Authentication middleware strategy


#1

I am converting an Express REST API into a Serverless app. My Express app was running a middleware function to validate an API key and secret using Basic Auth (through Passport.js). I was then looking up the user ID from the database and passing that through to the next function in middleware.

What is the best way to re-architect this in Serverless? I see the documentation on how to set up a custom authorizer function, but I don’t see anything about passing data from that (i.e. user ID) into the called function. I also see the section about setting API keys but I’m not sure if that’s what I want to use, since they are only talking about using X-Api-Key (we need to use both key and secret).

Any help is appreciated!


#2

From the manual (see http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html):

For the Lambda proxy integration, the context object returned from a custom authorizer is passed to the backend Lambda function as part of the input event. You can retrieve the context key-value pairs in the Lambda function by calling $event.requestContext.authorizer.key. For the preceding custom authorizer example, key is stringKey, numberKey or booleanKey. Their values are stringified, i.e., “stringval”, “123” or “true”, respectively.


#3

Thank you for this, it was very helpful! This got me where I needed to go. I wish the Serverless docs would have linked to this, it would have saved me a ton of time. I suppose they expect you to know Lambda well, but I think there are a lot of people coming in (myself included) who only use Serverless as their Lambda exposure.