aws-apigw-authorizer
Comparing version 0.1.15 to 0.1.16
@@ -1,5 +0,5 @@ | ||
import * as AWSLambda from './lambda'; | ||
import * as AWSLambda from 'aws-lambda'; | ||
export declare type PolicyBuilderFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => AWSLambda.PolicyDocument | Promise<AWSLambda.PolicyDocument>; | ||
export declare type ContextBuilderFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => AWSLambda.AuthResponseContext | Promise<AWSLambda.AuthResponseContext> | void; | ||
export declare type CustomAuthChecksFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => void | Promise<void>; | ||
export declare type AuthChecksFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => void | Promise<void>; | ||
export declare type PrincipalId = string; | ||
@@ -10,3 +10,3 @@ export declare type JwtPrincipalIdSelectorFunction = (event: AWSLambda.CustomAuthorizerEvent, decodedToken?: Jwt) => PrincipalId | Promise<PrincipalId>; | ||
contextBuilder?: ContextBuilderFunction; | ||
customAuthChecks?: CustomAuthChecksFunction; | ||
AuthChecks?: AuthChecksFunction; | ||
jwtPrincipalIdSelectorFunction?: JwtPrincipalIdSelectorFunction; | ||
@@ -18,3 +18,3 @@ } | ||
private contextBuilder; | ||
private customAuthChecks; | ||
private authChecks; | ||
private basicAuthenticationEnabled; | ||
@@ -21,0 +21,0 @@ private jwtAuthenticationEnabled; |
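Review bot: The new option `AuthChecks?: AuthChecksFunction;` is the only PascalCase key in this config interface, while its siblings (`contextBuilder`, `jwtPrincipalIdSelectorFunction`) and the backing class field `authChecks` in the next hunk are camelCase, and the constructor in the authorizer.js section below reads `authorizerConfig.AuthChecks` with the same spelling. I would name it `authChecks?: AuthChecksFunction;`. Because this replaces `customAuthChecks` inside a patch-level bump (0.1.15 to 0.1.16), a caller that still passes `customAuthChecks` gets the `() => undefined` default from that constructor line and its checks silently stop running, which is a fail-open regression; keeping the old key as a deprecated alias (`/** @deprecated use authChecks */ customAuthChecks?: AuthChecksFunction;`) and honouring it in the constructor avoids that. The interface and the class these hunks belong to start outside the hunk.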
@@ -7,6 +7,2 @@ "use strict"; | ||
const awsPolicyLib = require('./aws-policy-lib'); | ||
// It is mandatory to set up ALLOWED_IP_ADDRESSES (0.0.0.0/0 is allowed) | ||
if (!process.env.ALLOWED_IP_ADDRESSES) { | ||
throw new Error('Cannot accept any source IP as ALLOWED_IP_ADDRESSES has not been set'); | ||
} | ||
class ApiGatewayAuthorizer { | ||
@@ -19,3 +15,3 @@ constructor(authorizerConfig) { | ||
this.contextBuilder = authorizerConfig && authorizerConfig.contextBuilder || (() => undefined); | ||
this.customAuthChecks = authorizerConfig && authorizerConfig.customAuthChecks || (() => undefined); | ||
this.authChecks = authorizerConfig && authorizerConfig.AuthChecks || (() => undefined); | ||
this.principalIdSelectorFunction = authorizerConfig && authorizerConfig.jwtPrincipalIdSelectorFunction || defaultJwtPrincipalIdSelector; | ||
@@ -38,5 +34,5 @@ // check environment for configured auth flavors | ||
async authorize(event, principalId, decodedToken, ...logMessages) { | ||
await this.customAuthChecks(event, principalId, decodedToken); | ||
await this.authChecks(event, principalId, decodedToken); | ||
const context = await this.contextBuilder(event, principalId, decodedToken); | ||
const policy = await this.policyBuilder(event, principalId, decodedToken); | ||
const context = await this.contextBuilder(event, principalId, decodedToken); | ||
if (context) { | ||
@@ -64,4 +60,8 @@ Object.assign(policy, { context }); | ||
const sourceIp = this.assertSourceIp(event); | ||
// It is mandatory to set up ALLOWED_IP_ADDRESSES (0.0.0.0/0 is allowed) | ||
if (!process.env.ALLOWED_IP_ADDRESSES) { | ||
throw new Error('Cannot accept any source IP as ALLOWED_IP_ADDRESSES has not been set'); | ||
} | ||
// Sanity check: the callers sourceIp should be an allowed ip | ||
if (process.env.ALLOWED_IP_ADDRESSES || '' | ||
if (process.env.ALLOWED_IP_ADDRESSES | ||
.split(',') | ||
@@ -132,12 +132,12 @@ .filter((ipRange) => ipRangeCheck(sourceIp, ipRange)) | ||
function defaultJwtPrincipalIdSelector(_event, decodedToken) { | ||
let principalId = 'Undeterminable Principal'; | ||
let principalId; | ||
if (decodedToken) { | ||
// Different identity providers put different claims on tokens | ||
// Auth0 seems to always put the 'email' claim | ||
// Auth0 seems to always include the 'email' claim | ||
// Microsoft seems to always put the e-mail address in 'upn' claim | ||
// Last resort is the 'sub' claim which should mostly be present but contains an ID specific to the identity provider | ||
principalId = decodedToken['email'] || decodedToken['upn'] || decodedToken['sub'] || principalId; | ||
principalId = decodedToken['email'] || decodedToken['upn'] || decodedToken['sub']; | ||
} | ||
return principalId; | ||
return principalId || 'Undeterminable Principal'; | ||
} | ||
//# sourceMappingURL=authorizer.js.map |
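Review bot: The allow-list parsing at the end of the fourth hunk splits ALLOWED_IP_ADDRESSES on ',' only, so an entry with surrounding whitespace (`"10.0.0.0/8, 192.168.0.0/16"`) or a trailing comma reaches ipRangeCheck as-is; unless that library tolerates it, such entries never match and the caller is denied with no hint why. `.split(',').map((r) => r.trim()).filter(Boolean)` before the filter would make the variable forgiving of the formatting operators actually use. Moving the missing-variable check from module load (the lines removed near the top of the file) into this request path also means a misconfiguration now surfaces as an error thrown per request, presumably reported to the caller as a denial, rather than as an initialisation failure; a distinct log line next to the throw would let operators tell a configuration error from a rejected source IP. The method containing that check starts before the hunk and continues past it.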
@@ -17,5 +17,8 @@ "use strict"; | ||
async function validate(jwtToken) { | ||
const expectedAudience = process.env.AUDIENCE_URI || ''; | ||
const expectedIssuer = process.env.ISSUER_URI || ''; | ||
const jwksUri = process.env.JWKS_URI || ''; | ||
if (!process.env.AUDIENCE_URI || !process.env.ISSUER_URI || !process.env.JWKS_URI) { | ||
throw new Error('JWT validator configuration incomplete. Need AUDIENCE_URI, ISSUER_URI, JWKS_URI'); | ||
} | ||
const expectedAudience = process.env.AUDIENCE_URI; | ||
const expectedIssuer = process.env.ISSUER_URI; | ||
const jwksUri = process.env.JWKS_URI; | ||
const decodedJwtToken = jwt.decode(jwtToken, { complete: true }); | ||
@@ -22,0 +25,0 @@ if (!decodedJwtToken) { |
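Review bot: The guard added at the top of validate rejects a missing configuration, but the three values read after it are used without normalisation, so a trailing slash or case difference between ISSUER_URI and the token's iss claim will presumably fail verification later with no pointer back to this spot; a comment such as `// Must match the token's aud/iss claims exactly; no trailing-slash or case normalisation is applied` would save operators a debugging round. The `jwt.decode(jwtToken, { complete: true })` call on the last line only parses the token, and the verify step that makes this path safe lies outside the hunk; confirm it passes the audience and issuer captured here together with an explicit algorithms list rather than trusting the token header. validate's body continues past the hunk.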
{ | ||
"name": "aws-apigw-authorizer", | ||
"version": "0.1.15", | ||
"version": "0.1.16", | ||
"description": "AWS Lambda Authorizer for API Gateway", | ||
"keywords": [ | ||
"aws", "apigateway", "authorizer", "api", "gateway", "custom", "amazon" | ||
"aws", | ||
"apigateway", | ||
"authorizer", | ||
"api", | ||
"gateway", | ||
"custom", | ||
"amazon" | ||
], | ||
@@ -29,2 +35,3 @@ "main": "lib/authorizer.js", | ||
"dependencies": { | ||
"@types/aws-lambda": "^8.10.6", | ||
"basic-auth": "^2.0.0", | ||
@@ -31,0 +38,0 @@ "ip-range-check": "0.0.2", |
@@ -5,3 +5,3 @@ # AWS Lambda Authorizer for API Gateway | ||
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html | ||
(i.e. an implementation of this: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) | ||
@@ -12,6 +12,7 @@ <!-- TOC --> | ||
- [2. How to use](#2-how-to-use) | ||
- [2.1. Custom Policy Builder](#21-custom-policy-builder) | ||
- [2.2. Custom Context Builder](#22-custom-context-builder) | ||
- [2.3. Custom Auth Checks](#23-custom-auth-checks) | ||
- [2.4. Custom Determination of Principal ID](#24-custom-determination-of-principal-id) | ||
- [2.1. Basic usage](#21-basic-usage) | ||
- [2.2. Customize Policy Builder](#22-customize-policy-builder) | ||
- [2.3. Customize Context Builder](#23-customize-context-builder) | ||
- [2.4. Customize Auth Checks](#24-customize-auth-checks) | ||
- [2.5. Customize Determination of principalId](#25-customize-determination-of-principalid) | ||
- [3. Supported Environment Variables:](#3-supported-environment-variables) | ||
@@ -35,2 +36,4 @@ - [3.1. ALLOWED_IP_ADDRESSES](#31-allowed_ip_addresses) | ||
### 2.1. Basic usage | ||
Create a Lambda function in AWS using **Node 8.10** runtime and use the following code: | ||
@@ -52,3 +55,3 @@ | ||
### 2.1. Custom Policy Builder | ||
### 2.2. Customize Policy Builder | ||
@@ -96,3 +99,3 @@ A custom function can be provided for building custom AWS IAM policies. The custom function will be called after succesfull authentication: | ||
### 2.2. Custom Context Builder | ||
### 2.3. Customize Context Builder | ||
@@ -119,3 +122,3 @@ A custom function can be provided for setting the authorization context (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html). The custom function will be called after succesfull authentication: | ||
### 2.3. Custom Auth Checks | ||
### 2.4. Customize Auth Checks | ||
@@ -139,11 +142,11 @@ A custom function can be provided in which you can include your own checks. If you throw an error anywhere in that function the request will be denied (HTTP 401). | ||
### 2.4. Custom Determination of Principal ID | ||
### 2.5. Customize Determination of principalId | ||
If you want to take control of the determination of the principalId that is used in the AWS policy and cloudwatch logging, specify a custom JwtPrincipalIdSelectorFunction. | ||
This is only useful for JWT auth, because for Basic Authentication the username will always be used as principalId. | ||
This is only useful for JWT auth, because for Basic Authentication the username will be used as principalId. | ||
```js | ||
// May return promise or synchronous result as below | ||
function customJwtPrincipalIdSelectorFunction(event, principal, decodedToken) { | ||
function customJwtPrincipalIdSelectorFunction(event, decodedToken) { | ||
return 'principalId of your liking'; | ||
@@ -177,3 +180,3 @@ } | ||
It is mandatory to explicitly specify which remote IP adresses/address rangers are allowed to access the API. | ||
It is mandatory to explicitly specify which remote IP adresses/address ranges are allowed to access the API. | ||
@@ -180,0 +183,0 @@ ALLOWED_IP_ADDRESSES can be set to `0.0.0.0/0` for public access. |
+ Added @types/aws-lambda@^8.10.6
+ Added @types/aws-lambda@8.10.137 (transitive)