Custom Authorizer returning Unauthorized - NotAnErrorType

Hey there,

I am using a custom authorizer handler on an APIGateway RestAPI. The custom authorizer is all working as expected.

My question is around returning an Unauthorized result in the expected fashion:
return callback("Unauthorized");

When this is called and returned, the expected Unauthorized message is shown as the response, which is fine. However, in the Serverless Dashboard, function invocations show the error as NotAnErrorType.

Just to be clear, I am going to Overview > Invocations by Function > Auth, to see the below.


Surely this should show as an Unauthorized error type here? Otherwise, it would be difficult to see real errors amongst a large number of unauth’d requests. If I go to Explorer, it shows me the API path requested along with Unauthorized as the status, which is expected.

Just to confirm, the API Gateway has the unauthorized response set up in serverless.
Resources:
  # This response is needed for custom authorizer failures cors support ¯\_(ツ)_/¯
  GatewayResponse:
    Type: "AWS::ApiGateway::GatewayResponse"
    Properties:
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
      ResponseType: EXPIRED_TOKEN
      RestApiId:
        Ref: "ApiGatewayRestApi"
      StatusCode: "401"
  AuthFailureGatewayResponse:
    Type: "AWS::ApiGateway::GatewayResponse"
    Properties:
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
      ResponseType: UNAUTHORIZED
      RestApiId:
        Ref: "ApiGatewayRestApi"
      StatusCode: "401"

Thanks

The reason why it is labelled as NotAnErrorType is just because you are not returning an Error type, just as the message suggests. With a custom authorizer you should be returning a policy document with a deny set on the method ARN being accessed, as described here: https://www.serverless.com/learn/tutorial/validate-jwts/

Hey @garethmcc

Thanks for coming back to me. Thanks for the link I didn’t know these videos even existed…

However, I have tried this Deny approach but I am returned with a 500 and empty message using this route.
return generatePolicy(undefined, "Deny", event.methodArn);

It is like it heads to the function after auth with that policy as opposed to returning a 401/403. Reading here, it should return a 403 Forbidden.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

As a side note, this tutorial probably needs updating:


This refers to using the callback approach I started with.

Lastly, I’d like to send my thanks for your help and response rate. You have been invaluable and an asset to Serverless and its community.

Thanks

Hi @garethmcc

After testing further I was able to get this working with:
callback(null, generateDeny(undefined, event.methodArn));

However, this returns a 403 response. For this specific instance (when validating the authentication information) we would like to return a 401 response.

We can complete this using:
callback("Unauthorized");

However, we come back to the original issue in that the Dashboard shows this as NotAnErrorType. Ideally, we would not like these to show as Errors, as it would make finding other errors more difficult as these would occur when someone’s token is not valid/expired etc.

Thanks
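The three outcomes the thread arrives at (callback("Unauthorized") for a 401, a Deny policy document for a 403, an Allow policy document to let the request through) in one callback-style TOKEN authorizer, as an added example that is not code from the original posters or from the Serverless tutorial. The token table, the `verifyToken` lookup that stands in for real JWT signature/expiry checks, and the sample method ARN are all constructed for illustration; `generatePolicy` builds the policy document shape API Gateway expects, and `decide` separates the decision from the callback so it can be unit tested.

```javascript
'use strict';
// Added example (not the thread's code). Outcomes for a TOKEN-type Lambda
// authorizer on a REST API:
//   - callback('Unauthorized')  -> API Gateway's UNAUTHORIZED response (401)
//   - Deny policy document      -> API Gateway's ACCESS_DENIED response (403)
//   - Allow policy document     -> request reaches the backend
// Token verification is a constructed lookup table (hypothetical verifyToken)
// standing in for real JWT validation.

// Policy document in the shape API Gateway expects from an authorizer.
function generatePolicy(principalId, effect, resource) {
  return {
    principalId: principalId || 'anonymous',
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Constructed sample tokens: principal, expiry flag, and the HTTP verbs that
// principal is permitted to invoke. Not real credentials.
const SAMPLE_TOKENS = {
  'good-token': { principalId: 'user-123', expired: false, verbs: ['GET', 'POST'] },
  'readonly-token': { principalId: 'user-456', expired: false, verbs: ['GET'] },
  'stale-token': { principalId: 'user-789', expired: true, verbs: ['GET'] },
};

// Hypothetical stand-in for signature/expiry verification of a bearer token.
function verifyToken(token) {
  return SAMPLE_TOKENS[token] || null;
}

// The HTTP verb is the third path segment of a method ARN:
// arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<VERB>/<resource>
function verbFromMethodArn(methodArn) {
  const path = methodArn.split(':').pop(); // "<apiId>/<stage>/<VERB>/<resource>"
  return path.split('/')[2] || '';
}

// Decide the outcome without touching the callback so it can be unit tested.
function decide(event) {
  const raw = event.authorizationToken || '';
  const token = raw.replace(/^Bearer\s+/i, '').trim();
  const claims = token ? verifyToken(token) : null;
  // Missing, unknown or expired credentials: authentication failed -> 401 path.
  if (!claims || claims.expired) {
    return { kind: 'unauthorized' };
  }
  // Authenticated but not permitted on this method: Deny -> 403 from API Gateway.
  const verb = verbFromMethodArn(event.methodArn);
  const effect = claims.verbs.includes(verb) ? 'Allow' : 'Deny';
  return { kind: 'policy', policy: generatePolicy(claims.principalId, effect, event.methodArn) };
}

// Callback-style Lambda handler, as used in the thread.
function handler(event, context, callback) {
  const outcome = decide(event);
  if (outcome.kind === 'unauthorized') {
    // The literal string 'Unauthorized' is the value API Gateway maps to a 401;
    // other error values from the authorizer surface as a 500 instead.
    return callback('Unauthorized');
  }
  return callback(null, outcome.policy);
}

module.exports = { generatePolicy, verbFromMethodArn, decide, handler };
```

The split between authentication failure (no usable token, so `callback('Unauthorized')` and a 401) and authorization failure (a valid principal that is not allowed on this verb, so a Deny policy and a 403) is the distinction the thread is circling; keeping the policy's `Resource` equal to the incoming `event.methodArn` is what makes the Deny apply to the method actually being called.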

Would you be able to open a chat in the dashboard with me using the Intercom help bubble bottom right? Then we can try things in private chat and I can respond back here later with any results for anyone else interested.