Finally solved!
The answer came from: API Gateway authorization and policy caching
TL;DR: Policies are cached so you either need to set the TTL to 0, so your authorizer gets called each time, or you need to construct a policy document that includes every single end point you have in your API. In my case, it was easy because I want to let the user access everything if they are logged in so my code looks something like this (Note right now set to Allow always, you should of course set to Allow or Deny as needed):
function authorizer(event, context, callback) {
const ret = {
principalId: null,
policyDocument: {
Version: "2012-10-17",
Statement: [
{
Action: "execute-api:Invoke",
Effect: "Allow",
Resource: "arn:aws:execute-api:us-east-1:495xxxxxxx:46xxxxxxx/dev/*/api/v1/*",
},
],
},
};
callback(null, ret);
}
Where the two * represent the method and the path (in my case after /api/v1).