dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License

Custom Authorizer HowTo #69

Closed cspeer closed 8 years ago

cspeer commented 8 years ago

Hi there,

I'm using a custom authorizer and it works great when deployed to lambda and API Gateway, but serverless-offline never invokes my authorizer. So, my question is whether there is more configuration work to be done on my part or whether you could provide a simple walk-through of how to make serverless-offline respect a custom authorizer :)

Thanks a lot, Chris

dherault commented 8 years ago

Hi @cspeer, I did not write the code for that feature but I'll keep this issue open as a reminder whenever I decide to refactor this plugin and re-write the readme. In the meanwhile, maybe @johncmckim and #47 can help you.

cspeer commented 8 years ago

Thanks @dherault, it would really be great if you @johncmckim could take a look at this :)

johncmckim commented 8 years ago

@cspeer without being able to see your config it's hard to know what's going wrong. The custom authorizer implementation does have some limitations that are outlined in the README.

Have you tried running serverless offline with the --debugOffline flag? It should give you more details about what is happening.

cspeer commented 8 years ago

Fair enough. Here is my authorizer:

```json
{
  "name": "secure",
  "runtime": "nodejs4.3",
  "description": "Serverless Lambda function for project: Atameo",
  "customName": false,
  "customRole": false,
  "handler": "secure/handler.handler",
  "timeout": 6,
  "memorySize": 1024,
  "authorizer": {
    "type": "TOKEN",
    "identitySource": "method.request.header.Authorization",
    "authorizerResultTtlInSeconds": "300"
  },
  "custom": {
    "excludePatterns": []
  },
  "endpoints": [],
  "events": [],
  "environment": "$${default-environment}",
  "vpc": {
    "securityGroupIds": [],
    "subnetIds": []
  }
}
```

and here it is in action:

```json
"endpoints": [
  {
    "path": "Traveller",
    "method": "POST",
    "type": "AWS",
    "authorizationType": "custom",
    "authorizerFunction": "secure",
    "apiKeyRequired": false,
    "requestParameters": {},
    "requestTemplates": "$${rest-post}",
    "responses": "$${default-response}"
  }
]
```

johncmckim commented 8 years ago

@cspeer I would say this line of code is your issue: `if (endpoint.authorizationType === 'CUSTOM') {`

In all the examples I have seen the endpoint had an authorizationType of CUSTOM. I've never seen it lower case before. I would suggest changing your endpoint to use CUSTOM for now.

@dherault do you think the check should be case insensitive?

dherault commented 8 years ago

@johncmckim Yes it would be ok, unless it doesn't work when deploying :)

cspeer commented 8 years ago

@johncmckim nice catch! That was exactly it. However, during my research I came across custom as well as CUSTOM so I figured it wouldn't matter. Maybe it does matter. Deploying however @dherault works both ways, no error whether it's all lower or upper case.
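An added example, not part of the original thread or of serverless-offline's own code: a small pre-flight audit that flags endpoints whose `authorizationType` would fail the strict `=== 'CUSTOM'` comparison quoted above, so an authorizer that is enforced when deployed is not silently skipped during local testing. The function names (`strictMatch`, `looseMatch`, `auditEndpoints`) and the sample config are assumptions constructed for illustration; only the `path`, `method`, `authorizationType` and `authorizerFunction` fields come from the thread.

```javascript
'use strict';

// The strict comparison quoted in the thread; lower-case "custom" fails it.
const strictMatch = (ep) => ep.authorizationType === 'CUSTOM';

// Case-insensitive variant, as proposed in the thread (hypothetical helper).
const looseMatch = (ep) =>
  typeof ep.authorizationType === 'string' &&
  ep.authorizationType.trim().toUpperCase() === 'CUSTOM';

// Returns one finding per problem: an endpoint that asks for a custom
// authorizer but would be skipped by the strict check, or one that asks
// for a custom authorizer without naming the function to invoke.
function auditEndpoints(fnConfig) {
  const findings = [];
  for (const ep of fnConfig.endpoints || []) {
    if (!looseMatch(ep)) continue; // endpoint does not request a custom authorizer
    const endpoint = `${ep.method} ${ep.path}`;
    if (!strictMatch(ep)) {
      findings.push({ endpoint, issue: 'case-mismatch', value: ep.authorizationType });
    }
    if (!ep.authorizerFunction) {
      findings.push({ endpoint, issue: 'missing-authorizerFunction', value: ep.authorizationType });
    }
  }
  return findings;
}

// Constructed sample input: the first endpoint mirrors the one in the thread,
// the others are made up to exercise the remaining branches.
const sampleConfig = {
  endpoints: [
    { path: 'Traveller', method: 'POST', authorizationType: 'custom', authorizerFunction: 'secure' },
    { path: 'Traveller', method: 'GET', authorizationType: 'CUSTOM', authorizerFunction: 'secure' },
    { path: 'Health', method: 'GET', authorizationType: 'none' },
    { path: 'Admin', method: 'DELETE', authorizationType: 'Custom' },
  ],
};

const sampleFindings = auditEndpoints(sampleConfig);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Running a check like this before local testing makes a skipped authorizer visible as a finding instead of as an endpoint that quietly answers without authentication.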