fix: uses loose policy to avoid cache conflicts

lmammino · Oct 29, 2023 · 61bc1eb · 61bc1eb
1 parent 5e7533b
commit 61bc1eb
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 15 deletions.
diff --git a/examples/sam/template.yml b/examples/sam/template.yml
@@ -57,7 +57,6 @@ Resources:
       ManagedPolicyArns:
         - "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 
-  # 👀 CHANGE: Define your APIs here
   # Authorizer Lambda
   OidcLambdaAuthorizer:
     Type: AWS::Serverless::Function
@@ -82,24 +81,48 @@ Resources:
           ACCEPTED_AUDIENCES: "5c8efa13-dfa5-48b5-83c3-6fe8bb819a0f"
           ACCEPTED_ALGORITHMS: ""
 
-  SampleApiFunction:
+  # 👀 CHANGE: Define your APIs here
+  SampleApiFunction1:
+    Type: AWS::Serverless::Function
+    Properties:
+      Events:
+        ApiEvent:
+          Type: Api
+          Properties:
+            Path: /1
+            Method: get
+            RestApiId:
+              Ref: ApiGatewayApi
+      Runtime: python3.9
+      Handler: index.handler
+      InlineCode: |
+        def handler(event, context):
+            return {'body': 'Hello from endpoint1!', 'statusCode': 200}
+
+  SampleApiFunction2:
     Type: AWS::Serverless::Function
     Properties:
       Events:
         ApiEvent:
           Type: Api
           Properties:
-            Path: /
+            Path: /2
             Method: get
             RestApiId:
               Ref: ApiGatewayApi
       Runtime: python3.9
       Handler: index.handler
       InlineCode: |
         def handler(event, context):
-            return {'body': 'Hello World!', 'statusCode': 200}
+            return {'body': 'Hello ' + event['requestContext']['authorizer']['principalId'] + ' from endpoint2!\nThese are your claims: ' + event['requestContext']['authorizer']['jwtClaims'], 'statusCode': 200}
 
 Outputs:
-  ApiEndpoint:
+  ApiBaseUrl:
     Description: "API Gateway endpoint"
     Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/"
+  ApiEndpoint1:
+    Description: "API Gateway endpoint"
+    Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/1"
+  ApiEndpoint2:
+    Description: "API Gateway endpoint"
+    Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/2"
diff --git a/src/handler.rs b/src/handler.rs
@@ -110,7 +110,6 @@ impl Handler {
 
         Ok(TokenAuthorizerResponse::allow(
             &principal_id,
-            &event.method_arn,
             &token_payload.claims,
         ))
     }

diff --git a/src/models.rs b/src/models.rs
@@ -38,11 +38,10 @@ pub struct TokenAuthorizerResponse {
 }
 
 impl TokenAuthorizerResponse {
-    pub fn allow(principal_id: &str, resource: &str, token_claims: &Value) -> Self {
+    pub fn allow(principal_id: &str, token_claims: &Value) -> Self {
         let mut context = HashMap::new();
-        context.insert("jwt_principal".to_string(), principal_id.to_string());
         context.insert(
-            "jwt_claims".to_string(),
+            "jwtClaims".to_string(),
             serde_json::to_string(token_claims).unwrap(),
         );
 
@@ -54,7 +53,10 @@ impl TokenAuthorizerResponse {
                 statement: vec![PolicyStatement {
                     effect: "Allow".to_string(),
                     action: "execute-api:Invoke".to_string(),
-                    resource: resource.to_string(),
+                    // NOTE: this is intentionally open to avoid cache conflicts
+                    //   when enabling cache and using multiple endpoints.
+                    //   For more details you can read: https://www.alexdebrie.com/posts/lambda-custom-authorizers/#caching-across-multiple-functions
+                    resource: "*".to_string(),
                 }],
             },
         }
@@ -84,13 +86,12 @@ mod tests {
     #[test]
     fn it_should_create_an_allow_response() {
         let principal_id = "John Doe";
-        let resource = "arn::some:resource";
         let token_claims = json!({
           "iat": 1516239022,
           "name": "John Doe",
           "sub": "1234567890"
         });
-        let response = TokenAuthorizerResponse::allow(principal_id, resource, &token_claims);
+        let response = TokenAuthorizerResponse::allow(principal_id, &token_claims);
         assert_eq!(
             serde_json::to_value(response).unwrap(),
             json!({
@@ -101,13 +102,12 @@ mod tests {
                         {
                             "Action": "execute-api:Invoke",
                             "Effect": "Allow",
-                            "Resource": "arn::some:resource"
+                            "Resource": "*"
                         }
                     ]
                 },
                 "context": {
-                    "jwt_claims": "{\"iat\":1516239022,\"name\":\"John Doe\",\"sub\":\"1234567890\"}",
-                    "jwt_principal": "John Doe",
+                    "jwtClaims": "{\"iat\":1516239022,\"name\":\"John Doe\",\"sub\":\"1234567890\"}",
                 }
             })
         );