我有一个
listUsers由于我已将其更改为 Lambda Authorizer,它会返回
500serverless.ymlprovider:
httpApi:
cors: true
authorizers:
customAuthorizer:
type: request
functionName: custom-authorizer
functions:
custom-authorizer:
handler: authorizer.handler
listUsers:
handler: src/users/index.listUsersHandler
events:
- httpApi:
path: /users
method: get
authorizer: customAuthorizer
authorizer.jsconst { CognitoJwtVerifier } = require('aws-jwt-verify');
const Cognito = require('../shared/Cognito');
module.exports.handler = async (event) => {
const authHeader = event.headers.authorization;
if (!authHeader) {
console.log('No auth header');
return {
isAuthorized: false,
};
}
const token = authHeader.split(' ')[1];
console.log(token);
const verifier = CognitoJwtVerifier.create({
userPoolId: Cognito.UserPoolId,
tokenUse: 'access',
clientId: Cognito.ClientId,
});
let payload = null;
try {
payload = await verifier.verify(token);
console.log('Token is valid. Payload:', payload);
return {
isAuthorized: true,
};
} catch {
console.log('Token is invalid.');
return { isAuthorized: false };
}
};
当我向
/users但是,它永远不会运行实际的
listUsers{
"message": "Internal Server Error"
}
Lambda 授权者的预期输出本质上是主体标识符和策略文档:
AllowDenyexecute-api:Invoke您的 Lambda 授权者响应不正确,这就是您收到内部服务器错误的原因:
return {isAuthorized: true};
作为一个很好的起点,使用
methodArnevent) 上的
event.methodArn 属性作为资源。这是调用者请求的方法的 ARN,由 AWS 提供。
此方法将返回最小但正确的授权者响应:
function generatePolicy(principalId, effect, resource) {
return {
principalId,
policyDocument: {
Version: '2012-10-17',
Statement: [{
Action: 'execute-api:Invoke',
Effect: effect,
Resource: resource
}]
}
};
}
用途:
const authHeader = event.headers.authorization;
if (!authHeader) {
console.log('No auth header');
return generatePolicy('user', 'Deny', event.methodArn);
}
...
try {
const payload = await verifier.verify(token);
return generatePolicy('user', 'Allow', event.methodArn);
} catch {
return generatePolicy('user', 'Deny', event.methodArn);
}