Added websockets authorizer support #5867

eahefnawy · 2019-02-26T13:45:45Z

What did you implement:

Closes #5857
Closes #5874

How did you implement it:

Using the Authorizer CF template, and mapping it to the Route template, and setting the required permissions.

How can we verify it:

Using the following service:

service: websocket-authorizers

provider:
  name: aws
  stage: dev
  runtime: nodejs8.10

functions:
  connect:
    handler: handler.connect
    events:
      - websocket:
          route: $connect
          authorizer:
            name: auth
            identitySource:
              - 'route.request.header.Auth'
              - 'route.request.querystring.Auth'
  default:
    handler: handler.default
    events:
      - websocket:
          route: $default

  auth:
    handler: handler.auth

// handler.js
'use strict';

const AWS = require('aws-sdk')

// the following section injects the new ApiGatewayManagementApi service
// into the Lambda AWS SDK, otherwise you'll have to deploy the entire new version of the SDK

/* START ApiGatewayManagementApi injection */
const { Service, apiLoader } = AWS

apiLoader.services['apigatewaymanagementapi'] = {}

const model = {
  metadata: {
    apiVersion: '2018-11-29',
    endpointPrefix: 'execute-api',
    signingName: 'execute-api',
    serviceFullName: 'AmazonApiGatewayManagementApi',
    serviceId: 'ApiGatewayManagementApi',
    protocol: 'rest-json',
    jsonVersion: '1.1',
    uid: 'apigatewaymanagementapi-2018-11-29',
    signatureVersion: 'v4'
  },
  operations: {
    PostToConnection: {
      http: {
        requestUri: '/@connections/{connectionId}',
        responseCode: 200
      },
      input: {
        type: 'structure',
        members: {
          Data: {
            type: 'blob'
          },
          ConnectionId: {
            location: 'uri',
            locationName: 'connectionId'
          }
        },
        required: ['ConnectionId', 'Data'],
        payload: 'Data'
      }
    }
  },
  paginators: {},
  shapes: {}
}

AWS.ApiGatewayManagementApi = Service.defineService('apigatewaymanagementapi', ['2018-11-29'])
Object.defineProperty(apiLoader.services['apigatewaymanagementapi'], '2018-11-29', {
  // eslint-disable-next-line
  get: function get() {
    return model
  },
  enumerable: true,
  configurable: true
})
/* END ApiGatewayManagementApi injection */

module.exports.connect = (event, context, cb) => {
  cb(null, {
    statusCode: 200,
    body: 'Connected.'
  });
};

module.exports.default = async (event, context, cb) => {

  const client = new AWS.ApiGatewayManagementApi({
    apiVersion: '2018-11-29',
    endpoint: `https://${event.requestContext.domainName}/${event.requestContext.stage}`
  });

  await client
    .postToConnection({
      ConnectionId: event.requestContext.connectionId,
      Data: `default route received: ${event.body}`
    })
    .promise();

  cb(null, {
    statusCode: 200,
    body: 'Sent.'
  });
};

module.exports.auth = async (event, context) => {
  return {
    "principalId": "user",
    "policyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Allow",
          "Resource": event.methodArn
        }
      ]
    }
  };
};

deploy, then connect to the ws url:

wscat -c wss://<ID>.execute-api.us-east-1.amazonaws.com/dev?Auth=foo -H Auth:bar
# connection should SUCCEED because you provided both identity sources: querystring & header

wscat -c wss://<ID>.execute-api.us-east-1.amazonaws.com/dev -H Auth:bar
# connection should FAIL because you ONLY provided the header
# and your serverless.yml clearly states that you need the querystring identity source
# If you remove the `identitySource` from `serverless.yml`, it should SUCCEED
# because using ONLY the header is the default behavior

Todos:

Write tests
Write documentation
Fix linting errors
Make sure code coverage hasn't dropped
Provide verification config / commands / resources
Enable "Allow edits from maintainers" for this PR
Update the messages below

Is this ready for review?: YES
Is it a breaking change?: NO

dschep

I haven't tested it, but the code looks good to me!

added authorizer support

c6f955a

eahefnawy self-assigned this Feb 26, 2019

eahefnawy added the pr/in-progress label Feb 26, 2019

eahefnawy added this to the 1.39.0 milestone Feb 26, 2019

tested authorizers

e7c5acf

eahefnawy marked this pull request as ready for review February 27, 2019 13:03

eahefnawy requested a review from pmuens February 27, 2019 13:03

eahefnawy mentioned this pull request Feb 27, 2019

Add option to set Websocket API name #5874

Closed

eahefnawy changed the title ~~Added authorizer support~~ Added websockets authorizer support Feb 27, 2019

eahefnawy added 2 commits February 27, 2019 17:34

added tests

2a8fedc

remove only

4fcda37

dschep approved these changes Feb 27, 2019

View reviewed changes

eahefnawy requested a review from dschep February 28, 2019 11:54

eahefnawy merged commit 0293040 into master Feb 28, 2019

eahefnawy deleted the wb-authorizers branch February 28, 2019 11:56

pmuens mentioned this pull request Mar 7, 2019

WebSocket Authenticator not mapped #5902

Closed

dschep added the enhancement label Apr 8, 2019

yareyaredesuyo mentioned this pull request Jun 24, 2019

Websocket dherault/serverless-offline#711

Merged

6 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added websockets authorizer support #5867

Added websockets authorizer support #5867

eahefnawy commented Feb 26, 2019 •

edited

Loading

dschep left a comment

Added websockets authorizer support #5867

Added websockets authorizer support #5867

Conversation

eahefnawy commented Feb 26, 2019 • edited Loading

What did you implement:

How did you implement it:

How can we verify it:

Todos:

dschep left a comment

Choose a reason for hiding this comment

eahefnawy commented Feb 26, 2019 •

edited

Loading