Feature Request: Cognito authorizer is not found when running sam local api #5131

Open
andrybicio opened this issue May 8, 2023 · 7 comments
Labels
area/local/start-api sam local start-api command type/feature Feature request

Comments

@andrybicio

Description:

I have an API Gateway whose default authorizer is Cognito, except for an endpoint (in this example /hello [GET]). I want to be able to test the API Gateway using Postman and get the whole AWS Lambda flow, in order to have the best developer experience as if I were in the cloud.
However, endpoints seem to not be protected, even though I have set it properly. It indeed works in the cloud, and the template for this is the one below.

Steps to reproduce:

This is a part of my template.yml

  Api:
    Type: AWS::Serverless::Api
    Properties:
      StageName: dev
      Cors:
        AllowMethods: "'GET,POST,OPTIONS,DELETE,PUT,PATCH'"
        AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
        AllowOrigin: "'*'"
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        AddDefaultAuthorizerToCorsPreflight: false
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt UserPool.Arn

  # Lambda functions
  # Hello World function
  # NOT protected method (i.e., endpoint is public)
  HelloWorld:
    Type: AWS::Serverless::Function
    BuildMethod: nodejs18.x
    Properties:
      FunctionName: "helloWorld"
      Handler: ./dist/functions/api-gateway/hello-world/handler.handler
      CodeUri: .
      Runtime: nodejs18.x
      Events:
        Submit:
          Type: Api
          Properties:
            Path: /hello
            Method: get
            RestApiId: !Ref Api
            Auth:
              Authorizer: NONE

  # Print the context
  # Protected method
  PrintRequestContext:
    Type: AWS::Serverless::Function
    BuildMethod: nodejs18.x
    Properties:
      FunctionName: "printContext"
      Handler: ./dist/functions/api-gateway/print-request-context/handler.handler
      CodeUri: .
      Runtime: nodejs18.x
      Events:
        Submit:
          Type: Api
          Properties:
            Path: /info
            Method: get
            RestApiId: !Ref Api

Observed result:

The output for the command sam local start-api --env-vars local.json -p 3001 --debug

2023-05-08 12:58:50,557 | Config file location: /home/andrea/authentication-template/backend/samconfig.toml
2023-05-08 12:58:50,557 | Config file '/home/andrea/authentication-template/backend/samconfig.toml' does not exist
2023-05-08 12:58:50,627 | Using SAM Template at /home/andrea/authentication-template/backend/template.yml
2023-05-08 12:58:50,683 | Using config file: samconfig.toml, config environment: default
2023-05-08 12:58:50,683 | Expand command line arguments to:
2023-05-08 12:58:50,683 | --template_file=/home/andrea/authentication-template/backend/template.yml --env_vars=local.json --port=3001 --host=127.0.0.1 --static_dir=public --layer_cache_basedir=/home/andrea/.aws-sam/layers-pkg --container_host=localhost --container_host_interface=127.0.0.1 
2023-05-08 12:58:50,802 | local start-api command is called
2023-05-08 12:58:50,873 | No Parameters detected in the template
2023-05-08 12:58:50,915 | There is no customer defined id or cdk path defined for resource Api, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,915 | There is no customer defined id or cdk path defined for resource HelloWorld, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,915 | There is no customer defined id or cdk path defined for resource PrintRequestContext, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,922 | 0 stacks found in the template
2023-05-08 12:58:50,922 | No Parameters detected in the template
2023-05-08 12:58:50,968 | There is no customer defined id or cdk path defined for resource Api, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,968 | There is no customer defined id or cdk path defined for resource HelloWorld, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,968 | There is no customer defined id or cdk path defined for resource PrintRequestContext, so we will use the resource logical id as the resource id
2023-05-08 12:58:50,981 | 25 resources found in the stack 
2023-05-08 12:58:50,981 | Found Serverless function with name='HelloWorld' and CodeUri='.'
2023-05-08 12:58:50,981 | --base-dir is not presented, adjusting uri . relative to /home/andrea/authentication-template/backend/template.yml
2023-05-08 12:58:50,981 | Found Serverless function with name='PrintRequestContext' and CodeUri='.'
2023-05-08 12:58:50,981 | --base-dir is not presented, adjusting uri . relative to /home/andrea/authentication-template/backend/template.yml
2023-05-08 12:58:50,985 | --base-dir is not presented, adjusting uri . relative to /home/andrea/authentication-template/backend/template.yml
2023-05-08 12:58:50,996 | Detected Inline Swagger definition
2023-05-08 12:58:50,997 | Parsing Swagger document using 2.0 specification
2023-05-08 12:58:50,997 | Lambda function integration not found in Swagger document at path='/hello' method='get'
2023-05-08 12:58:50,997 | Lambda function integration not found in Swagger document at path='/info' method='get'
2023-05-08 12:58:50,998 | Found '0' APIs in resource 'Api'
2023-05-08 12:58:50,998 | Found '0' authorizers in resource 'Api'
2023-05-08 12:58:50,998 | Authorizer 'CognitoAuthorizer' is currently unsupported (must be a Lambda Authorizer), skipping
2023-05-08 12:58:50,998 | Found '1' API Events in Serverless function with name 'HelloWorld'
2023-05-08 12:58:50,999 | Found '1' API Events in Serverless function with name 'PrintRequestContext'
2023-05-08 12:58:51,001 | Removed duplicates from '12' Explicit APIs and '0' Implicit APIs to produce '12' APIs
2023-05-08 12:58:51,002 | Linking authorizer skipped, route '/hello' is set to not use any authorizer.
2023-05-08 12:58:51,002 | Linking authorizer skipped for route '/info', authorizer 'None' is unsupported or not found
2023-05-08 12:58:51,004 | 12 APIs found in the template
2023-05-08 12:58:51,046 | Mounting PrintRequestContext at http://127.0.0.1:3001/info [GET, OPTIONS]
2023-05-08 12:58:51,047 | Mounting HelloWorld at http://127.0.0.1:3001/hello [GET, OPTIONS]
2023-05-08 12:58:51,047 | You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions, changes will be reflected instantly/automatically. If you used sam build before running local commands, you will need to re-run sam build for the changes to be picked up. You only need to restart SAM CLI if you update your AWS SAM template
2023-05-08 12:58:51,047 | Localhost server is starting up. Multi-threading = True
 * Tip: There are .env or .flaskenv files present. Do "pip install python-dotenv" to use them.
2023-05-08 12:58:51 WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:3001
2023-05-08 12:58:51 Press CTRL+C to quit

Expected result:

I would expect that only the /hello endpoint could be triggered without any authorizer, whereas the /info should have in the header some sort of token as I would do if it were deployed.

Additional environment details

{
  "version": "1.82.0",
  "system": {
    "python": "3.7.10",
    "os": "Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-debian-bullseye-sid"
  },
  "additional_dependencies": {
    "docker_engine": "23.0.5",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  }
}
@andrybicio andrybicio added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label May 8, 2023
@hnnasit
Contributor

hnnasit commented May 9, 2023

Hi @andrybicio, CognitoAuthorizer is currently not supported as mentioned in the command logs 2023-05-08 12:58:50,998 | Authorizer 'CognitoAuthorizer' is currently unsupported (must be a Lambda Authorizer), skipping. Marking this as a feature request.
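
An added example (not part of the issue thread or of SAM CLI): a Python check over the `--debug` output that separates routes that are public by design from routes whose authorizer was dropped by the local emulator. The message wording is taken from the 1.82.0 log quoted above and is assumed unchanged in other versions; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the --debug output quoted in this issue.
SAMPLE_LOG = """\
2023-05-08 12:58:50,998 | Authorizer 'CognitoAuthorizer' is currently unsupported (must be a Lambda Authorizer), skipping
2023-05-08 12:58:51,002 | Linking authorizer skipped, route '/hello' is set to not use any authorizer.
2023-05-08 12:58:51,002 | Linking authorizer skipped for route '/info', authorizer 'None' is unsupported or not found
2023-05-08 12:58:51,046 | Mounting PrintRequestContext at http://127.0.0.1:3001/info [GET, OPTIONS]
2023-05-08 12:58:51,047 | Mounting HelloWorld at http://127.0.0.1:3001/hello [GET, OPTIONS]
"""

# Patterns assume the log wording shown above (SAM CLI 1.82.0).
UNSUPPORTED = re.compile(r"Authorizer '([^']+)' is currently unsupported")
PUBLIC = re.compile(r"Linking authorizer skipped, route '([^']+)' is set to not use any authorizer")
DROPPED = re.compile(r"Linking authorizer skipped for route '([^']+)', authorizer '[^']*' is unsupported or not found")
MOUNT = re.compile(r"Mounting (\S+) at https?://[^/\s]+(/\S*) \[([^\]]*)\]")


def audit_local_auth(log_text):
    """Classify routes by what the local emulator did with their authorizer."""
    report = {"unsupported": [], "public_by_design": [], "auth_dropped": [], "mounted": {}}
    for line in log_text.splitlines():
        if m := UNSUPPORTED.search(line):
            report["unsupported"].append(m.group(1))
        elif m := PUBLIC.search(line):
            report["public_by_design"].append(m.group(1))
        elif m := DROPPED.search(line):
            report["auth_dropped"].append(m.group(1))
        elif m := MOUNT.search(line):
            function, path, methods = m.groups()
            report["mounted"][path] = (function, methods.split(", "))
    return report


def unenforced_routes(report):
    """Routes served locally with no authorizer although the template did not opt out."""
    return sorted(
        (path, report["mounted"][path][0])
        for path in report["auth_dropped"]
        if path in report["mounted"]
    )


if __name__ == "__main__":
    for path, function in unenforced_routes(audit_local_auth(SAMPLE_LOG)):
        print(f"{path} -> {function}: authorizer not enforced by sam local")
```

Any route this reports accepts unauthenticated requests locally, so a passing local test says nothing about how the deployed API treats a missing or invalid token.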

@hnnasit hnnasit added type/feature Feature request area/local/start-api sam local start-api command and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels May 9, 2023
@andrybicio andrybicio changed the title Bug: Cognito authorizer is not found when running sam local api Feature Request: Cognito authorizer is not found when running sam local api May 9, 2023
@redpulp

redpulp commented Jul 25, 2023

I second the Feature request! My only solution for testing locally is with a fallback user ID in my env vars, which is clumsy and has to be different for every developer

@scutta2000

This would be very useful; as it is, it's very hard to test anything Cognito-related locally.

@lscown

lscown commented Oct 10, 2023

If I could amplify this as a feature request - it's very frustrating having to skip over authorisation when working and testing locally.

@lucashuy
Contributor

Would it be possible to utilize the sam sync command to test Cognito authorizers? This deploys the template to CloudFormation, and any Lambda code changes are synced quickly without having to perform the typical infrastructure changes seen in sam deploy.

@AllanOricil

Any guidance on how to run APIs that use Cognito locally?

@marcosraul94

Same here, seems a pretty necessary feature for any Cognito + API Gateway dev experience.

8 participants