mantil-io / mantil

Build your AWS Lambda-based Go backends quicker than ever
https://www.mantil.com
MIT License

Fix backend authorization #38

Closed ianic closed 2 years ago

ianic commented 2 years ago

When authorization is enabled, sometimes requests like data and security fail with a 500 error. This causes the cli to hang because it is waiting for logs.

djelusic commented 2 years ago

This is related to authorizer caching. Usually we create a new token for each request using this method: https://github.com/mantil-io/mantil/blob/46823b28d010925c055fd174b05d96fa871c30fe/cli/cmd/project/context.go#L186

Since the claims are always the same (just the workspace name) we might end up generating the same token for two subsequent requests if they are close enough together. Then the second request will fail because the cached policy grants access to a different method.

I'll fix this by adding a Method field to the access token claims so that two requests to different backend methods never use the same token.

ianic commented 2 years ago

Ah, that is solved by configuring the identity sources.

When caching is enabled for an authorizer, API Gateway uses the authorizer's identity sources as the cache key. If a client specifies the same parameters in identity sources within the configured TTL, API Gateway uses the cached authorizer result, rather than invoking your Lambda function.

Currently the identity sources contain only: $request.header.Authorization. Add the query string as well.
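As an added illustration of the two comments above (this is not code from the mantil project or from this thread), here is a small Go model of API Gateway's authorizer result cache, keyed on the configured identity sources. It replays two back-to-back CLI calls made within the same second, first with `$request.header.Authorization` as the only identity source and then with a constructed `$request.querystring.method` source added. The token issuer, the workspace list, the route-scoped policy and the cache itself are simplified stand-ins chosen for the demonstration, not the real CLI or gateway behaviour.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Request is a constructed stand-in for an API Gateway HTTP API request.
type Request struct {
	RouteKey   string // e.g. "POST /data"
	AuthHeader string // value of the Authorization header
	Query      string // raw query string, e.g. "method=data"
}

// Policy is the authorizer's decision: the token holder may call RouteKey.
type Policy struct {
	Allowed  bool
	RouteKey string
}

// IssueToken stands in for the CLI's per-request JWT. The claims are only the
// workspace plus a second-resolution issue time, so two requests made within
// the same second receive byte-identical tokens (the root cause in the thread).
func IssueToken(workspace string, issuedAt time.Time) string {
	return fmt.Sprintf("ws=%s;iat=%d", workspace, issuedAt.Unix())
}

func workspaceFromToken(token string) string {
	for _, kv := range strings.Split(token, ";") {
		if strings.HasPrefix(kv, "ws=") {
			return strings.TrimPrefix(kv, "ws=")
		}
	}
	return ""
}

// authorizerLambda is a simplified authorizer: it accepts tokens of known
// workspaces (a real one would verify a JWT signature) and returns a policy
// scoped to the route that triggered it, which is what makes a cached result
// wrong for a different route.
func authorizerLambda(r Request, knownWorkspaces map[string]bool) Policy {
	token := strings.TrimPrefix(r.AuthHeader, "Bearer ")
	if !knownWorkspaces[workspaceFromToken(token)] {
		return Policy{Allowed: false}
	}
	return Policy{Allowed: true, RouteKey: r.RouteKey}
}

type cacheEntry struct {
	policy  Policy
	expires time.Time
}

// Gateway models API Gateway's authorizer cache: the key is built from the
// values of the configured identity sources.
type Gateway struct {
	IdentitySources []string
	TTL             time.Duration
	Workspaces      map[string]bool
	Invocations     int // how often the authorizer Lambda actually ran
	cache           map[string]cacheEntry
}

func NewGateway(identitySources []string, ttl time.Duration) *Gateway {
	return &Gateway{
		IdentitySources: identitySources,
		TTL:             ttl,
		Workspaces:      map[string]bool{"demo": true}, // constructed workspace
		cache:           map[string]cacheEntry{},
	}
}

func (g *Gateway) cacheKey(r Request) string {
	q, _ := url.ParseQuery(r.Query)
	parts := make([]string, 0, len(g.IdentitySources))
	for _, src := range g.IdentitySources {
		switch {
		case src == "$request.header.Authorization":
			parts = append(parts, r.AuthHeader)
		case strings.HasPrefix(src, "$request.querystring."):
			parts = append(parts, q.Get(strings.TrimPrefix(src, "$request.querystring.")))
		}
	}
	return strings.Join(parts, "\x00")
}

// Authorize returns true when the (possibly cached) policy allows r's route.
func (g *Gateway) Authorize(r Request, now time.Time) bool {
	key := g.cacheKey(r)
	entry, ok := g.cache[key]
	if !ok || now.After(entry.expires) {
		g.Invocations++
		entry = cacheEntry{policy: authorizerLambda(r, g.Workspaces), expires: now.Add(g.TTL)}
		g.cache[key] = entry
	}
	return entry.policy.Allowed && entry.policy.RouteKey == r.RouteKey
}

// Scenario replays two CLI calls ("data" then "security") 200 ms apart and
// reports whether each was allowed and how many times the authorizer ran.
func Scenario(identitySources []string) (dataOK, securityOK bool, invocations int) {
	g := NewGateway(identitySources, 5*time.Minute)
	t0 := time.Date(2021, 10, 12, 13, 57, 46, 0, time.UTC) // constructed timestamp
	t1 := t0.Add(200 * time.Millisecond)                     // same second: same token
	dataOK = g.Authorize(Request{RouteKey: "POST /data", AuthHeader: "Bearer " + IssueToken("demo", t0), Query: "method=data"}, t0)
	securityOK = g.Authorize(Request{RouteKey: "POST /security", AuthHeader: "Bearer " + IssueToken("demo", t1), Query: "method=security"}, t1)
	return dataOK, securityOK, g.Invocations
}

func main() {
	headerOnly := []string{"$request.header.Authorization"}
	withQuery := []string{"$request.header.Authorization", "$request.querystring.method"}
	for _, srcs := range [][]string{headerOnly, withQuery} {
		d, s, n := Scenario(srcs)
		fmt.Printf("sources=%v data=%v security=%v invocations=%d\n", srcs, d, s, n)
	}
}
```

With the header as the only identity source the second call hits the cache and receives the policy scoped to `POST /data`, so `POST /security` is refused after a single authorizer invocation; adding the query string to the identity sources gives the two calls distinct cache keys, and both are allowed.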

djelusic commented 2 years ago

I played around with this a bit. I tried adding an identity source that distinguishes the method, and it works as expected. But now I've noticed another problem. Every time the authorization request uses the cache I get a 500 error. The only additional information I managed to extract is from the API Gateway access logs, where I get something like this:

{
    "requestId": "HGQeGiXZliAEPSw=",
    "ip": "93.142.91.220",
    "requestTime": "12/Oct/2021:13:57:46 +0000",
    "httpMethod": "POST",
    "routeKey": "POST /deploy",
    "status": "500",
    "protocol": "HTTP/1.1",
    "responseLength": "35",
    "authError": "The response from the Lambda Authorizer function doesn't match the format that API Gateway expects. Invalid json in authorizer response"
}

I wonder how a cached response can have an invalid JSON format if it originally passed... I don't know how much sense it makes to investigate this further; currently caching is used very rarely because we constantly recreate the JWT tokens. One option is to disable caching entirely.

ianic commented 2 years ago

The method cannot go into the authorization token. I authorize someone into a role. This is a special case where I authorize myself. But when I authorize someone else, I create a token for them and send it, and they use it for some time. I give them one token per account. That's why the method can't go inside.

djelusic commented 2 years ago

I reverted these changes and disabled caching on authorization. I opened a new issue for that.