I spent most of today trying to get the authorizer to work. I checked several examples, and they all seem to be doing the same thing my code does.
I am using the Serverless Framework; this is the authorizer code:
exports.handler = function (event: APIGatewayTokenAuthorizerEvent): APIGatewayAuthorizerResult {
  const authorizer = new Authorizer();
  try {
    if (!event.authorizationToken) throw new Error("No token");
    const token = event.authorizationToken.split(" ")[1];
    const decodedData = authorizer.verifyToken(token) as unknown as User;
    const policy = generatePolicy(token, event.methodArn);
    return {
      ...policy,
      context: {
        user: JSON.stringify(decodedData),
      },
    };
  } catch (err) {
    console.log(err);
    throw "Unauthorized";
  }
};

const generatePolicy = (principalId: string, methodArn: string) => {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [
        {
          Action: "execute-api:Invoke",
          Effect: "Allow",
          Resource: methodArn,
        },
      ],
    },
  };
};
This is the Serverless configuration:
const serverlessConfiguration: AWS = {
  service: "user-crud",
  frameworkVersion: "2",
  custom: {
    webpack: {
      webpackConfig: "./webpack.config.js",
      includeModules: true,
    },
  },
  plugins: ["serverless-webpack"],
  provider: {
    name: "aws",
    runtime: "nodejs14.x",
    region: "eu-west-1",
    apiGateway: {
      minimumCompressionSize: 1024,
      shouldStartNameWithService: true,
    },
    environment: {
      AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
    },
    lambdaHashingVersion: "20201221",
  },
  functions: {
    jwtAuthorizer: {
      handler: "src/api/authorizer.handler",
      name: "jwtAuthorizer",
    },
    get: {
      name: "get",
      handler: "src/api/get.handler",
      role: "arn:aws:iam::109394173706:role/dynamodb_cloudwatch_full",
      events: [
        {
          http: {
            path: "get",
            method: "get",
            cors: true,
            authorizer: "jwtAuthorizer",
          },
        },
      ],
    },
  }...
When the token is correct and the object is returned, I always get a 500 response, so I guess there is something wrong with the returned object?
If the token is incorrect and I throw "Unauthorized", I get the correct 401 response.
Apparently the handler needs to be async; otherwise it needs the callback... time well spent :|
Well, there are some other reasons for a
{
  message : null
}
error from API Gateway. I had a hard time identifying mine:
- Lambda Invoke Role
- Execution failed due to configuration error: Invalid JSON in response: Unrecognized field "headers", not marked as ignorable. You have to solve this by adding cors and explicitly mentioning those headers.
- A boolean return, in which case you have to enable Lambda response 2.0.
- delete the RestApiGateway and recreate it. Sometimes changes are not updated correctly in CloudFront.

function allowPolicy(methodArn) {
  console.log("Allow Policy")
  return {
    "principalId": "apigateway.amazonaws.com",
    "policyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Allow",
          "Resource": methodArn
        }
      ]
    },
    "context": {
      "stringValue": "blablabla",
      "numberValue": 10,
      "booleanValue": true,
    }
  };
}
You need to configure a resource-based policy statement in AWS Lambda that allows the API Gateway authorizer to invoke your function. It is under Configuration -> Permissions -> Resource-based policy statements.
Then add something like this:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "allow-api_gateway-authorizer-invoke",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "<LAMBDA AUTHORIZER FUNCTION ARN HERE>",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:<API GATEWAY REGION>:<ACCOUNT_NUMBER>:*/authorizers/*"
        }
      }
    }
  ]
}