aws-apigw-authorizer - npm Package Compare versions

Comparing version 0.1.15 to 0.1.16

lib/authorizer.d.ts

@@ -1,5 +0,5 @@
-import * as AWSLambda from './lambda';
+import * as AWSLambda from 'aws-lambda';
 export declare type PolicyBuilderFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => AWSLambda.PolicyDocument | Promise<AWSLambda.PolicyDocument>;
 export declare type ContextBuilderFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => AWSLambda.AuthResponseContext | Promise<AWSLambda.AuthResponseContext> | void;
-export declare type CustomAuthChecksFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => void | Promise<void>;
+export declare type AuthChecksFunction = (event: AWSLambda.CustomAuthorizerEvent, principalId: string, decodedToken?: Jwt) => void | Promise<void>;
 export declare type PrincipalId = string;
@@ -10,3 +10,3 @@ export declare type JwtPrincipalIdSelectorFunction = (event: AWSLambda.CustomAuthorizerEvent, decodedToken?: Jwt) => PrincipalId | Promise<PrincipalId>;
     contextBuilder?: ContextBuilderFunction;
-    customAuthChecks?: CustomAuthChecksFunction;
+    AuthChecks?: AuthChecksFunction;
     jwtPrincipalIdSelectorFunction?: JwtPrincipalIdSelectorFunction;
@@ -18,3 +18,3 @@ }
     private contextBuilder;
-    private customAuthChecks;
+    private authChecks;
     private basicAuthenticationEnabled;
@@ -21,0 +21,0 @@ private jwtAuthenticationEnabled;

lib/authorizer.js

@@ -7,6 +7,2 @@ "use strict";
 const awsPolicyLib = require('./aws-policy-lib');
-// It is mandatory to set up ALLOWED_IP_ADDRESSES (0.0.0.0/0 is allowed)
-if (!process.env.ALLOWED_IP_ADDRESSES) {
-    throw new Error('Cannot accept any source IP as ALLOWED_IP_ADDRESSES has not been set');
-}
 class ApiGatewayAuthorizer {
@@ -19,3 +15,3 @@ constructor(authorizerConfig) {
         this.contextBuilder = authorizerConfig && authorizerConfig.contextBuilder || (() => undefined);
-        this.customAuthChecks = authorizerConfig && authorizerConfig.customAuthChecks || (() => undefined);
+        this.authChecks = authorizerConfig && authorizerConfig.AuthChecks || (() => undefined);
         this.principalIdSelectorFunction = authorizerConfig && authorizerConfig.jwtPrincipalIdSelectorFunction || defaultJwtPrincipalIdSelector;
@@ -38,5 +34,5 @@ // check environment for configured auth flavors
     async authorize(event, principalId, decodedToken, ...logMessages) {
-        await this.customAuthChecks(event, principalId, decodedToken);
+        await this.authChecks(event, principalId, decodedToken);
+        const context = await this.contextBuilder(event, principalId, decodedToken);
         const policy = await this.policyBuilder(event, principalId, decodedToken);
-        const context = await this.contextBuilder(event, principalId, decodedToken);
         if (context) {
@@ -64,4 +60,8 @@ Object.assign(policy, { context });
         const sourceIp = this.assertSourceIp(event);
+        // It is mandatory to set up ALLOWED_IP_ADDRESSES (0.0.0.0/0 is allowed)
+        if (!process.env.ALLOWED_IP_ADDRESSES) {
+            throw new Error('Cannot accept any source IP as ALLOWED_IP_ADDRESSES has not been set');
+        }
         // Sanity check: the callers sourceIp should be an allowed ip
-        if (process.env.ALLOWED_IP_ADDRESSES || ''
+        if (process.env.ALLOWED_IP_ADDRESSES
             .split(',')
@@ -132,12 +132,12 @@ .filter((ipRange) => ipRangeCheck(sourceIp, ipRange))
 function defaultJwtPrincipalIdSelector(_event, decodedToken) {
-    let principalId = 'Undeterminable Principal';
+    let principalId;
     if (decodedToken) {
         // Different identity providers put different claims on tokens
-        // Auth0 seems to always put the 'email' claim
+        // Auth0 seems to always include the 'email' claim
         // Microsoft seems to always put the e-mail address in 'upn' claim
         // Last resort  is the 'sub' claim which should mostly be present but contains an ID specific to the identity provider
-        principalId = decodedToken['email'] || decodedToken['upn'] || decodedToken['sub'] || principalId;
+        principalId = decodedToken['email'] || decodedToken['upn'] || decodedToken['sub'];
     }
-    return principalId;
+    return principalId || 'Undeterminable Principal';
 }
 //# sourceMappingURL=authorizer.js.map

