How do you add a request validator to API Gateway?

How do you natively within Serverless Framework add request validation for an endpoint within API Gateway?

I have already achieved this with these two plugins:

  • serverless-aws-documentation
  • serverless-reqvalidator-plugin

and:

Function has:

my_func:
  request:
    parameters:
      headers:
        X-Timestamp: true
        X-Signature: true
  reqValidatorName: bodyAndParams

req_validator:

Resources:
  bodyAndParams:
    Type: "AWS::ApiGateway::RequestValidator"
    Properties:
      Name: 'body-and-params'
      RestApiId:
        Ref: ApiGatewayRestApi
      ValidateRequestBody: true
      ValidateRequestParameters: true

But I want to drop these two plugins if possible, since the majority of this is available in the framework already, but I feel like I am missing the final piece to turn on the validation.

I too would like to know about this…

Googling shows this but I can’t make sense of it

If you set params as required via serverless syntax you then can just also activate the validator for parameters like so

Resources:
  ParameterRequestValidator:
    Type: AWS::ApiGateway::RequestValidator
    Properties:
      Name: ParameterRequestValidator
      RestApiId:
        Ref: ApiGatewayRestApi
      ValidateRequestBody: false
      ValidateRequestParameters: true

  ApiGatewayMethodNameOfYourApiLookItUpInYourTemplate:
    Properties:
      RequestValidatorId:
        Ref: ParameterRequestValidator

So to do this with the following plugins:

"serverless-aws-documentation": "github:deliveryhero/serverless-aws-documentation",
"serverless-reqvalidator-plugin": "^1.0.3",

on a function:

request:
  parameters:
    headers:
      X-Token: true
      X-Event: true
reqValidatorName: bodyAndParams

The resource bodyAndParams:

bodyAndParams:
    Type: "AWS::ApiGateway::RequestValidator"
    Properties:
      Name: 'body-and-params'
      RestApiId:
        Ref: ApiGatewayRestApi
      ValidateRequestBody: true
      ValidateRequestParameters: true

This does work, but I would ideally like to remove the plugins as it's an additional dependency in deploying my application. The header validation is the main thing I care about because it removes the requirement for the code to validate the headers.

Agreed, I am in a similar scenario, though I also get some warning each time about it.

There is no need for a plugin for request validation. It is built into the framework: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#request-parameters

That makes them ‘required’ but doesn’t set the validation in the api gateway, so therefore it doesn’t actually validate

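A check for the gap described in the post above, added here as an example and not part of the thread: it walks a compiled CloudFormation template and reports every `AWS::ApiGateway::Method` that marks parameters as required or attaches a request model without a `RequestValidatorId` that enforces them. The template is a constructed sample, `ApiGatewayMethodHookPost` is a hypothetical method, and the function name is made up for this example.

```python
# Constructed sample shaped like a compiled Serverless CloudFormation template.
# Logical IDs and parameter names echo the thread; the "Hook" method is made up.
SAMPLE_TEMPLATE = {"Resources": {
    "ParameterRequestValidator": {
        "Type": "AWS::ApiGateway::RequestValidator",
        "Properties": {"ValidateRequestBody": False,
                       "ValidateRequestParameters": True}},
    "ApiGatewayMethodDealsGet": {  # wired to the validator
        "Type": "AWS::ApiGateway::Method",
        "Properties": {
            "RequestParameters": {"method.request.querystring.country": True,
                                  "method.request.querystring.type": True},
            "RequestValidatorId": {"Ref": "ParameterRequestValidator"}}},
    "ApiGatewayMethodHookPost": {  # required headers, but no validator attached
        "Type": "AWS::ApiGateway::Method",
        "Properties": {
            "RequestParameters": {"method.request.header.X-Timestamp": True,
                                  "method.request.header.X-Signature": True}}},
}}


def unenforced_methods(template):
    """Map each method's logical ID to the validation it declares but does not enforce."""
    resources = template.get("Resources", {})
    findings = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        required = sorted(k for k, v in props.get("RequestParameters", {}).items() if v is True)
        ref = props.get("RequestValidatorId")
        ref = ref.get("Ref") if isinstance(ref, dict) else None
        # A validator defined outside this template cannot be inspected here.
        validator = resources.get(ref, {}).get("Properties", {}) if ref else {}
        reasons = []
        if required and validator.get("ValidateRequestParameters") is not True:
            reasons.append("required parameters not validated: " + ", ".join(required))
        if props.get("RequestModels") and validator.get("ValidateRequestBody") is not True:
            reasons.append("request model attached but body not validated")
        if reasons:
            findings[logical_id] = reasons
    return findings


if __name__ == "__main__":
    for method, reasons in unenforced_methods(SAMPLE_TEMPLATE).items():
        print(method, "->", "; ".join(reasons))
```

To audit a real deployment, load the compiled template with `json.load` and pass the resulting dict to `unenforced_methods`.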

I don’t understand why you need those two plugins. You’re adding raw CloudFormation, so you should be able to enable validation directly in it. I got it to work, but with an OpenAPI (x-amazon-apigateway-request-validator) script embedded into the CloudFormation, which was deployed via Serverless. That said, I don’t know why your AWS::ApiGateway::RequestValidator resource wouldn’t work.

Anyways, have you figured this out?

I’m actually trying to do somewhat the opposite: I want to disable validation. When you create the gateway in Serverless’ native way (i.e. below), adding a schema automatically turns on validation and I can’t find any way to NOT enable it.

events:
      - http:
          method: post
          path: '/serverless-full'
          integration: lambda
          request:
            schema:
              application/json: ${file(../models/UserModel.json)}
            template:
              application/json: '$util.escapeJavaScript($input.body).replaceAll("\\","")'
            passThrough: WHEN_NO_TEMPLATES
            contentHandling: CONVERT_TO_TEXT
          response:
            headers:
              Content-Type: "'application/json'"
            contentHandling: CONVERT_TO_TEXT

For those of you failing to see this, like I also did:

This is what you need to do in plain English.

Turn

ApiGatewayMethodNameOfYourApiLookItUpInYourTemplate

to

APIGatewayMethod<1><2>


In my case, it was APIGatewayDealsGet

The thing I was looking at was my handler name in serverless:

  list:
    # Defines an HTTP API endpoint that calls the main function in list.js
    # - path: url path is /deals
    # - method: GET request
    handler: list.main
    events:
      - http:
          path: deals
          method: get
          cors: true
          authorizer: aws_iam
          request:
            parameters:
              querystrings:
                country: true
                type: true

Alternatively, if this does not work, check the S3 bucket (mine was called xxxxxxx-ap-serverlessdeploymentbuck-1epdp60eqveqr) and go to serverless > yyyyyyyyyyy > aaaa > timestamp > compiled-cloudformation-template.json

And look for the name of your method in there; for example, mine was:

	"ApiGatewayMethodDealsGet": {
		"Type": "AWS::ApiGateway::Method",
		"Properties": {
			"HttpMethod": "GET",
			"RequestParameters": {