Dear Serverless folks!
I want to protect my api (inside a lambda proxy integration) with custom authorizer, which uses roles with permissions for specific methods of my endpoints, an example is like admin client has CRUD (== POST, GET, PATCH, DELETE) access to ‘/admin/messages’ , but visitor client has only R as read (== GET). For other endpoints visitor has CRUD too.
I would like to utilize authorizer cache but I get invalid cached results I would like to fix.
One example is that when a Deny policy is returned to a resource for GET, and been put into cache, that cache entry is used to a new request with DELETE method. So I would like to use cache only the used method and let my authorizer been invoked again.
I don’t want to disable my cache or set TTL to 0, but I would like to configure it with ‘fine grained’ cache key which does not produce invalid cached results.
Is there any way to solve it?
Thanks in advance
Your custom authorizer needs to return a policy with all permissions that the user could ever need across the entire API endpoint. The only other option is to set the TTL to 0 to disabling caching of results. It’s just the way caching currently works.