I have this listUsers function that worked perfectly with a Cognito authorizer, but now I have changed it to a Lambda authorizer and it returns a status 500 error.
From my serverless.yml:
provider:
  httpApi:
    cors: true
    authorizers:
      customAuthorizer:
        type: request
        functionName: custom-authorizer
functions:
  custom-authorizer:
    handler: authorizer.handler
  listUsers:
    handler: src/users/index.listUsersHandler
    events:
      - httpApi:
          path: /users
          method: get
          authorizer: customAuthorizer
And my authorizer.js:
const { CognitoJwtVerifier } = require('aws-jwt-verify');
const Cognito = require('../shared/Cognito');

module.exports.handler = async (event) => {
  const authHeader = event.headers.authorization;
  if (!authHeader) {
    console.log('No auth header');
    return {
      isAuthorized: false,
    };
  }
  // Take the token part of "Bearer <token>"
  const token = authHeader.split(' ')[1];
  console.log(token);
  const verifier = CognitoJwtVerifier.create({
    userPoolId: Cognito.UserPoolId,
    tokenUse: 'access',
    clientId: Cognito.ClientId,
  });
  let payload = null;
  try {
    payload = await verifier.verify(token);
    console.log('Token is valid. Payload:', payload);
    return {
      isAuthorized: true,
    };
  } catch {
    console.log('Token is invalid.');
    return { isAuthorized: false };
  }
};
When I make a GET request to /users, it is correctly routed to my custom authorizer, and in the logs I can see that the token is valid and the correct payload is present, but it never runs the actual listUsers function; in Postman I just get:
{
"message": "Internal Server Error"
}
Thank you very much for your time, this is my first time asking on a forum.
Edit: here are the CloudWatch logs:
INIT_START Runtime Version: nodejs:18.v15 Runtime Version ARN: arn:aws:lambda:sa-east-1::runtime:8ed78fdc4678dbafe30d2afe48bcfb27097048de7858a6fbbba5d19fdc3419db
START
2023-10-24 12:01:07.953 INFO Token is valid. Payload: {
sub: 'ff204cba-3d2a-4601-bcf2-e01255110057',
'cognito:groups': [ 'admin' ],
iss: 'https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_mXicciVLv',
client_id: '3mj10630847u5m2mcqpvcub2ji',
origin_jti: 'eaa20140-fe49-4a86-9fe6-4b0b3abbd165',
event_id: 'c3889f95-8172-41c1-9c35-f5291faa93f7',
token_use: 'access',
scope: 'aws.cognito.signin.user.admin',
auth_time: 1698159639,
exp: 1698177639,
iat: 1698159639,
jti: '771d216a-5eb5-4257-88fc-aab56b4dbaff',
username: '[email protected]'
}
END Duration: 120.84 ms (init: 959.38 ms) Memory Used: 116 MB
The expected output of a Lambda authorizer is essentially a principal identifier and a policy document (Allow/Deny for the API Gateway execution service action execute-api:Invoke). Your Lambda authorizer response is incorrect, and that is why you are getting the Internal Server Error:
return {isAuthorized: true};
As a good starting point, use the methodArn property on the event object (event.methodArn) as the resource. This is the ARN of the method the caller requested, and it is provided by AWS.
This function will return a minimal but correct authorizer response:
function generatePolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: effect,
        Resource: resource
      }]
    }
  };
}
Usage:
const authHeader = event.headers.authorization;
if (!authHeader) {
  console.log('No auth header');
  return generatePolicy('user', 'Deny', event.methodArn);
}
...
try {
  const payload = await verifier.verify(token);
  return generatePolicy('user', 'Allow', event.methodArn);
} catch {
  return generatePolicy('user', 'Deny', event.methodArn);
}
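A complete version of the policy-document approach described in the answer above, as an added example that is not part of the question or the answer. It assumes an injected `verifyToken` function in place of `aws-jwt-verify` so it runs offline, uses the token's `sub` claim as the principalId, forwards the Cognito groups to the backend through the authorizer `context`, and falls back to `event.routeArn` (the field HTTP API payload v2 uses) when `methodArn` is absent; `fakeVerify` and `sampleEvent` are constructed stand-ins, not real Cognito traffic.

```javascript
// Authorizer response shape API Gateway expects when simple responses are off:
// a principalId plus an IAM policy allowing/denying execute-api:Invoke.
function generatePolicy(principalId, effect, resource, context = {}) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
    context, // optional string/number/boolean values passed on to the integration
  };
}

// Return the bearer token from the Authorization header, or null if absent/malformed.
function extractBearerToken(headers = {}) {
  const value = headers.authorization || headers.Authorization;
  if (!value) return null;
  const [scheme, token, extra] = value.split(' ');
  return scheme === 'Bearer' && token && !extra ? token : null;
}
// Build the Lambda handler around an injected async verifier so the logic can be
// exercised offline; in production verifyToken would wrap CognitoJwtVerifier.verify.
function makeHandler(verifyToken) {
  return async (event) => {
    // REST API and HTTP API payload v1 expose methodArn; HTTP API v2 exposes routeArn.
    const resource = event.methodArn || event.routeArn;
    const token = extractBearerToken(event.headers);
    if (!token) return generatePolicy('anonymous', 'Deny', resource);
    try {
      const payload = await verifyToken(token);
      // Use the token subject as principalId and forward groups to the backend.
      return generatePolicy(payload.sub, 'Allow', resource, {
        groups: (payload['cognito:groups'] || []).join(','),
      });
    } catch (err) {
      console.error('Token verification failed:', err.message); // server-side log only
      return generatePolicy('anonymous', 'Deny', resource);
    }
  };
}
// Constructed stand-in verifier and event for local runs (assumed values, not real Cognito data).
const fakeVerify = async (token) => {
  if (token !== 'valid-token') throw new Error('invalid signature');
  return { sub: 'user-123', 'cognito:groups': ['admin'] };
};
const sampleEvent = {
  methodArn: 'arn:aws:execute-api:sa-east-1:123456789012:abc123/$default/GET/users',
  headers: { authorization: 'Bearer valid-token' },
};
makeHandler(fakeVerify)(sampleEvent).then((r) => console.log(JSON.stringify(r, null, 2)));
```

Note that the `Deny` branch still returns a well-formed policy, so a bad token produces a 403 from API Gateway rather than the 500 seen in the question.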