bill
October 29, 2017, 3:54am
1
I understand that I can:
enable private: true
to set API keys
enable authorizer: aws_iam
with aws iam
enable authorizer: auth
for custom authorizer
But I need to use a custom header in the authorizer. What should I do?
I test with authorizer: auth
but I found the event
has only three parts: authorizationToken, type and methodArn; no other headers are transferred to the event.
{
type: 'TOKEN',
methodArn: 'arn:aws:execute-api:::tnav0j/dev/GET/profile',
authorizationToken: 'allow'
}
So what should I do to authorise a custom header?
For example,
curl --header "X-token: abcd" ${API_Gateway}
This way is similar to x-api-key, but how do I use it for other headers?
1 Like
Hey @bill ,
If I understand your question correctly, the syntax would be something like:
authorizer:
  name: authorizerFunc # <-- Function name or ARN
  resultTtlInSeconds: 0
  identitySource: method.request.header.X-token # <-- custom header
  identityValidationExpression: someRegex
  type: token
Does that help?
For reference, here are docs on Serverless custom authorizer settings.
1 Like
bill
October 29, 2017, 10:27pm
3
Thanks a lot, @alexdebrie1 That’s what I am looking for.
Finally I realised that whatever name I give the header in identitySource, in the AWS event it is still called authorizationToken, and I still need to use event.authorizationToken to catch its value.
That explains why my code event.headers["X-token"] didn't work before.
And it is really good that the key of the specified authorization header is case-insensitive.
1 Like
bill
October 30, 2017, 1:29am
4
@alexdebrie1
Do you have any ideas on how to let the authorizer accept multiple headers?
curl --header "X-token: allow" --header "X-department: wireless" https://<api_url>
I need to authorise both headers.
@bill I think you’d need to use the REQUEST
type for your custom authorizer. This passes in the entire request rather than just a single header.
1 Like
bill
October 30, 2017, 1:33am
6
alexdebrie1:
REQUEST type
Thanks, I am not sure if I fully understand this part, but I will give it a try.
Hi, you can either use the TOKEN or the REQUEST type of custom authorizer with API Gateway. With TOKEN you'll get only the one header that you have defined as the event payload (along with the method ARN), and with REQUEST you'll get the whole request event with all headers (http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html#api-gateway-custom-authorizer-input).
This feature will be supported in the next release of Serverless Framework (https://github.com/serverless/serverless/pull/4372).
2 Likes
bill
November 1, 2017, 7:18am
8
Thanks, I already built with latest serverless codes and using this feature.