lib/jwt-validator.js

@@ -17,5 +17,8 @@ "use strict";
 async function validate(jwtToken) {
-    const expectedAudience = process.env.AUDIENCE_URI || '';
-    const expectedIssuer = process.env.ISSUER_URI || '';
-    const jwksUri = process.env.JWKS_URI || '';
+    if (!process.env.AUDIENCE_URI || !process.env.ISSUER_URI || !process.env.JWKS_URI) {
+        throw new Error('JWT validator configuration incomplete. Need AUDIENCE_URI, ISSUER_URI, JWKS_URI');
+    }
+    const expectedAudience = process.env.AUDIENCE_URI;
+    const expectedIssuer = process.env.ISSUER_URI;
+    const jwksUri = process.env.JWKS_URI;
     const decodedJwtToken = jwt.decode(jwtToken, { complete: true });
@@ -22,0 +25,0 @@ if (!decodedJwtToken) {

package.json

 {
   "name": "aws-apigw-authorizer",
-  "version": "0.1.15",
+  "version": "0.1.16",
   "description": "AWS Lambda Authorizer for API Gateway",
   "keywords": [
-    "aws", "apigateway", "authorizer", "api", "gateway", "custom", "amazon"
+    "aws",
+    "apigateway",
+    "authorizer",
+    "api",
+    "gateway",
+    "custom",
+    "amazon"
   ],
@@ -29,2 +35,3 @@ "main": "lib/authorizer.js",
   "dependencies": {
+    "@types/aws-lambda": "^8.10.6",
     "basic-auth": "^2.0.0",
@@ -31,0 +38,0 @@ "ip-range-check": "0.0.2",

README.md

@@ -5,3 +5,3 @@ # AWS Lambda Authorizer for API Gateway
 
-https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
+(i.e. an implementation of this: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html)
 
@@ -12,6 +12,7 @@ <!-- TOC -->
 - [2. How to use](#2-how-to-use)
-    - [2.1. Custom Policy Builder](#21-custom-policy-builder)
-    - [2.2. Custom Context Builder](#22-custom-context-builder)
-    - [2.3. Custom Auth Checks](#23-custom-auth-checks)
-    - [2.4. Custom Determination of Principal ID](#24-custom-determination-of-principal-id)
+    - [2.1. Basic usage](#21-basic-usage)
+    - [2.2. Customize Policy Builder](#22-customize-policy-builder)
+    - [2.3. Customize Context Builder](#23-customize-context-builder)
+    - [2.4. Customize Auth Checks](#24-customize-auth-checks)
+    - [2.5. Customize Determination of principalId](#25-customize-determination-of-principalid)
 - [3. Supported Environment Variables:](#3-supported-environment-variables)
@@ -35,2 +36,4 @@ - [3.1. ALLOWED_IP_ADDRESSES](#31-allowed_ip_addresses)
 
+### 2.1. Basic usage
+
 Create a Lambda function in AWS using **Node 8.10** runtime and use the following code:
@@ -52,3 +55,3 @@
 
-### 2.1. Custom Policy Builder
+### 2.2. Customize Policy Builder
 
@@ -96,3 +99,3 @@ A custom function can be provided for building custom AWS IAM policies. The custom function will be called after succesfull authentication:
 
-### 2.2. Custom Context Builder
+### 2.3. Customize Context Builder
 
@@ -119,3 +122,3 @@ A custom function can be provided for setting the authorization context (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html). The custom function will be called after succesfull authentication:
 
-### 2.3. Custom Auth Checks
+### 2.4. Customize Auth Checks
 
@@ -139,11 +142,11 @@ A custom function can be provided in which you can include your own checks. If you throw an error anywhere in that function the request will be denied (HTTP 401).
 
-### 2.4. Custom Determination of Principal ID
+### 2.5. Customize Determination of principalId
 
 If you want to take control of the determination of the principalId that is used in the AWS policy and cloudwatch logging, specify a custom JwtPrincipalIdSelectorFunction.
 
-This is only useful for JWT auth, because for Basic Authentication the username will always be used as principalId.
+This is only useful for JWT auth, because for Basic Authentication the username will be used as principalId.
 
 ```js
 // May return promise or synchronous result as below
-function customJwtPrincipalIdSelectorFunction(event, principal, decodedToken) {
+function customJwtPrincipalIdSelectorFunction(event, decodedToken) {
     return 'principalId of your liking';
@@ -177,3 +180,3 @@ }
 
-It is mandatory to explicitly specify which remote IP adresses/address rangers are allowed to access the API.
+It is mandatory to explicitly specify which remote IP adresses/address ranges are allowed to access the API.
 
@@ -180,0 +183,0 @@ ALLOWED_IP_ADDRESSES can be set to `0.0.0.0/0` for public access.

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 3 instances in 1 package

Fixed alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 2 instances in 1 package

Improved metrics

Number of lines in readme file

205

increased by1.49%

Worsened metrics

Total package byte prevSize

32481

decreased by-12%

Dependency count

6

increased by20%

Number of package files

10

decreased by-23.08%

Lines of code

512

decreased by-18.86%

Number of low supply chain risk alerts

20

increased by17.65%

Dependency changes

• + Added@types/aws-lambda@^8.10.6

• + Added@types/aws-lambda@8.10.137(transitive)