无服务器框架 - Lambda 函数与 Authorizer COGNITO_USER_POOLS 总是 return "Unauthorized"
Serverless framework - Lambda function with Authorizer COGNITO_USER_POOLS always return "Unauthorized"
我不知道我的授权有什么问题。
我有一个 Hello 函数,它只有 returns 一条简单的静态消息。如果我在没有设置 "Authorizer" 的情况下进行部署,它会起作用。我已经在 Postman 上测试过了。当我尝试添加 Authorizer 时,问题就开始了。
我的 Cognito 已完全正常工作。在我的前端,我可以注册,然后登录,然后从此登录会话获取令牌。
当我去 Postman 测试时,我总是得到 "unauthorized" 作为答案。
在 Postman 上,我测试了 GET 方法,在 "Headers" 选项卡上,我添加了 "Authorization" 属性,并在值上粘贴了我从登录会话中获得的令牌。我还在一些地方推荐的前缀 "bearer" 的值字段上测试了这个。没有成功。
过去一周我一直在尝试解决这个问题。拜托,任何帮助都将非常有用。
serverless.yml
provider:
name: aws
runtime: nodejs10.x
stage: dev
region: eu-west-1
environment:
MY_TABLE: ${self:custom.myStage}_${self:custom.settings.tb_items}
MY_STAGE: ${self:custom.myStage}
MY_DOMAIN: ${self:custom.myDomain}
iamRoleStatements:
- Effect: "Allow"
Action:
- "dynamodb:GetItem"
- "dynamodb:PutItem"
- "dynamodb:UpdateItem"
- "dynamodb:DeleteItem"
- "dynamodb:Scan"
Resource: "*"
functions:
hello:
handler: ${self:custom.pathFunc}/phraseOption.hello
events:
- http:
method: GET
path: hello
cors: true
integration: lambda-proxy
authorizer:
type: COGNITO_USER_POOLS
authorizerId:
Ref: ApiGatewayAuthorizer
resources:
Resources:
CognitoUserPool:
Type: "AWS::Cognito::UserPool"
DeletionPolicy: Retain
Properties:
MfaConfiguration: OFF
UserPoolName: ${self:custom.myStage}_aePool
EmailVerificationSubject: 'Your verification Code'
EmailVerificationMessage: 'Use this code to confirm your sign up {####}'
AutoVerifiedAttributes:
- email
UsernameAttributes:
- email
Policies:
PasswordPolicy:
MinimumLength: 6
RequireLowercase: False
RequireNumbers: False
RequireSymbols: False
RequireUppercase: False
CognitoUserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
DeletionPolicy: Retain
Properties:
ClientName: ${self:custom.myStage}_aePoolClient
GenerateSecret: False
UserPoolId:
Ref: CognitoUserPool
ApiGatewayAuthorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
Name: CognitoUserPool
Type: COGNITO_USER_POOLS
IdentitySource: method.request.header.Authorization
RestApiId:
Ref: ApiGatewayRestApi
ProviderARNs:
- Fn::GetAtt:
- CognitoUserPool
- Arn
phraseOptions.js
module.exports.hello = (event, context, callback) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'Your function executed successfully!',
input: event,
}),
};
callback(null, response);
};
I can see the function was created with the correct Auth:
Also Authorizer create as expected (I guess)
Swagger
---
swagger: "2.0"
info:
version: "2019-10-07T21:24:17Z"
title: "XXXXXX"
host: "XXXXXX"
basePath: "/dev"
schemes:
- "https"
paths:
/getPhrase:
get:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/hello:
get:
responses: {}
security:
- CognitoUserPool: []
/item:
post:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/item/{itemId}:
get:
responses: {}
put:
responses: {}
delete:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/items:
get:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
securityDefinitions:
CognitoUserPool:
type: "apiKey"
name: "Authorization"
in: "header"
x-amazon-apigateway-authtype: "cognito_user_pools"
我知道哪里出了问题!
服务器端正常。在 Postman 上测试它的问题是令牌。
我使用的是 "cognitoUser.signInUserSession.accessToken.jwtToken",但应该是 "cognitoUser.signInUserSession.idToken.jwtToken"。
现在一切正常。
我不知道我的授权有什么问题。
我有一个 Hello 函数,它只有 returns 一条简单的静态消息。如果我在没有设置 "Authorizer" 的情况下进行部署,它会起作用。我已经在 Postman 上测试过了。当我尝试添加 Authorizer 时,问题就开始了。
我的 Cognito 已完全正常工作。在我的前端,我可以注册,然后登录,然后从此登录会话获取令牌。
当我去 Postman 测试时,我总是得到 "unauthorized" 作为答案。 在 Postman 上,我测试了 GET 方法,在 "Headers" 选项卡上,我添加了 "Authorization" 属性,并在值上粘贴了我从登录会话中获得的令牌。我还在一些地方推荐的前缀 "bearer" 的值字段上测试了这个。没有成功。
过去一周我一直在尝试解决这个问题。拜托,任何帮助都将非常有用。
serverless.yml
provider:
name: aws
runtime: nodejs10.x
stage: dev
region: eu-west-1
environment:
MY_TABLE: ${self:custom.myStage}_${self:custom.settings.tb_items}
MY_STAGE: ${self:custom.myStage}
MY_DOMAIN: ${self:custom.myDomain}
iamRoleStatements:
- Effect: "Allow"
Action:
- "dynamodb:GetItem"
- "dynamodb:PutItem"
- "dynamodb:UpdateItem"
- "dynamodb:DeleteItem"
- "dynamodb:Scan"
Resource: "*"
functions:
hello:
handler: ${self:custom.pathFunc}/phraseOption.hello
events:
- http:
method: GET
path: hello
cors: true
integration: lambda-proxy
authorizer:
type: COGNITO_USER_POOLS
authorizerId:
Ref: ApiGatewayAuthorizer
resources:
Resources:
CognitoUserPool:
Type: "AWS::Cognito::UserPool"
DeletionPolicy: Retain
Properties:
MfaConfiguration: OFF
UserPoolName: ${self:custom.myStage}_aePool
EmailVerificationSubject: 'Your verification Code'
EmailVerificationMessage: 'Use this code to confirm your sign up {####}'
AutoVerifiedAttributes:
- email
UsernameAttributes:
- email
Policies:
PasswordPolicy:
MinimumLength: 6
RequireLowercase: False
RequireNumbers: False
RequireSymbols: False
RequireUppercase: False
CognitoUserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
DeletionPolicy: Retain
Properties:
ClientName: ${self:custom.myStage}_aePoolClient
GenerateSecret: False
UserPoolId:
Ref: CognitoUserPool
ApiGatewayAuthorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
Name: CognitoUserPool
Type: COGNITO_USER_POOLS
IdentitySource: method.request.header.Authorization
RestApiId:
Ref: ApiGatewayRestApi
ProviderARNs:
- Fn::GetAtt:
- CognitoUserPool
- Arn
phraseOptions.js
module.exports.hello = (event, context, callback) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'Your function executed successfully!',
input: event,
}),
};
callback(null, response);
};
I can see the function was created with the correct Auth:
Also Authorizer create as expected (I guess)
Swagger
---
swagger: "2.0"
info:
version: "2019-10-07T21:24:17Z"
title: "XXXXXX"
host: "XXXXXX"
basePath: "/dev"
schemes:
- "https"
paths:
/getPhrase:
get:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/hello:
get:
responses: {}
security:
- CognitoUserPool: []
/item:
post:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/item/{itemId}:
get:
responses: {}
put:
responses: {}
delete:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
/items:
get:
responses: {}
options:
consumes:
- "application/json"
produces:
- "application/json"
responses:
200:
description: "200 response"
headers:
Access-Control-Allow-Origin:
type: "string"
Access-Control-Allow-Methods:
type: "string"
Access-Control-Allow-Credentials:
type: "string"
Access-Control-Allow-Headers:
type: "string"
securityDefinitions:
CognitoUserPool:
type: "apiKey"
name: "Authorization"
in: "header"
x-amazon-apigateway-authtype: "cognito_user_pools"
我知道哪里出了问题!
服务器端正常。在 Postman 上测试它的问题是令牌。 我使用的是 "cognitoUser.signInUserSession.accessToken.jwtToken",但应该是 "cognitoUser.signInUserSession.idToken.jwtToken"。
现在一切正常。