fix(apigatewayv2): defaultAuthorizer cannot be applied to HttpRoute #27576
Conversation
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
go-to-k
changed the title
go-to-k
changed the title
aws-cdk-automation
added
the
pr/needs-community-review
| if (props.authorizer) { | ||
| this.authBindResult = props.authorizer.bind({ | ||
| route: this, | ||
| scope: this.httpApi instanceof Construct ? this.httpApi : this, // scope under the API if it's not imported | ||
| }); | ||
| } else if (this.httpApi instanceof HttpApi && this.httpApi.defaultAuthorizer) { // because IHttpApi as it is does not have a defaultAuthorizer | ||
| this.authBindResult = this.httpApi.defaultAuthorizer.bind({ | ||
| route: this, | ||
| scope: this.httpApi, // this.httpApi is also a Construct because it is an HttpApi | ||
| }); | ||
| } |
There was a problem hiding this comment.
| if (props.authorizer) { | |
| this.authBindResult = props.authorizer.bind({ | |
| route: this, | |
| scope: this.httpApi instanceof Construct ? this.httpApi : this, // scope under the API if it's not imported | |
| }); | |
| } else if (this.httpApi instanceof HttpApi && this.httpApi.defaultAuthorizer) { // because IHttpApi as it is does not have a defaultAuthorizer | |
| this.authBindResult = this.httpApi.defaultAuthorizer.bind({ | |
| route: this, | |
| scope: this.httpApi, // this.httpApi is also a Construct because it is an HttpApi | |
| }); | |
| } | |
| const authorizer = props.authorizer ?? this.httpApi.defaultAuthorizer; | |
| this.authBindResult = authorizer?.bind({ | |
| route: this, | |
| scope: this.httpApi instanceof Construct ? this.httpApi : this, // scope under the API if it's not imported | |
| }); |
It should be fine to add defaultAuthorizer and defaultAuthorizationScopes to the IHttpApi interface (unless I'm missing something).
| if (this.authBindResult) { | ||
| if (props.authorizationScopes) { | ||
| authorizationScopes = Array.from(new Set([ | ||
| ...authorizationScopes ?? [], | ||
| ...props.authorizationScopes, | ||
| ])); | ||
| } else if (this.httpApi instanceof HttpApi && this.httpApi.defaultAuthorizationScopes) {// because IHttpApi as it is does not have a defaultAuthorizationScopes | ||
| authorizationScopes = Array.from(new Set([ | ||
| ...authorizationScopes ?? [], | ||
| ...this.httpApi.defaultAuthorizationScopes, | ||
| ])); | ||
| } |
There was a problem hiding this comment.
| if (this.authBindResult) { | |
| if (props.authorizationScopes) { | |
| authorizationScopes = Array.from(new Set([ | |
| ...authorizationScopes ?? [], | |
| ...props.authorizationScopes, | |
| ])); | |
| } else if (this.httpApi instanceof HttpApi && this.httpApi.defaultAuthorizationScopes) {// because IHttpApi as it is does not have a defaultAuthorizationScopes | |
| authorizationScopes = Array.from(new Set([ | |
| ...authorizationScopes ?? [], | |
| ...this.httpApi.defaultAuthorizationScopes, | |
| ])); | |
| } | |
| if (this.authBindResult && (props.authorizationScopes || this.httpApi.defaultAuthorizationScopes)) { | |
| authorizationScopes = Array.from(new Set([ | |
| ...authorizationScopes ?? [], | |
| ...props.authorizationScopes ?? this.httpApi.defaultAuthorizationScopes ?? [], | |
| ])); | |
| } |
| const httpApi = new HttpApi(stack, 'MyHttpApi'); | ||
| const httpApiWithDefaultAuthorizer = new HttpApi(stack, 'MyHttpApiWithDefaultAuthorizer', { | ||
| defaultAuthorizer, | ||
| }); |
There was a problem hiding this comment.
Can you also add defaultAuthorizationScopes to the httpApiWithDefaultAuthorizer API?
There was a problem hiding this comment.
I changed integ.user-pool instead of integ.lambda because defaultAuthorizationScopes (Authorization Scopes) are only valid for COGNITO_USER_POOLS and JWT authorization types
There was a problem hiding this comment.
👍 Thanks for the clarification.
|
Thanks for your review. I changed, so please review again! |
change an integ test
go-to-k
force-pushed
the
fix/apgwv2-route-authorizer
branch
from
41ca1bc
to
2a76067
Compare
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
There was a problem hiding this comment.
Thanks 👍
Some documentation adjustments are needed.
Also, can you please add back the default authorizer in the lambda integration test?
Is good to have some extra coverage.
| readonly defaultAuthorizer?: IHttpRouteAuthorizer; | ||
|
|
||
| /** | ||
| * Default OIDC scopes attached to all routes in the gateway, unless explicitly configured on the route. |
There was a problem hiding this comment.
| * Default OIDC scopes attached to all routes in the gateway, unless explicitly configured on the route. | |
| * Default OIDC scopes attached to all routes in the gateway, unless explicitly configured on the route. | |
| * The scopes are used with a COGNITO_USER_POOLS authorizer to authorize the method invocation. | |
| * |
Can you please align this as well?
There was a problem hiding this comment.
There was a problem hiding this comment.
Can you please provide documentation that describes the usage with a JWT authorizer?
I was only able to verify the COGNITO_USER_POOLS authorizer.
There was a problem hiding this comment.
Oh... I tried in the integ.lambda with defaultAuthorizationScopes in httpApiWithDefaultAuthorizer, CFn occurred the following error message.
I'll see if I can find any documentation.
UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid Route authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS and JWT authorization types (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: xxxxxx; Proxy: null)" (RequestToken: xxxxxx, HandlerErrorCode: GeneralServiceException)
There was a problem hiding this comment.
There is If you specify the AuthorizerId property, specify CUSTOM or COGNITO_USER_POOLS for this property. in the CFn doc.
I guess this CFn message represents CUSTOMCOGNITO_USER_POOLS as JWT.
What should we do in CDK doc?
There was a problem hiding this comment.
I found only this article.
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
There was a problem hiding this comment.
I'm starting to feel that COGNITO_USER_POOLS is all I need.
There was a problem hiding this comment.
Yeah, I think that COGNITO_USER_POOLS is sufficient since it generates a JWT authorizer.
There was a problem hiding this comment.
In the meantime, please review again as I have added only COGNITO_USER_POOLS for the message.
| /** | ||
| * Default Authorizer to applied to all routes in the gateway | ||
| * @attribute | ||
| * @default - No authorizer | ||
| */ |
There was a problem hiding this comment.
| /** | |
| * Default Authorizer to applied to all routes in the gateway | |
| * @attribute | |
| * @default - No authorizer | |
| */ | |
| /** | |
| * Default Authorizer applied to all routes in the gateway. | |
| * | |
| * @attribute | |
| * @default - no default authorizer | |
| */ |
Can you please align this as well?
There was a problem hiding this comment.
Please check.
aws-cdk-automation
removed
the
pr/needs-community-review
OK, I changed the integ.lambda and added snapshots. |
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This PR fixes a bug that
defaultAuthorizercannot be applied toHttpRoutewithout an authorizer.Closes #27436.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license