Need help to understand how cache works with request type

Recently, API Gateway request type feature was added from v1.24.0. It is just the right time to have this feature.

With token type, I can easily understand that the Authorization token will be used for authorization, and the auth handler function generatePolicy generates a policy cache after the token is validated. If the token is validated, all service accesses in this API gateway are allowed for the next 5 minutes (default TTL).

But request type is different.

Question #1

How does the cache work with request type?

For example, I enable request type and check the Authorization header and the URL endpoint (https://<api_gateway_url>/endpoint-1/<rest>). In my project, access is allowed only when both the authorization token and the endpoint match my database records.

But when I tested with request type, I found that after being authorized, it can access any endpoint (endpoint-1, endpoint-2, …) within the TTL.

events:
  - http:
      path: profile
      method: get
      authorizer:
        name: authorizer
        resultTtlInSeconds: 300
        identitySource: method.request.header.Authorization
        type: request

Is there anything I need to do with identitySource, such as

identitySource: method.request.header.Authorization, context.??????.endpoint

Need your help. Thanks.

Question #2

In request type, there are four choices:

NONE
Validate body
Validate body, query string parameters, and headers
Validate query string parameters and headers


With the current request type feature in the serverless framework, I can’t find where to set the above options. So I need to know which option it currently supports.

Notes

If you need to understand the differences between request type and token type, please go through this AWS document: Amazon API Gateway


Did you ever find an answer to this? I’m curious about this as well =)

Yes, I got something by myself.

For question #1, my understanding is that I have to customize the policies to nominate the allowed endpoints for that token owner when validating in the authorizer.

For example, if that Authorization token owner only has permission to access endpoints 1, 2 and 5, this is the policy I need to generate, which allows all methods:

arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-5/*

Remember you have to customize the methods as well; otherwise, if the token owner accesses with method GET and you only set the policy cache to GET, then all requests from the same owner with the same token for other methods (such as POST, PUT, DELETE, etc.) will be refused.

So if the token owner can only use methods GET/POST, the policy needs to be updated as below:

arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-5/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-5/*

There are AWS limits on the policy size, so make sure it is kept within the limit.

This way I manage the policies is not only for request type; it is the same for token type as well. Same solution.

For question #2, I still don’t have an answer.
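The approach in the answer above, as an added example that is not code from the thread: a Node.js Lambda authorizer (request type) that derives the API ARN and stage from the event's methodArn and returns a policy listing only the method/endpoint pairs the token owner holds, so the policy cached under the Authorization header cannot be reused for other endpoints. The PERMISSIONS_BY_TOKEN table stands in for the poster's database lookup and is constructed for this example.

```javascript
"use strict";

// Constructed stand-in for the database lookup of the Authorization token:
// which endpoints and methods each token owner may call.
const PERMISSIONS_BY_TOKEN = {
  "token-abc": {
    principalId: "user-1",
    grants: { "endpoint-1": ["GET", "POST"], "endpoint-2": ["GET"] },
  },
};

// methodArn looks like arn:aws:execute-api:<region>:<account>:<restapi_id>/<stage>/<METHOD>/<path>
// We only need the API ARN and the stage to build resource ARNs for other routes.
function parseMethodArn(methodArn) {
  const parts = String(methodArn || "").split("/");
  if (parts.length < 4) throw new Error("unexpected methodArn: " + methodArn);
  return { apiArn: parts[0], stage: parts[1] };
}

// One resource ARN per allowed method/endpoint pair; the trailing /* covers sub-paths.
function buildResources(apiArn, stage, grants) {
  const resources = [];
  for (const [endpoint, methods] of Object.entries(grants)) {
    for (const method of methods) {
      resources.push(`${apiArn}/${stage}/${method}/${endpoint}/*`);
    }
  }
  return resources;
}

function buildPolicy(principalId, effect, resources) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: resources }],
    },
  };
}

// Request-type authorizer: the token arrives in event.headers, not event.authorizationToken.
function authorize(event) {
  const headers = event.headers || {};
  const token = headers.Authorization || headers.authorization;
  const { apiArn, stage } = parseMethodArn(event.methodArn);
  const entry = token && PERMISSIONS_BY_TOKEN[token];
  if (!entry) {
    // Unknown token: deny the whole stage. This Deny is cached for the TTL as well.
    return buildPolicy("anonymous", "Deny", [`${apiArn}/${stage}/*/*`]);
  }
  return buildPolicy(entry.principalId, "Allow", buildResources(apiArn, stage, entry.grants));
}

async function handler(event) { return authorize(event); }
if (typeof module !== "undefined") module.exports = { handler, authorize };
```

Because API Gateway keys the cache on identitySource (here the Authorization header) and applies the cached policy to every route, the Resource list is what restricts the caller during the TTL; keep it within the policy size limit mentioned above.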