
Commit 007807e

committed
enable authorizer caching and switch to v2 payload version
1 parent 7207130 commit 007807e


4 files changed

+33
-40
lines changed


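--- a/domain/auth.go
+++ b/domain/auth.go
@@ -2,6 +2,7 @@ package domain
 
 import (
 "context"
+"encoding/base64"
 "encoding/json"
 "fmt"
 "strings"
@@ -57,7 +58,8 @@ func verifyAccessToken(at, pk string) (*AccessTokenClaims, error) {
 
 func StoreUserClaims(claims *AccessTokenClaims, context map[string]interface{}) {
 buf, _ := json.Marshal(claims)
-context[ContextUserClaimsKey] = string(buf)
+b64 := base64.StdEncoding.EncodeToString(buf)
+context[ContextUserClaimsKey] = b64
 }
 
 func IsAdmin(ctx context.Context) (bool, error) {
@@ -81,10 +83,14 @@ func claimsFromAuthorizerContext(ac map[string]interface{}) (*AccessTokenClaims,
 if !ok {
 return nil, fmt.Errorf("claims not found")
 }
-buf, ok := c.(string)
+encoded, ok := c.(string)
 if !ok {
 return nil, fmt.Errorf("invalid claims format")
 }
+buf, err := base64.StdEncoding.DecodeString(encoded)
+if err != nil {
+return nil, err
+}
 var claims AccessTokenClaims
 if err := json.Unmarshal([]byte(buf), &claims); err != nil {
 return nil, err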
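Review bot: In claimsFromAuthorizerContext the `[]byte(buf)` on the json.Unmarshal line is now a no-op conversion, because the new `buf, err := base64.StdEncoding.DecodeString(encoded)` already yields a []byte; `if err := json.Unmarshal(buf, &claims); err != nil {` says what is happening without the leftover cast. The decode error is returned bare while the neighbouring failures carry fmt.Errorf messages; `return nil, fmt.Errorf("decoding claims: %w", err)` keeps the function's error style consistent and tells a reader which step of the context parsing failed. StoreUserClaims still discards the json.Marshal error and has no doc comment saying why the value is base64-encoded (presumably so the claims survive as a plain string in the authorizer context); a one-line comment such as `// StoreUserClaims writes the claims into the authorizer context as base64-encoded JSON; claimsFromAuthorizerContext reverses it.` would make that encoding contract explicit for both sides. claimsFromAuthorizerContext's body continues outside the hunk.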

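--- a/domain/auth_test.go
+++ b/domain/auth_test.go
@@ -2,6 +2,7 @@ package domain
 
 import (
 "context"
+"encoding/base64"
 "strings"
 "testing"
 "time"
@@ -21,8 +22,8 @@ func TestStoreReadUserClaims(t *testing.T) {
 }
 ctx := make(map[string]interface{})
 StoreUserClaims(&c, ctx)
-claimsMarshaled := "{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}"
-require.Equal(t, ctx["mantilUserClaims"], claimsMarshaled)
+claimsEncoded := base64.StdEncoding.EncodeToString([]byte("{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}"))
+require.Equal(t, ctx["mantilUserClaims"], claimsEncoded)
 }
 
 func TestReadUserClaims(t *testing.T) {
@@ -80,7 +81,7 @@ func TestClaimsFromContext(t *testing.T) {
 require.Nil(t, c)
 
 ac = map[string]interface{}{
-ContextUserClaimsKey: "{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}",
+ContextUserClaimsKey: base64.StdEncoding.EncodeToString([]byte("{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}")),
 }
 c, err = claimsFromAuthorizerContext(ac)
 require.Nil(t, err)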
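Review bot: The new base64 decode branch in claimsFromAuthorizerContext is not covered here: TestClaimsFromContext only feeds a correctly encoded value, so a context value that is a string but not valid base64 (which is what the old, unencoded format would look like to the new code) never exercises the `return nil, err` path after DecodeString. A case such as `ac = map[string]interface{}{ContextUserClaimsKey: "not-base64!"}` followed by `_, err = claimsFromAuthorizerContext(ac)` and `require.NotNil(t, err)` would pin that behavior. The same JSON literal is now spelled out twice in the file; a package-level `const` shared by both tests would keep them from drifting. TestClaimsFromContext continues outside the hunk.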

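--- a/node/functions/authorizer/main.go
+++ b/node/functions/authorizer/main.go
@@ -13,34 +13,7 @@ import (
 "github.com/mantil-io/mantil/kit/aws"
 )
 
-func generatePolicy(principalId, effect, resource string) *events.APIGatewayCustomAuthorizerResponse {
-rsp := events.APIGatewayCustomAuthorizerResponse{PrincipalID: principalId}
-
-if effect != "" && resource != "" {
-rsp.PolicyDocument = events.APIGatewayCustomAuthorizerPolicy{
-Version: "2012-10-17",
-Statement: []events.IAMPolicyStatement{
-{
-Action: []string{"execute-api:Invoke"},
-Effect: effect,
-Resource: []string{resource},
-},
-},
-}
-}
-return &rsp
-}
-
-func allow(req *events.APIGatewayCustomAuthorizerRequestTypeRequest) *events.APIGatewayCustomAuthorizerResponse {
-return generatePolicy("Mantil", "Allow", req.MethodArn)
-}
-
-func errorResponse(err error) (*events.APIGatewayCustomAuthorizerResponse, error) {
-log.Print(err)
-return nil, err
-}
-
-func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRequestTypeRequest) (*events.APIGatewayCustomAuthorizerResponse, error) {
+func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRequestTypeRequest) (*events.APIGatewayV2CustomAuthorizerSimpleResponse, error) {
 buf, _ := json.Marshal(req)
 log.Printf("req %s", buf)
 
@@ -52,11 +25,9 @@ func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRe
 if err != nil {
 return errorResponse(fmt.Errorf("read runtime access token error %w", err))
 }
-rsp := allow(req)
-if rsp.Context == nil {
-rsp.Context = make(map[string]interface{})
-}
-domain.StoreUserClaims(claims, rsp.Context)
+rsp := allowResponse(claims)
+buf, _ = json.Marshal(rsp)
+log.Printf("rsp %s", buf)
 return rsp, nil
 }
 
@@ -80,6 +51,20 @@ func publicKey() (string, error) {
 return pk, nil
 }
 
+func allowResponse(claims *domain.AccessTokenClaims) *events.APIGatewayV2CustomAuthorizerSimpleResponse {
+rsp := &events.APIGatewayV2CustomAuthorizerSimpleResponse{
+IsAuthorized: true,
+Context: make(map[string]interface{}),
+}
+domain.StoreUserClaims(claims, rsp.Context)
+return rsp
+}
+
+func errorResponse(err error) (*events.APIGatewayV2CustomAuthorizerSimpleResponse, error) {
+log.Print(err)
+return nil, err
+}
+
 func main() {
 lambda.Start(handleRequest)
 }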
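Review bot: The new `buf, _ = json.Marshal(rsp)` / `log.Printf("rsp %s", buf)` pair in handleRequest writes the entire authorizer response, including the user claims placed in the context map by allowResponse, to the function log on every invocation that reaches the authorizer; the pre-existing `log.Printf("req %s", buf)` context line above it already dumps the raw request and with it the identity-source header carrying the access token, so the log now holds both the token and its decoded claims. I would drop the response dump, or reduce both lines to a couple of non-sensitive fields, and keep full request/response dumps behind an explicit debug switch. errorResponse still returns `(nil, err)`; if I remember the HTTP API authorizer contract correctly, an error from the Lambda is surfaced to the caller as a 500 rather than a 401, so `return &events.APIGatewayV2CustomAuthorizerSimpleResponse{IsAuthorized: false}, nil` after the log.Print may be the deny you actually want with simple responses. handleRequest's body continues outside the first two hunks.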

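--- a/node/terraform/modules/http-api/api.tf
+++ b/node/terraform/modules/http-api/api.tf
@@ -109,9 +109,10 @@ resource "aws_apigatewayv2_authorizer" "http" {
 authorizer_type = "REQUEST"
 authorizer_uri = var.authorizer.invoke_arn
 identity_sources = ["$request.header.${var.authorizer.authorization_header}"]
-authorizer_payload_format_version = "1.0"
+authorizer_payload_format_version = "2.0"
 name = format(var.naming_template, "http-authorizer")
-authorizer_result_ttl_in_seconds = 0
+authorizer_result_ttl_in_seconds = 300
+enable_simple_responses = true
 }
 
 resource "aws_apigatewayv2_api_mapping" "http" {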
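Review bot: `authorizer_result_ttl_in_seconds = 300` makes API Gateway cache the allow decision, together with the claims context the Lambda built, keyed on the identity-source header value, so an access token that expires or is revoked keeps being accepted for up to five minutes after its last cached authorization and the stale context is replayed to the routes for that window. The trade-off is deliberate per the commit title but is recorded nowhere in the resource; a comment such as `# 300s result cache keyed on the auth header: token expiry/revocation and claim changes lag by up to the TTL` next to the attribute would stop the next reader from tuning it blind. If I remember the HTTP API authorizer contract correctly, enabling caching also means a request that lacks the identity-source header is rejected before the Lambda runs, which is worth checking against any client that sends the token in a different place.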
