dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License

REST API authorizer validation only allows for one identitySource header #1674

Open kevinhankens opened 1 year ago

kevinhankens commented 1 year ago

Bug Report

Greetings! I have found that when validating REST API authorizers it only allows for one identitySource header. For caching, multiple headers are allowed.

According to the REST API docs:

In this case, your identitySource could contain multiple entries for your policy cache.

Current Behavior

Using something like the following will fail to start:

    events:
      - http:
          path: api/v1/endpoint
          method: post
          authorizer:
            name: custom-authorizer
            type: request
            resultTtlInSeconds: 3600
            identitySource: method.request.header.Authorization, method.request.header.AnotherHeader

Errors with:

Error: Serverless Offline only supports retrieving tokens from headers and querystring parameters (λ: custom-authorizer)

Sample Code

Here's a link to the code

Expected behavior/code

The above example should start offline.

Environment

Possible Solution

diff --git src/events/http/createAuthScheme.js src/events/http/createAuthScheme.js
index 71b56a70..37447aa0 100644
--- src/events/http/createAuthScheme.js
+++ src/events/http/createAuthScheme.js
@@ -270,7 +270,8 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
     authorizerOptions.type !== 'request' ||
     authorizerOptions.identitySource
   ) {
-    const headerRegExp = /^(method.|\$)request.header.((?:\w+-?)+\w+)$/
+    // Only validate the first of N possible headers.
+    const headerRegExp = /^(method.|\$)request.header.((?:\w+-?)+\w+).*$/
     const queryStringRegExp =
       /^(method.|\$)request.querystring.((?:\w+-?)+\w+)$/
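Review bot: appending `.*$` to `headerRegExp` on the `+    const headerRegExp = ...` line does make startup succeed for the comma-separated value in the report, but only the first entry is ever validated or extracted; anything after the first comma, including a querystring source or a typo, is accepted silently, and since `queryStringRegExp` is unchanged a list whose first entry is a querystring parameter still fails with the same error. Consider splitting `authorizerOptions.identitySource` on commas, trimming each entry and running it through the unchanged regexes, so every configured source reaches the REQUEST authorizer and malformed entries are still rejected at startup; the comment "Only validate the first of N possible headers." should then go, as it documents a limitation rather than the intended behaviour.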

Additional context/Screenshots

kevinhankens commented 1 year ago

Greetings! Any chance of taking a look at this and the accompanying PR? We currently have to use an odd workflow to patch this for local development. Would be really helpful to get some movement on this. Thanks in advance!

kevinhankens commented 1 year ago

Hello again 😉 Kindly asking for assistance with this one.

EhsanSepehriNasab commented 9 months ago

Amazing Work @kevinhankens! Thanks for fixing this.

I think this issue should be closed now. For someone who has this issue in serverless offline: You could fix this problem in a tricky way like adding the isOffline variable to your environment and passing only one header to identitySource.


    identitySource: conf(GlobalConfig, 'IS_OFFLINE', false)
      ? 'method.request.header.x-api-key'
      : 'method.request.header.x-api-key, method.request.header.x-secret-key',
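The multi-entry identitySource handling this issue asks for, as an added example that is not serverless-offline's own code: it splits the comma-separated value, validates every entry against header/querystring patterns modelled on the ones in createAuthScheme.js (with the dots escaped), and then checks a request the way a REQUEST authorizer does, where every configured source must be present. The `parseIdentitySources`, `collectIdentity` names and the request shape are assumptions.

```javascript
// Added example (not serverless-offline's code): parse a REST API authorizer
// identitySource that lists several comma-separated entries, the case the
// issue reports as failing at startup. Patterns follow createAuthScheme.js,
// with the '.' characters escaped so they match only literal dots.
const HEADER_RE = /^(method\.|\$)request\.header\.((?:\w+-?)+\w+)$/
const QUERY_RE = /^(method\.|\$)request\.querystring\.((?:\w+-?)+\w+)$/

// Returns one { kind, name } per entry; throws the project's startup error
// for any entry that is neither a header nor a querystring source.
function parseIdentitySources(identitySource, authorizerName = 'authorizer') {
  return identitySource
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean)
    .map((entry) => {
      const header = entry.match(HEADER_RE)
      if (header) return { kind: 'header', name: header[2] }
      const query = entry.match(QUERY_RE)
      if (query) return { kind: 'querystring', name: query[2] }
      throw new Error(
        `Serverless Offline only supports retrieving tokens from headers and querystring parameters (λ: ${authorizerName})`,
      )
    })
}

// Collect the configured identity values from a request (assumed shape:
// { headers: {...}, query: {...} }). Like API Gateway's REQUEST authorizer,
// a missing source means the request is rejected before the Lambda runs.
function collectIdentity(sources, request) {
  // HTTP header names are case-insensitive, so compare them lowercased.
  const headers = Object.fromEntries(
    Object.entries(request.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  )
  const query = request.query || {}
  const values = {}
  for (const { kind, name } of sources) {
    const value = kind === 'header' ? headers[name.toLowerCase()] : query[name]
    if (value === undefined || value === '') {
      return { ok: false, missing: `${kind}:${name}` }
    }
    values[`${kind}:${name}`] = value
  }
  return { ok: true, values }
}

// Constructed sample: the two-header identitySource from the bug report.
const sources = parseIdentitySources(
  'method.request.header.Authorization, method.request.header.AnotherHeader',
  'custom-authorizer',
)
console.log(sources, collectIdentity(sources, { headers: { authorization: 'Bearer t' } }))
```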