Closed ianic closed 2 years ago
This is related to authorizer caching. Usually we create a new token for each request using this method: https://github.com/mantil-io/mantil/blob/46823b28d010925c055fd174b05d96fa871c30fe/cli/cmd/project/context.go#L186
Since the claims are always the same (just the workspace name) we might end up generating the same token for two subsequent requests if they are close enough together. Then the second request will fail because the cached policy grants access to a different method.
I'll fix this by adding a Method field to the access token claims so that two requests to different backend methods never use the same token.
Ah, that is solved by configuring identity sources.
When caching is enabled for an authorizer, API Gateway uses the authorizer's identity sources as the cache key. If a client specifies the same parameters in identity sources within the configured TTL, API Gateway uses the cached authorizer result, rather than invoking your Lambda function.
Currently the only identity source is: $request.header.Authorization. Add the query string as well.
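As an added illustration of the caching behaviour discussed in this thread (example code written for this note, not mantil's own code): a small Go model of an API Gateway that caches authorizer results keyed on its configured identity sources. With only the Authorization header as an identity source, two back-to-back requests that carry the same token but target different routes share one cache entry, so the second request is evaluated against the first request's route-scoped policy; adding a query-string identity source that carries the method gives each route its own entry. The authorize function, the Gateway type, the route names and the `method` query parameter are constructed for the example, and the authorizer's policy is reduced to a single allowed route.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a simplified stand-in for the IAM policy a Lambda authorizer
// returns: the principal plus the single route the policy grants.
type Policy struct {
	Principal    string
	AllowedRoute string
}

// Request models the parts of an API Gateway request that matter here.
type Request struct {
	Route     string            // route key, e.g. "POST /deploy"
	AuthToken string            // value of the Authorization header
	Query     map[string]string // query-string parameters
}

// authorize mimics the Lambda authorizer (constructed for this example):
// it grants access only to the route the request asked for, which is why a
// cached policy for one route does not fit a request for another route.
func authorize(r Request) Policy {
	return Policy{Principal: "workspace:" + r.AuthToken, AllowedRoute: r.Route}
}

// Gateway caches authorizer results keyed on the configured identity
// sources, as API Gateway does when authorizer caching is enabled.
type Gateway struct {
	identitySources []string // e.g. "$request.header.Authorization"
	cache           map[string]Policy
	invocations     int // how often the authorizer actually ran
}

func newGateway(identitySources ...string) *Gateway {
	return &Gateway{identitySources: identitySources, cache: map[string]Policy{}}
}

// cacheKey joins the values of every identity source; requests whose
// identity-source values match share a cache entry.
func (g *Gateway) cacheKey(r Request) string {
	parts := make([]string, 0, len(g.identitySources))
	for _, src := range g.identitySources {
		switch {
		case src == "$request.header.Authorization":
			parts = append(parts, "auth="+r.AuthToken)
		case strings.HasPrefix(src, "$request.querystring."):
			name := strings.TrimPrefix(src, "$request.querystring.")
			parts = append(parts, name+"="+r.Query[name])
		}
	}
	return strings.Join(parts, "|")
}

// Handle returns the HTTP status the client would see: 200 when the
// (possibly cached) policy grants the requested route, 403 otherwise.
func (g *Gateway) Handle(r Request) int {
	key := g.cacheKey(r)
	p, ok := g.cache[key]
	if !ok {
		g.invocations++
		p = authorize(r)
		g.cache[key] = p
	}
	if p.AllowedRoute != r.Route {
		return 403
	}
	return 200
}

// scenario sends two back-to-back requests that reuse one token (same claims
// produce the same JWT) for two different routes and returns their statuses
// together with the number of authorizer invocations.
func scenario(sources ...string) (first, second, invocations int) {
	g := newGateway(sources...)
	token := "same-token-for-both-requests" // constructed sample value
	first = g.Handle(Request{Route: "POST /deploy", AuthToken: token, Query: map[string]string{"method": "deploy"}})
	second = g.Handle(Request{Route: "POST /data", AuthToken: token, Query: map[string]string{"method": "data"}})
	return first, second, g.invocations
}

func main() {
	a, b, n := scenario("$request.header.Authorization")
	fmt.Printf("header only:  %d %d (authorizer ran %d time(s))\n", a, b, n)
	a, b, n = scenario("$request.header.Authorization", "$request.querystring.method")
	fmt.Printf("header+query: %d %d (authorizer ran %d time(s))\n", a, b, n)
}
```

The first configuration reproduces the failure described above (the second request is denied by the cached policy for the other route); the second configuration makes the query-string method part of the cache key, so each route gets its own authorizer result.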
I played with this a bit; I tried adding an identity source that distinguishes the method, and it works as expected. But now I noticed another problem. Every time an authorization request uses the cache I get a 500 error. The only additional information I managed to extract is from the API Gateway access logs, where I get something like this:
{
"requestId": "HGQeGiXZliAEPSw=",
"ip": "93.142.91.220",
"requestTime": "12/Oct/2021:13:57:46 +0000",
"httpMethod": "POST",
"routeKey": "POST /deploy",
"status": "500",
"protocol": "HTTP/1.1",
"responseLength": "35",
"authError": "The response from the Lambda Authorizer function doesn't match the format that API Gateway expects. Invalid json in authorizer response"
}
I wonder how a cached response can have the wrong JSON format if it originally passed... I don't know how much sense it makes to investigate this further; currently caching is used very rarely because we constantly recreate the JWT tokens. One option is to turn caching off completely.
The method cannot go into the authorization token. I authorize someone into a role. This is a special case where I authorize myself. But when I authorize someone else, I create a token for them and send it, and they use it for some time. I give them one token per account. That is why the method cannot go inside.
When authorization is enabled, sometimes requests like data and security fail with a 500 error. This causes the CLI to hang because it is waiting for logs.