I'm using an external lambda authorizer on APIGateway and returning some user info in the context that will be consumed by my api. I'm using the context_header_mappings setting to pass the user_id from the gateway authorizer to the api in the apigw_user_id header. The APIGW authorizer function is more used just for authentication and could potentially return None as the value for apigw_user_id and it would be up to the view to decide whether an authenticated user is required. However, if I deliberately make a request with an unauthtenticated user, but manually supply a apigw_user_id header, that header is passed straight to my function essentially bypassing the authorizer.
Expected Behavior
Headers defined in context_header_mappings should always override manually passed headers if the Authorizer supplies a value for them ( even if the value is None )
Actual Behavior
If an Authorizer returns None for a context variable, then the value from any HTTP header matching that name is used instead.
Create an external lambda authorizer function returning the authenticated user id ( or None ) in a context variable
Attach the authorizer to a zappa deployed function
Include context_header_mappings in zappa_settings.json mapping the apigw context variable to an HTTP header
Make a curl request to the deployed api, omitting any Authorization tokens required by the gateway, but include the header mapped from the context variable
The mapped header is passed directly to the function, overriding whatever the gateway has returned
Note - I'm just using zappa to package my function and manually deploying to an existing gateway with the authorizer function attached using the AWS console.
Context
I'm using an external lambda authorizer on APIGateway and returning some user info in the context that will be consumed by my api. I'm using the context_header_mappings setting to pass the user_id from the gateway authorizer to the api in the
apigw_user_id
header. The APIGW authorizer function is more used just for authentication and could potentially return None as the value forapigw_user_id
and it would be up to the view to decide whether an authenticated user is required. However, if I deliberately make a request with an unauthtenticated user, but manually supply aapigw_user_id
header, that header is passed straight to my function essentially bypassing the authorizer.Expected Behavior
Headers defined in
context_header_mappings
should always override manually passed headers if the Authorizer supplies a value for them ( even if the value is None )Actual Behavior
If an Authorizer returns None for a context variable, then the value from any HTTP header matching that name is used instead.
Possible Fix
Alter function here: https://github.com/Miserlou/Zappa/blob/6ab48b0db4ce1679935a36a63d44b4fca183632b/zappa/wsgi.py#L46 to favour values passed from the APIGW Authorizer context over any value passed in the original header.
Steps to Reproduce
Your Environment
pip freeze
:zappa_settings.py
: