何日志事件。我能够启用API网关的cloudwatch日志记录,我看到的唯一日志信息如下:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| timestamp | message |
|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Extended Request Id: F2v9WFfiIAMF-9w= |
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Unauthorized request: dac0d4f6-1380-4049-bcee-bf776ca78e5c |
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Extended Request Id: F2v9WFfiIAMF-9w= |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response type: UNAUTHORIZED with status code: 401 |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response body: {"errors": [{"category": "ClientError","code": "UNAUTHORIZED","detail": "Unauthorized","method": "GET","path": "/cases","requestId": "dac0d4f6-1380-4049-bcee-bf776ca78e5c","retryable": false }]} |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response headers: {} |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response type: UNAUTHORIZED with status code: 401 |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
在这一点上,我完全被卡住了,不知道如何进一步调试它。我假设某些东西必须配置错误,但我能找到的日志信息没有给出任何问题的指示。我还在下图中粘贴了我的授权人配置的副本:
我发现了我遇到的问题: 我需要在端点的authorizer字段以及CF堆栈中设置identitySource:method.request.header.Authorization 原始云信息中的自定义授权人定义:
service:
name: api-base
frameworkVersion: ">=1.2.0 <2.0.0"
plugins:
- serverless-plugin-optimize
- serverless-offline
- serverless-pseudo-parameters
- serverless-domain-manager
custom:
stage: ${self:provider.stage, 'dev'}
serverless-offline:
port: ${env:OFFLINE_PORT, '4000'}
false: false
cognitoStack: marley-auth
customDomain:
domainName: ${env:BE_HOST, ''}
enabled: ${env:EN_CUSTOM_DOMAIN, self:custom.false}
stage: ${self:provider.stage, 'dev'}
createRoute53Record: true
provider:
name: aws
runtime: nodejs10.x
versionFunctions: true
apiName: public
logs:
restApi: true
stackTags:
COMMIT_SHA: ${env:COMMIT_SHA, 'NO-SHA'}
environment:
USER_POOL_ID: ${cf:${self:custom.cognitoStack}-${self:custom.stage}.UserPoolId}
CLIENT_ID: ${cf:${self:custom.cognitoStack}-${self:custom.stage}.UserPoolClientId}
timeout: 30
iamRoleStatements:
- Effect: "Allow"
Action:
- "lambda:InvokeFunction"
Resource: "*"
functions:
authorizer:
handler: handler/authorize.handler
resources:
- Outputs:
ApiGatewayRestApiId:
Value:
Ref: ApiGatewayRestApi
Export:
Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewayRestApiId
ApiGatewayRestApiRootResourceId:
Value:
Fn::GetAtt:
- ApiGatewayRestApi
- RootResourceId
Export:
Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewayRestApiRootResourceId
SharedAuthorizerId:
Value:
Ref: SharedAuthorizer
Export:
Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewaySharedAuthorizerId
- Resources:
SharedAuthorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
Name: public
AuthorizerUri: !Join
- ''
- - 'arn:aws:apigateway:'
- !Ref 'AWS::Region'
- ':lambda:path/2015-03-31/functions/'
- !GetAtt
- AuthorizerLambdaFunction
- Arn
- /invocations
RestApiId: !Ref 'ApiGatewayRestApi'
Type: REQUEST
IdentitySource: method.request.header.Authorization
AuthorizerResultTtlInSeconds: '300'
DependsOn: AuthorizerLambdaFunction
ApiAuthLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref AuthorizerLambdaFunction
Principal: apigateway.amazonaws.com
SourceArn: !Sub "arn:aws:execute-api:#{AWS::Region}:#{AWS::AccountId}:#{ApiGatewayRestApi}/authorizers/*"
DependsOn: ApiGatewayRestApi
请张贴您的授权人代码。我想这就是问题所在。@ArunK我已经在帖子中添加了我的授权者处理程序,但我不明白这里的代码怎么会是问题所在。正如我在最初的帖子中所说,当我将其作为lambda调用时,以及当我从API网关授权器控制台对其进行测试时,授权器可以工作,并且当我通过Curl或postman向端点发出请求时,它永远不会被调用。您使用的是无服务器框架吗。我不这么认为?您是否将授权人lambda设定为任何API的授权人?我正在使用无服务器框架,但我正在手动部署共享授权人,以便绕过此处的限制:如果您认为相关,我可以发布cloudformation。我已将授权人附加到我的许多端点,它们都显示相同的行为。请更新此响应,以非常清楚地显示您所做的更改,然后将此问题标记为“已关闭”。遇到相同问题的下一个可怜的灵魂将感谢您。。。
authorizer:
type: CUSTOM
authorizerId: ${cf:api-base-${self:custom.stage}.SharedAuthorizerId}
identitySource: method.request.header.Authorization