
Fix backend authorization #38

Closed
ianic opened this issue Oct 11, 2021 · 5 comments
Labels
bug Something isn't working

Comments

@ianic
Member

ianic commented Oct 11, 2021

When authorization is enabled, sometimes requests like data and security fail with a 500 error. This causes the cli to hang because it is waiting for logs.

@ianic ianic added the bug Something isn't working label Oct 11, 2021
@ianic ianic added this to the single developer milestone Oct 11, 2021
@djelusic
Contributor

This is related to authorizer caching. Usually we create a new token for each request using this method:

func (c *Context) authToken() (string, error) {

Since the claims are always the same (just the workspace name) we might end up generating the same token for two subsequent requests if they are close enough together. Then the second request will fail because the cached policy grants access to a different method.

I'll fix this by adding a Method field to the access token claims so that two requests to different backend methods never use the same token.

@ianic
Member Author

ianic commented Oct 11, 2021

Ah, this is solved by configuring the identity sources.

When caching is enabled for an authorizer, API Gateway uses the authorizer's identity sources as the cache key. If a client specifies the same parameters in identity sources within the configured TTL, API Gateway uses the cached authorizer result, rather than invoking your Lambda function.

Currently the identity sources contain only: $request.header.Authorization
Add the query string as well.
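To make the cache-key collision described in the two comments above concrete, here is an added Go model of the authorizer cache; it is not code from this project or from API Gateway. It assumes an authorizer whose policy only covers the route it was invoked for, and uses `$context.routeKey` as the method-distinguishing identity source, which is an assumption (the thread only says "add the query string" or "an identity source that distinguishes the method").

```go
package main

import "strings"

// Request is a minimal model of an HTTP API request (constructed for this example).
type Request struct {
	RouteKey string            // e.g. "POST /deploy"
	Headers  map[string]string // carries the Authorization header
}

// Authorizer stands in for the Lambda authorizer: the policy it returns allows
// only the route it was invoked for, so a cached result is wrong for other routes.
func Authorizer(r Request) (allowedRoute string) {
	return r.RouteKey
}

// Gateway models the API Gateway authorizer cache: the key is built only from
// the configured identity sources, as the AWS doc quoted in the thread says.
type Gateway struct {
	IdentitySources []string          // e.g. "$request.header.Authorization"
	cache           map[string]string // cache key -> route the cached policy allows
	Invocations     int               // how often the authorizer was really called
}

func (g *Gateway) cacheKey(r Request) string {
	var parts []string
	for _, src := range g.IdentitySources {
		switch src {
		case "$request.header.Authorization":
			parts = append(parts, r.Headers["Authorization"])
		case "$context.routeKey": // assumed source that distinguishes the method
			parts = append(parts, r.RouteKey)
		}
	}
	return strings.Join(parts, "|")
}

// Handle reports whether the request is allowed, reusing a cached policy on a key hit.
func (g *Gateway) Handle(r Request) bool {
	key := g.cacheKey(r)
	if route, hit := g.cache[key]; hit {
		return route == r.RouteKey // same token, different route: cached policy denies
	}
	g.Invocations++
	if g.cache == nil {
		g.cache = map[string]string{}
	}
	g.cache[key] = Authorizer(r)
	return true
}
```

With only the Authorization header as identity source, a second request to a different route within the TTL hits the cached policy and is denied; adding a route-distinguishing source gives each route its own cache entry.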

@djelusic
Contributor

I played around with this a bit; I tried adding an identity source that distinguishes the method, and it works as expected. But now I've noticed another problem. Every time an authorization request uses the cache I get a 500 error. The only additional information I managed to extract is from the API Gateway access logs, where I get something like this:

{
    "requestId": "HGQeGiXZliAEPSw=",
    "ip": "93.142.91.220",
    "requestTime": "12/Oct/2021:13:57:46 +0000",
    "httpMethod": "POST",
    "routeKey": "POST /deploy",
    "status": "500",
    "protocol": "HTTP/1.1",
    "responseLength": "35",
    "authError": "The response from the Lambda Authorizer function doesn't match the format that API Gateway expects. Invalid json in authorizer response"
}

I wonder how a cached response can have an invalid JSON format if the original one passed...
I don't know how much sense it makes to investigate this further; at the moment caching is used very rarely because we constantly recreate the JWT tokens. One option is to turn caching off entirely.

@ianic
Member Author

ianic commented Oct 12, 2021

The method can't go into the authorization token.
I authorize someone into a role. This is the special case where I authorize myself. But when I authorize someone else, I create a token for them and send it, and they use it for a while. I give them one token per account. That's why the method can't go inside.

@djelusic
Contributor

I reverted these changes and turned off caching on the authorizer. I opened a new issue for that.
