dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License
5.2k stars 793 forks

feat: request authorizers with null identitySource should return 401 #1618

rion18 closed 1 year ago

rion18 commented 1 year ago

Description

According to the official Amazon docs, whenever you set a request authorizer with a specific identity source, such as $request.header.Authorization, and a request comes WITHOUT this identity source, then API Gateway responds with a 401 Unauthorized error.

Motivation and Context

Currently, when doing a request to a function that has an Authorizer attached to it, if the identitySource is not present on the request, then serverless-offline responds with an error 500. I've made the change so it returns a 401 instead.

How Has This Been Tested?

The request-authorizers suite of tests has been updated with a new test case per describe block (this change applies to payload format 1.0, 2.0 with simple response, with headers/query params).

We previously had a test with description "should fail with an Unauthorized error". Now, we have TWO tests, one with description "should fail with an Unauthorized error when identity source is explicitly not handled" and another one with "should fail with an Unauthorized error when identity source is not present on the request".
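
The behaviour described in this PR, as an added example (not code from the PR or from serverless-offline): the configured identity sources are resolved first, and a missing or empty one yields a 401 without the authorizer being invoked. The function names, the regex, the return shape and the sample requests are assumptions; only `$request.header.*` and `$request.querystring.*` sources are handled.

```javascript
// Added example; names are hypothetical, not serverless-offline internals.
const SOURCE_RE = /^\$request\.(header|querystring)\.([\w-]+)$/

// Resolve one identity source expression; returns undefined when absent.
function resolveIdentitySource(expression, request) {
  const match = SOURCE_RE.exec(expression.trim())
  if (!match) throw new Error(`unsupported identity source: ${expression}`)
  const [, kind, name] = match
  if (kind === 'querystring') return (request.query ?? {})[name]
  // Header names are case-insensitive.
  const headers = request.headers ?? {}
  const key = Object.keys(headers).find(
    (h) => h.toLowerCase() === name.toLowerCase(),
  )
  return key === undefined ? undefined : headers[key]
}

// Gate in front of the authorizer: a missing or empty identity source yields
// 401 and the authorizer function is never invoked.
function authorize(identitySources, request, authorizer) {
  const values = identitySources.map((s) => resolveIdentitySource(s, request))
  if (values.some((v) => v === undefined || v === null || v === '')) {
    return { statusCode: 401, authorizerInvoked: false }
  }
  return { authorizerInvoked: true, result: authorizer({ identitySource: values }) }
}

// Constructed authorizer (simple response format). It would throw on a null
// identity source, which is how a missing header can surface as a 500.
function sampleAuthorizer(event) {
  const [scheme, token] = event.identitySource[0].split(' ')
  return { isAuthorized: scheme === 'Bearer' && token === 'constructed-token' }
}

// Constructed requests.
const sources = ['$request.header.Authorization']
const withHeader = { headers: { authorization: 'Bearer constructed-token' } }
const badToken = { headers: { Authorization: 'Bearer wrong' } }
const noHeader = { headers: { accept: 'application/json' } }

console.log(authorize(sources, withHeader, sampleAuthorizer))
console.log(authorize(sources, badToken, sampleAuthorizer))
console.log(authorize(sources, noHeader, sampleAuthorizer))
```
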

dnalborczyk commented 1 year ago

thank you again @rion18 !! much appreciated!

rion18 commented 1 year ago

My pleasure.

kohanian commented 1 year ago

@rion18 thanks for fixing this!