From 74eee1e5b8fa404dde129f001b986d615f435c73 Mon Sep 17 00:00:00 2001
From: Kaizen Conroy <36202692+kaizen3031593@users.noreply.github.com>
Date: Fri, 7 Jan 2022 17:55:35 -0500
Subject: [PATCH] fix(apigatewayv2-authorizers): incorrect `identitySource`
 default for `WebSocketLambdaAuthorizer` (#18315)

We introduced `WebSocketLambdaAuthorizer` in #16886 with an incorrect default `identitySource`, according to these [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html#cfn-apigatewayv2-authorizer-identitysource). The result is that using the default `identitySource` results in a deploy-time failure.

This PR fixes the error and adds documentation for the syntax for all `identitySource` possibilities.

I can confirm that this default successfully passes `cdk deploy` on my local app.

Fixes #18307.

BREAKING CHANGE: `WebSocketLambdaAuthorizerProps.identitySource` default changes from `['$request.header.Authorization']` to `['route.request.header.Authorization']`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../aws-apigatewayv2-authorizers/lib/websocket/lambda.ts  | 8 ++++++--
 .../test/websocket/lambda.test.ts                         | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts
index 2e60cbdd7b547..8b5b5c6d3fc43 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts
@@ -28,7 +28,11 @@ export interface WebSocketLambdaAuthorizerProps {
   /**
    * The identity source for which authorization is requested.
    *
-   * @default ['$request.header.Authorization']
+   * Request parameter match `'route.request.querystring|header.[a-zA-z0-9._-]+'`.
+   * Staged variable match `'stageVariables.[a-zA-Z0-9._-]+'`.
+   * Context parameter match `'context.[a-zA-Z0-9._-]+'`.
+   *
+   * @default ['route.request.header.Authorization']
    */
   readonly identitySource?: string[];
 }
@@ -56,7 +60,7 @@ export class WebSocketLambdaAuthorizer implements IWebSocketRouteAuthorizer {
       this.authorizer = new WebSocketAuthorizer(options.scope, this.id, {
         webSocketApi: options.route.webSocketApi,
         identitySource: this.props.identitySource ?? [
-          '$request.header.Authorization',
+          'route.request.header.Authorization',
         ],
         type: WebSocketAuthorizerType.LAMBDA,
         authorizerName: this.props.authorizerName ?? this.id,
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts
index c171247801911..8a62d5731ac58 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts
@@ -35,7 +35,7 @@ describe('WebSocketLambdaAuthorizer', () => {
       Name: 'default-authorizer',
       AuthorizerType: 'REQUEST',
       IdentitySource: [
-        '$request.header.Authorization',
+        'route.request.header.Authorization',
       ],
     });