Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(apigatewayv2): Allow to set Lambda authorizer for WebSocket API #13869

Closed
1 of 2 tasks
tmokmss opened this issue Mar 30, 2021 · 8 comments · Fixed by #16886
Closed
1 of 2 tasks

(apigatewayv2): Allow to set Lambda authorizer for WebSocket API #13869

tmokmss opened this issue Mar 30, 2021 · 8 comments · Fixed by #16886
Labels
@aws-cdk/aws-apigatewayv2-authorizers Related to aws-apigatewayv2-authorizers package @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@tmokmss
Copy link
Contributor

tmokmss commented Mar 30, 2021

Please allow us to set a Lambda authorizer for a WebSocket API.
Currently we cannot set it because there's no interface for it.

Use Case

Restrict access to a WebSocket API by cognito auth or other auth method.

Proposed Solution

Setting an authorizer for a WebSocket API is simple.
You must only set authorizationType and authorizerId when creating a CfnRoute to $connect
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-route.html

Because you can only set authorizer for $connect route.

And there's only one authorizer type; LambdaAuthorizer.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@tmokmss tmokmss added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Mar 30, 2021
@github-actions github-actions bot added @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 @aws-cdk/aws-lambda Related to AWS Lambda labels Mar 30, 2021
@nija-at nija-at added @aws-cdk/aws-apigatewayv2-authorizers Related to aws-apigatewayv2-authorizers package effort/medium Medium work item – several days of effort p2 and removed @aws-cdk/aws-lambda Related to AWS Lambda @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2021
@nija-at
Copy link
Contributor

nija-at commented Apr 13, 2021

We are unassigning and marking this issue as p2, which means that we are unable to work on this immediately.
We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

@nija-at
Copy link
Contributor

nija-at commented Apr 13, 2021

Originally posted by @michaelgmcd in #14085 (comment)

I was able to get to to work with a patch:

const wsApi = new WebSocketApi(stack, 'wsApi', {
    routeSelectionExpression: '$request.body.action',
    disconnectRouteOptions: {
      integration: new LambdaWebSocketIntegration({
        handler: lambdas.wsDisconnect,
      }),
    },
    defaultRouteOptions: {
      integration: new LambdaWebSocketIntegration({
        handler: lambdas.wsDefault,
      }),
    },
  });

  new WebSocketStage(stack, 'wsStage', {
    webSocketApi: wsApi,
    stageName: 'ws',
    autoDeploy: true,
    domainMapping: { domainName: wsDomainName },
  });

  const wsAuthorizer = new CfnAuthorizer(stack, 'WSAuthorizer', {
    name: 'wsAuthorizer',
    apiId: wsApi.apiId,
    authorizerType: 'REQUEST',
    authorizerUri: `arn:aws:apigateway:${constants.region}:lambda:path/2015-03-31/functions/${lambdas.wsAuth.functionArn}/invocations`,
    identitySource: ['route.request.querystring.token'],
  });

  wsApi.addRoute('$connect', {
    // @ts-ignore
    authorizerId: wsAuthorizer.ref,
    authorizationType: 'CUSTOM',
    integration: new LambdaWebSocketIntegration({
      handler: lambdas.wsConnect,
    }),
  });

node_modules/@aws-cdk/aws-apigatewayv2/lib/websocket/route.js

class WebSocketRoute extends core_1.Resource {
    /**
     * @experimental
     */
    constructor(scope, id, props) {
        super(scope, id);
        this.webSocketApi = props.webSocketApi;
        this.routeKey = props.routeKey;
        const config = props.integration.bind({
            route: this,
            scope: this,
        });
        const integration = props.webSocketApi._addIntegration(this, config);
        const route = new apigatewayv2_generated_1.CfnRoute(this, 'Resource', {
            apiId: props.webSocketApi.apiId,
            routeKey: props.routeKey,
            target: `integrations/${integration.integrationId}`,
            authorizerId: props.authorizerId, // <========================== Added this
            authorizationType: props.authorizationType, // <=================== Added this
        });
        this.routeId = route.ref;
    }
}

@tmokmss
Copy link
Contributor Author

tmokmss commented Apr 14, 2021

Also there is a sample for adding Lambda authorizer to a WebSocket API written in TypeScript.
https://github.com/aws-samples/websocket-api-cognito-auth-sample/blob/main/cdk/lib/construct/websocket.ts

@fr-an-k
Copy link

fr-an-k commented Oct 9, 2021

+1

@nija-at nija-at removed their assignment Nov 25, 2021
@mergify mergify bot closed this as completed in #16886 Dec 14, 2021
mergify bot pushed a commit that referenced this issue Dec 14, 2021
closes #13869

By this PR, you will be able to enable WebSocket authorizer as the below code:

```ts
    const integration = new LambdaWebSocketIntegration({
      handler,
    });
    const authorizer = new WebSocketLambdaAuthorizer('Authorizer', authHandler);
    new WebSocketApi(stack, 'WebSocketApi', {
      connectRouteOptions: {
        integration,
        authorizer,
      },
    });
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
closes aws#13869

By this PR, you will be able to enable WebSocket authorizer as the below code:

```ts
    const integration = new LambdaWebSocketIntegration({
      handler,
    });
    const authorizer = new WebSocketLambdaAuthorizer('Authorizer', authHandler);
    new WebSocketApi(stack, 'WebSocketApi', {
      connectRouteOptions: {
        integration,
        authorizer,
      },
    });
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@wakeupmh
Copy link

@tmokmss @nija-at Did u have an example using an user pool and authorizerType with cognito?

@tmokmss
Copy link
Contributor Author

tmokmss commented Dec 20, 2022

@wakeupmh
Hi, here's an example for that. https://github.com/aws-samples/websocket-api-cognito-auth-sample/tree/main/cdk

You have to create a Lambda function to verify JWTs (implementation is very simple thanks to aws-jwt-veryfy lib), and use the function as a Lambda authorizer.

@wakeupmh
Copy link

@tmokmss in my case I translated to use L1 constructs anyway everything works fine, thanks a lot by your attention

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-apigatewayv2-authorizers Related to aws-apigatewayv2-authorizers package @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants