Support custom authorizer on websocket events

simon-ye · February 20, 2019, 4:00pm

Thanks for supporting websocket events in the latest version, however it doesn’t support authorizer like it supports in http events, is there any plan we can add it soon?

jameshartt · February 28, 2019, 3:07pm

This would be really useful, the docs say to do auth in the $connect, but would be nice to use existing/similar auth functions I already have.

simon-ye · February 28, 2019, 4:30pm

Looks like this will be officially supported in the coming Serverless release of 1.39.0

github.com/serverless/serverless

Added websockets authorizer support

serverless:master ← serverless:wb-authorizers

opened 01:45PM - 26 Feb 19 UTC

eahefnawy

+688 -28

## What did you implement: Closes #5857 Closes #5874  ## How did you implement it:  Using the Authorizer CF template, and mapping it to the Route template, and setting the required permissions. ## How can we verify it: Using the following service: ```yml service: websocket-authorizers provider: name: aws stage: dev runtime: nodejs8.10 functions: connect: handler: handler.connect events: - websocket: route: $connect authorizer: name: auth identitySource: - 'route.request.header.Auth' - 'route.request.querystring.Auth' default: handler: handler.default events: - websocket: route: $default auth: handler: handler.auth ``` ```js // handler.js 'use strict'; const AWS = require('aws-sdk') // the following section injects the new ApiGatewayManagementApi service // into the Lambda AWS SDK, otherwise you'll have to deploy the entire new version of the SDK /* START ApiGatewayManagementApi injection */ const { Service, apiLoader } = AWS apiLoader.services['apigatewaymanagementapi'] = {} const model = { metadata: { apiVersion: '2018-11-29', endpointPrefix: 'execute-api', signingName: 'execute-api', serviceFullName: 'AmazonApiGatewayManagementApi', serviceId: 'ApiGatewayManagementApi', protocol: 'rest-json', jsonVersion: '1.1', uid: 'apigatewaymanagementapi-2018-11-29', signatureVersion: 'v4' }, operations: { PostToConnection: { http: { requestUri: '/@connections/{connectionId}', responseCode: 200 }, input: { type: 'structure', members: { Data: { type: 'blob' }, ConnectionId: { location: 'uri', locationName: 'connectionId' } }, required: ['ConnectionId', 'Data'], payload: 'Data' } } }, paginators: {}, shapes: {} } AWS.ApiGatewayManagementApi = Service.defineService('apigatewaymanagementapi', ['2018-11-29']) Object.defineProperty(apiLoader.services['apigatewaymanagementapi'], '2018-11-29', { // eslint-disable-next-line get: function get() { return model }, enumerable: true, configurable: true }) /* END ApiGatewayManagementApi injection */ module.exports.connect = (event, context, cb) => { cb(null, { statusCode: 200, body: 'Connected.' }); }; module.exports.default = async (event, context, cb) => { const client = new AWS.ApiGatewayManagementApi({ apiVersion: '2018-11-29', endpoint: `https://${event.requestContext.domainName}/${event.requestContext.stage}` }); await client .postToConnection({ ConnectionId: event.requestContext.connectionId, Data: `default route received: ${event.body}` }) .promise(); cb(null, { statusCode: 200, body: 'Sent.' }); }; module.exports.auth = async (event, context) => { return { "principalId": "user", "policyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": "Allow", "Resource": event.methodArn } ] } }; }; ``` deploy, then connect to the ws url: ``` wscat -c wss://<ID>.execute-api.us-east-1.amazonaws.com/dev?Auth=foo -H Auth:bar # connection should SUCCEED because you provided both identity sources: querystring & header wscat -c wss://<ID>.execute-api.us-east-1.amazonaws.com/dev -H Auth:bar # connection should FAIL because you ONLY provided the header # and your serverless.yml clearly states that you need the querystring identity source # If you remove the `identitySource` from `serverless.yml`, it should SUCCEED # because using ONLY the header is the default behavior ```  ## Todos: - [x] Write tests - [x] Write documentation - [x] Fix linting errors - [x] Make sure code coverage hasn't dropped - [x] Provide verification config / commands / resources - [x] Enable "Allow edits from maintainers" for this PR - [x] Update the messages below ***Is this ready for review?:*** YES ***Is it a breaking change?:*** NO

jameshartt · February 28, 2019, 4:54pm

That’s great, thanks!

alecsultana · March 7, 2019, 3:05pm

Are Websocket authorizers supported in 1.38?

Docs for 1.38 seem to indicate they are… https://serverless.com/framework/docs/providers/aws/events/websocket#using-authorizers

I also tried this out myself, but was unable to get my auth handler to run when route: $connect

am I missing something?

simon-ye · March 7, 2019, 3:21pm

I believe it will be supported in 1.39, although they seem already updated the doc ahead of the new release.

If you really need it now, you have to manually configure it from the console or use cli.

alecsultana · March 7, 2019, 3:27pm

Yep - I’ll be doing as you suggest.

Just needed to confirm for my own sanity

castellanprime · March 7, 2019, 5:06pm

I faced a similar problem and I decide to pull the code directly from master(npm install). That seems to fix it.

Topic		Replies	Views
Cognito authorizer and websockets Serverless Framework api-gateway	0	1074	May 20, 2019
Custom Authorizer not being triggered Serverless Framework aws	3	5961	June 22, 2017
API GW Custom Authorizer Serverless Framework lambda , api-gateway	2	2826	May 28, 2019
Authorization Function not being configured on AWS API Gateway Serverless Framework	1	800	March 28, 2020
Authorizer not created Serverless Framework	2	928	February 21, 2017

Support custom authorizer on websocket events

Related Topics