[x] Create a new service, called authorization-service, with its own serverless.yml file at the same level as product and import services.
[x] The backend project structure should look like:
backend-repository/product-service
backend-repository/import-service
backend-repository/authorization-service
[x] Create basicAuthorizer lambda function in authorization service in serverless.yml file. This lambda should have at least one environment variable with credentials: {yours_github_account_login}=TEST_PASSWORD
[x] The basicAuthorizer lambda should take the Basic authorization_token, decode it and check that the credentials carried by the token match the ones stored in the lambda environment variable.
[x] This lambda should return 403 HTTP status if access is denied for this user (invalid authorization_token) and 401 HTTP status if Authorization header is not provided.
[x] Use .env file and serverless-dotenv-plugin serverless plugin to add environment variables to the lambda. Add .env file to .gitignore file.
Task 7.2
[x] Add Lambda authorization (basicAuthorizer lambda) to the /import path of the import-service API Gateway.
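Configuration for Task 7.1 and 7.2 together, as an added example rather than the repository's own serverless.yml files. Service names, runtime, region, handler paths and the stack name authorization-service-dev are assumptions; the output key BasicAuthorizerLambdaFunctionQualifiedArn follows the Serverless Framework convention of exporting <FunctionName>LambdaFunctionQualifiedArn for every function.

```yaml
# --- authorization-service/serverless.yml (added example; names are assumptions) ---
service: authorization-service
frameworkVersion: '3'

plugins:
  - serverless-dotenv-plugin   # reads .env (listed in .gitignore) and, by default, injects every
                               # variable it finds into the function environment

provider:
  name: aws
  runtime: nodejs18.x
  region: eu-west-1

functions:
  basicAuthorizer:
    handler: handler.basicAuthorizer
    # .env holds one line of the form  <your_github_login>=TEST_PASSWORD ;
    # nothing secret is written here, so the file can be committed.

# --- import-service/serverless.yml, relevant fragment (added example) ---
functions:
  importProductsFile:
    handler: handler.importProductsFile
    events:
      - http:
          path: import
          method: get
          cors: true
          authorizer:
            name: basicAuthorizer
            # the function lives in another stack: reference the ARN that stack exports
            arn: ${cf:authorization-service-dev.BasicAuthorizerLambdaFunctionQualifiedArn}
            type: token
            identitySource: method.request.header.Authorization
            resultTtlInSeconds: 0   # no per-token caching of Allow/Deny while checking 401/403

resources:
  Resources:
    # API Gateway generates the 401/403 responses itself, without the lambda's CORS headers;
    # these gateway responses add them so the browser sees the status instead of a CORS error.
    GatewayResponseUnauthorized:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseType: UNAUTHORIZED
        StatusCode: '401'
        RestApiId:
          Ref: ApiGatewayRestApi
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
    GatewayResponseAccessDenied:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseType: ACCESS_DENIED
        StatusCode: '403'
        RestApiId:
          Ref: ApiGatewayRestApi
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
```

Deploy authorization-service first, since the ${cf:...} lookup resolves at import-service deploy time. resultTtlInSeconds: 0 is set for the self-check only; with the default cache a Deny for a given token is remembered for five minutes, which makes the 403 checks confusing.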
Task 7.3
[x] Requests from the client application to the /import path of the import-service should carry a Basic Authorization header: Authorization: Basic authorization_token, where authorization_token is equal to base64-encoded({yours_github_account_login}:TEST_PASSWORD) (for example, Authorization: Basic sGLzdRxvZmw0ZXs0UGFzcw==). The client should read the authorization_token value from browser localStorage.
Self-Check
Main Tasks
[x] authorization-service is added to the repo, has correct basicAuthorizer lambda and correct serverless.yaml file
[x] The import-service serverless.yaml file has authorizer configuration for the importProductsFile lambda. Requests to the importProductsFile lambda should work only when a correct authorization_token is decoded and checked by the basicAuthorizer lambda. The response should have 403 HTTP status if access is denied for this user (invalid authorization_token) and 401 HTTP status if the Authorization header is not provided.
[x] Update the client application to send the Authorization: Basic authorization_token header on import. The client should read the authorization_token value from browser localStorage (https://developer.mozilla.org/ru/docs/Web/API/Window/localStorage): authorization_token = localStorage.getItem('authorization_token')
Score for main tasks: 5/5
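The client side of Task 7.3 and the self-check item above, as an added example that is not the course front-end's own index.tsx code: the token is read from localStorage, sent as a Basic header, and the 401/403 responses are reported to the user. The names encodeBasicToken, authHeaders, importProductsFile and STATUS_MESSAGES are assumptions, and the deps argument injects fetch, localStorage and alert so the same logic also runs under Node.

```javascript
// Added example, not the front-end's own code. Browser globals (fetch, localStorage, alert)
// are passed in through `deps` instead of being referenced directly.

// authorization_token is base64(login:password); the client stores this value in
// localStorage once, e.g. from the browser console.
function encodeBasicToken(login, password) {
  const raw = `${login}:${password}`;
  // btoa exists in browsers and Node >= 16; Buffer is the fallback for older Node
  return typeof btoa === 'function' ? btoa(raw) : Buffer.from(raw, 'binary').toString('base64');
}

// Build the Authorization header from storage. With no token stored, no header is sent
// at all, so the API answers 401 instead of the client sending a made-up value.
function authHeaders(storage) {
  const token = storage.getItem('authorization_token');
  return token ? { Authorization: `Basic ${token}` } : {};
}

// Messages shown for the two authorization failures the API can return.
const STATUS_MESSAGES = {
  401: 'Not authorized: no authorization_token found in localStorage',
  403: 'Access denied: authorization_token is not valid for this user',
};

// GET {baseUrl}/import?name=<file> on import-service with the Basic header.
// Returns a plain result object so the caller decides what to render.
async function importProductsFile(baseUrl, fileName, deps) {
  const { fetchImpl, storage, notify } = deps;
  const url = `${baseUrl}/import?name=${encodeURIComponent(fileName)}`;
  const response = await fetchImpl(url, { method: 'GET', headers: authHeaders(storage) });
  if (response.status === 401 || response.status === 403) {
    notify(STATUS_MESSAGES[response.status]); // the alert the optional task asks for
    return { ok: false, status: response.status };
  }
  if (!response.ok) return { ok: false, status: response.status };
  // body of a 200 response (in this course's import-service an upload URL; assumed here)
  return { ok: true, status: response.status, body: await response.text() };
}

// Browser usage (API base URL is an assumed placeholder):
// importProductsFile('https://<api-id>.execute-api.<region>.amazonaws.com/dev', file.name, {
//   fetchImpl: (...args) => fetch(...args),
//   storage: localStorage,
//   notify: (message) => alert(message),
// });
```

Mapping the status to a fixed message on the client keeps the server's reason out of the UI; the API already distinguishes "no token" (401) from "token rejected" (403), which is all the user needs to fix their localStorage value.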
Additional (optional) tasks
[x] The client application should display alerts for responses with 401 and 403 HTTP statuses. This behaviour should be added to the nodejs-aws-fe-main/src/index.tsx file
[ ] Just practice, no evaluation: add a Login page and protect the getProducts lambda with the Cognito Authorizer
Create a Cognito User Pool using the demo from the lecture. Leave email in the list of standard required attributes. The checkbox Allow users to sign themselves up should be checked. Also, set email as an attribute that you want to verify.
Add App Client to the User Pool
In the App client settings section select all Identity Providers. Fill the Callback URL(s) field with your Client Application URL (e.g. http://localhost:3000/). Allow only the Implicit grant OAuth flow. Allow all OAuth Scopes.
Create Domain name
After all of these steps you can open your login page by clicking the Launch Hosted UI link in the App client settings.
Provide this link to your reviewers; a reviewer can then confirm that everything works for them too.
Add Cognito authorizer to the getProducts lambda. Use Authorization as a Token Source
How to make sure that everything works as expected:
Open the login page and sign up a new user. Use a real email address to create this user.
Verify user using code from the email
After verification, and after every login, you will be redirected to the Client application. The URL should contain an id_token which can be used to access the getProducts lambda.
Call getProducts lambda using id_token as a value for the Authorization header
Remove authorization from getProducts after your task has been checked.
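The product-service side of the optional Cognito task, as an added example rather than the repository's own configuration: a Cognito User Pools authorizer on getProducts with Authorization as the token source, as the step above specifies. The handler path and the User Pool ARN placeholder are assumptions; the ARN comes from the pool you created in the console.

```yaml
# product-service/serverless.yml, relevant fragment (added example; not the repository's own file)
functions:
  getProducts:
    handler: handler.getProducts
    events:
      - http:
          path: products
          method: get
          cors: true
          authorizer:
            name: cognitoAuthorizer
            type: COGNITO_USER_POOLS
            # placeholder: replace with the ARN shown on the User Pool's overview page
            arn: arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/POOL_ID
            # the client sends the id_token from the redirect URL as the Authorization header value
            identitySource: method.request.header.Authorization
```

API Gateway validates the id_token's signature, issuer and expiry against the pool on every request, so no lambda code is needed for this authorizer; a missing or expired token is answered with 401 by the gateway itself. Remove the authorizer block again once the review is done, as the last step says.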
title,description,price,count
"Ветчина HAME Славянская, 340г","Ветчина HAME Славянская – это продукт, приготовленный на основе натуральных ингредиентов",670,2
"Блинчики SИБИРСКАЯ КОЛЛЕКЦИЯ с мясом, 800г","Блинчики SИБИРСКАЯ КОЛЛЕКЦИЯ с мясом, 800 г – аппетитный продукт из первосортной говядины и нежнейшего теста",613,122
"Бекон Венгерский ВЕЛКОМ варено-копченый, 500г","Удивите гостей вкусной закуской",263,134
"Колбаса из фанеры","Колбаса из фанеры не так уж и плоха на вкус как можно подумать",300,111
"Сыр Ромашка","Сделан не из ромашек",999,99
"Ещё что-нибудь?","Да, не помешает",12,2
Task Definition
Task definition from https://github.com/rolling-scopes-school/nodejs-aws-tasks/blob/main/task7-lambda%2Bcognito-authorization/task.md
Score for additional tasks: 1/1
Total score: 6/6
URLs
How to check FE App integration with API
Products CSV data sample
App FE testing steps (suggestion)
Test HTTP 200 response (authorization_token set to the correct value)
Test HTTP 403 response (wrong credentials)
Test HTTP 401 response (auth token absent)