Api gateway custom authorizer caching problems


#1

Hi guys, I did the implementation to use a custom authorizer for the API Gateway, and I was testing with the policy

// Policy returned by the authorizer; note the Resource is only the one method being called
function buildPolicy(userId, event) {
  return {
    principalId: userId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [
        {
          Action: 'execute-api:Invoke',
          Effect: 'Allow',
          Resource: event.methodArn,
        },
      ]
    }
  };
}

and it was working. Then I forced an error to switch the effect to Deny, but now all the requests are returning Unauthorized.

I see that it is not even calling the authorizer function anymore.

Is this cached?
How do I make it work again?

Thanks,

:wink:


#2

There are 2 resolutions.

  1. Return the entire security policy for the user for all endpoints of your API.
  2. Don't cache the policy.

I prefer #2 myself, and you can do it in your serverless.yml where you define your function(s).
Example:

functions:
  jwtAuth:
    handler: auth/jwt.handler

  doSomething:
    handler: myCode.doSomething
    events:
      - http:
          path: /dosomething
          method: post
          cors: true
          authorizer:
            name: jwtAuth
            resultTtlInSeconds: 0  # disables caching of the authorizer result

The key bit is resultTtlInSeconds: 0.

Hope this helps.
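Resolution #1 in working form, as an added example that is not code from either post: the authorizer derives an API-wide resource from event.methodArn so that the policy API Gateway caches is valid for every route, not just the first one called. The helper names (apiWideResource, buildPolicy, authorize) and the VALID_TOKENS lookup standing in for real token verification are my own assumptions.

```javascript
// Added example (not from either post). API Gateway caches the returned policy
// keyed by the identity source (the token, for a TOKEN authorizer) and then
// evaluates that cached policy against each request's methodArn. A policy whose
// Resource is a single methodArn therefore denies every other route, and a
// cached Deny (as in post #1) blocks everything, until resultTtlInSeconds expires.

// Turn a method ARN such as
//   arn:aws:execute-api:us-east-1:123456789012:abc123/dev/POST/dosomething
// into the API-wide resource
//   arn:aws:execute-api:us-east-1:123456789012:abc123/dev/*/*
function apiWideResource(methodArn) {
  const parts = methodArn.split(':');
  if (parts.length !== 6 || parts[2] !== 'execute-api') {
    throw new Error('unexpected methodArn: ' + methodArn);
  }
  const [apiId, stage] = parts[5].split('/');
  if (!apiId || !stage) {
    throw new Error('methodArn missing apiId/stage: ' + methodArn);
  }
  return parts.slice(0, 5).join(':') + ':' + apiId + '/' + stage + '/*/*';
}

// Build the IAM-style policy document API Gateway expects from an authorizer.
function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Hypothetical stand-in for real JWT verification: a constructed lookup table
// mapping bearer tokens to user ids.
const VALID_TOKENS = { 'Bearer good-token': 'user-1' };

// Core decision: API-wide Allow for a known token, explicit API-wide Deny
// (HTTP 403) otherwise, so the cached entry is consistent for all routes.
function authorize(event) {
  const resource = apiWideResource(event.methodArn);
  const userId = VALID_TOKENS[event.authorizationToken];
  return userId
    ? buildPolicy(userId, 'Allow', resource)
    : buildPolicy('anonymous', 'Deny', resource);
}

// Lambda entry point (handler: auth/jwt.handler in the serverless.yml above).
const handler = async (event) => authorize(event);
```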