我有一个带有自定义授权者的 1 Amazon Api Gateway 设置(授权者基本上只返回允许任何内容)
我启用了 CORS,这是从jQuery网页。
我有两个方法
我看到的行为是第一个请求进展顺利,我看到它拉动了OPTIONS,然后执行GET要求。Then,我打了另一种方法OPTIONS有效,然后 get 返回一个403,但是如果我再次发起请求(在同一资源上),我得到一个200
我正在使用 Cloudformation,但在使用无服务器框架时我注意到同样的行为。
以下是我理智的一些屏幕截图,希望其他人也看到了这种奇怪的情况。
下面是我的 Cloudformation YAML 模板的一部分,我是边做边学的。
HelloAPI:
Type: AWS::Serverless::Api
Properties:
StageName: !Sub ${Environment}
DefinitionBody:
swagger: 2.0
info:
title:
Ref: AWS::StackName
securityDefinitions:
test-authorizer:
type: apiKey
name: Authorization
in: header
x-amazon-apigateway-authtype: custom
x-amazon-apigateway-authorizer:
type: token
authorizerUri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunc.Arn}/invocations
authorizerResultTtlInSeconds: 5
paths:
/vehicles:
get:
x-amazon-apigateway-integration:
httpMethod: POST
type: aws_proxy
uri:
!Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${VehiclesLambda.Arn}/invocations
responses: {}
security:
- test-authorizer: []
options:
tags:
- "CORS"
summary: "CORS support"
description: "Enable CORS by returning correct headers\n"
consumes:
- "application/json"
produces:
- "application/json"
parameters: []
responses:
"200":
description: "Default response for CORS method"
headers:
Access-Control-Allow-Headers:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Origin:
type: "string"
x-amazon-apigateway-integration:
type: "mock"
requestTemplates:
application/json: "{\n \"statusCode\" : 200\n}\n"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Headers: "'X-Amz-Date,Authorization,X-Api-Key'"
method.response.header.Access-Control-Allow-Methods: "'*'"
method.response.header.Access-Control-Allow-Origin: "'*'"
responseTemplates:
application/json: "{}\n"
/bookings:
get:
x-amazon-apigateway-integration:
httpMethod: POST
type: aws_proxy
uri:
!Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BookingsLambda.Arn}/invocations
responses: {}
security:
- test-authorizer: []
options:
tags:
- "CORS"
summary: "CORS support"
description: "Enable CORS by returning correct headers\n"
consumes:
- "application/json"
produces:
- "application/json"
parameters: []
responses:
"200":
description: "Default response for CORS method"
headers:
Access-Control-Allow-Headers:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Origin:
type: "string"
x-amazon-apigateway-integration:
type: "mock"
requestTemplates:
application/json: "{\n \"statusCode\" : 200\n}\n"
responses:
default:
statusCode: "200"
responseParameters:
method.response.header.Access-Control-Allow-Headers: "'X-Amz-Date,Authorization,X-Api-Key'"
method.response.header.Access-Control-Allow-Methods: "'*'"
method.response.header.Access-Control-Allow-Origin: "'*'"
responseTemplates:
application/json: "{}\n"
这是我的一切顺利授权者:
'use strict';
const generatePolicy = function(principalId, effect, resource) {
const authResponse = {};
authResponse.principalId = principalId;
if (effect && resource) {
const policyDocument = {};
policyDocument.Version = '2012-10-17';
policyDocument.Statement = [];
const statementOne = {};
statementOne.Action = 'execute-api:Invoke';
statementOne.Effect = effect;
statementOne.Resource = resource;
policyDocument.Statement[0] = statementOne;
authResponse.policyDocument = policyDocument;
}
return authResponse;
};
exports.handler = (event, context, callback) => {
console.log("Hit Authorizer")
console.log(event)
callback(null, generatePolicy('user123', 'Allow', event.methodArn));
};
其他人见过这个,或者知道如何调试它吗?
我把它放在一个测试站点上,只是有人想看看我所看到的。
https://s3.amazonaws.com/stackoverflowisgreat2/index.html
在自定义授权者代码中,在该行
statementOne.Resource = resource;
将您的资源更改为以下格式“arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/”。
在您的情况下,允许所有这些将是:
statementOne.Resource = arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/*/
这就是 AWS 了解您的授权人的方式。因为在自定义授权方中,您可以从请求标头中获取信息,例如用户、组等,然后根据您的授权数据库验证信息,并决定允许谁或什么继续请求类型 POST/GET/OPTION,但 API 网关不会在您以 AWS 格式提供有效答案之前,我们不会知道您的决定
{
"principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client.
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow|Deny",
"Resource": "arn:aws:execute-api:{regionId}:{accountId}:{appId}/{stage}/{httpVerb}/[{resource}/[child-resources]]"
}
]
},
"context": {
"stringKey": "value",
"numberKey": "1",
"booleanKey": "true"
},
"usageIdentifierKey": "{api-key}" # Optional
}
您可以访问此页面以了解更多相关信息:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html