Slobodan Stojanović
@stojanovic
If your custom authorizer is denying the request, you'll need to add Gateway Responses to API Gateway to add CORS headers for failed requests
Slobodan Stojanović
@stojanovic
Claudia will not set that out of the box for you. You can add that using the Web Console or AWS SDK/CLI
Bill Hainaut
@billhainaut
yes, but when I do, the next claudia build wipes it out.
Bill Hainaut
@billhainaut
do you have an aws cli example I can follow for setting API Gateway CORS headers?
Slobodan Stojanović
@stojanovic
Ah, ok, then I guess you'll need to do that in post deploy hook. Or we might be able to add that to Claudia if you have time to send PR ( @gojko what do you think? ). Unfortunately I'll not have time to do that in next two weeks for sure, but we can probably help with PR.
this is post deploy hook: https://github.com/claudiajs/example-projects/blob/master/web-api-postdeploy/web.js#L12
I'll check for the example for aws cli or sdk
And you probably need to set ACCESS_DENIED and DEFAULT_4xx
Gojko Adzic
@gojko
@stojanovic @billhainaut post-deploy would not work in this case, because it's done after the stage is deployed; we would need to add something similar to that, but execute it between lines 306 and 307 in rebuildWebApi (so between republishing and redeployment)
we could add a predeploy hook, for example
Slobodan Stojanović
@stojanovic
Or simply add support for gateway responses, I guess. But you are right, doing this in postDeploy hook will result in an error between deployment and adding gateway responses
Bill Hainaut
@billhainaut
It looks as if I could set api.customResponses() to a set of values needed, without changing any of what is in rebuild-web-api.js. Does that sound accurate?
this snippet looks promising:
api.setGatewayResponse('DEFAULT_4XX', {
  responseParameters: {
    'gatewayresponse.header.x-response-claudia': '\'yes\'',
    'gatewayresponse.header.x-name': 'method.request.header.name',
    'gatewayresponse.header.Access-Control-Allow-Origin': '\'a.b.c\'',
    'gatewayresponse.header.Content-Type': '\'application/json\''
  },
  statusCode: 411,
  responseTemplates: {
    'application/json': '{"custom": true, "message":$context.error.messageString}'
  }
});
Gojko Adzic
@gojko
@billhainaut if you need to set the CORS options for 403, that would be a good way of setting it. it won't deal with CORS on other generic methods, but it may be enough for your case
Bill Hainaut
@billhainaut
SOLVED!!!! That snippet of code solved my problem. Now, when the custom authorizer denies entry, I get EXACTLY the kind of message back that I'm looking for!
"User is not authorized to access this resource with an explicit deny" is the message I get back from the Authorizer......PERFECT!
james-s-turner
@james-s-turner
Hi - just wondering if there is any support for setting multivalueHeaders in ApiBuilder.ApiResponse? https://aws.amazon.com/blogs/compute/support-for-multi-value-parameters-in-amazon-api-gateway/
Gojko Adzic
@gojko
You can get the original API Request object from request.proxyRequest, and then read out the multivalue headers from multiValueQueryStringParameters
Or just set the request type to AWS_PROXY when initialising the API, then you don’t even need the .proxyRequest delegation, the request object will contain the raw API request directly
james-s-turner
@james-s-turner
@gojko many thanks
hackerunet
@hackerunet
hello it's been awhile
I have a question
is claudia supporting the --vpc-config parameter?
hackerunet
@hackerunet
how can I pass vpc configurations ?
Colin Dellow
@cldellow

Using Claudia API Builder, can we specify a default authorizer? ATM I'm using a custom authorizer (which works great!) but I need to specify it for each API, eg:

api.get('/foo', ..., { customAuthorizer: 'authFn' });
api.get('/bar', ..., { customAuthorizer: 'authFn' });

This is a bit error prone, I'd prefer if I could do something like:

const api = new ApiBuilder({customAuthorizer: 'authFn'});
api.get('/foo', ...);
api.get('/bar', ...);

But that doesn't seem possible. Still digging in to the source, though, hoping I just missed something!

Colin Dellow
@cldellow
Looking at https://github.com/claudiajs/claudia-api-builder/blob/8b529b05cb3dcaed2b7914279934c91a5457dc60/src/api-builder.js#L270-L285, I don't think it's possible, although it'd be relatively easy to monkey patch all the api.verb functions to insert a default value if no options are provided, so I think I'll go that route
Gojko Adzic
@gojko
@cldellow it’s not possible out of the box at the moment, but I’d probably monkey patch it
Colin Dellow
@cldellow
awesome, thanks for the confirmation! (and thanks for claudiajs!)
hackerunet
@hackerunet
anyone can help me find out how to pass the vpc specs to claudia to pick up subnets and vpc please?
I cannot see the information in the API documentation
sorry
--security-group-ids: (optional) A comma-delimited list of AWS VPC Security Group IDs, which the function will be able to access. Note: these security groups need to be part of the same VPC as the subnets provided with --subnet-ids.
For example: sg-1234abcd
the question, those params are available only when the lambda function is created?
Bill Hainaut
@billhainaut

I'm trying to implement api.intercept(gatekeeper.public.isAllowed);
and gatekeeper.public.isAllowed simply does a throw 'see if this gets to the client';
I get no responseJSON on the client.

How do I get the interceptor output to go to the client?
P.S. I also tried returning a rejected promise, to no avail

jcc42
@jcc42
I know CORS is not a method in which to secure an API, but that said, why does the resource still execute? If I'm restricting CORS origin and I call /helloworld, the CORS origin check happens but the helloworld resource continues regardless of the origin being allowed or not. I thought CORS origin was a pre-flight check
Slobodan Stojanović
@stojanovic
Are you accessing /helloworld from the browser?
jcc42
@jcc42
Yes and perhaps I'm seeing things because I'm now not seeing a response in the browser. Could have sworn the browser still got a response payload from /helloworld when it shouldn't have so never mind I guess :-)
Slobodan Stojanović
@stojanovic
Maybe it was a caching issue
Anyway, if it happens again, check the headers on both OPTIONS and GET method
Problem is probably there. Also, if you are not sending any of the custom headers, preflight is not required for simple GET calls
Bill Hainaut
@billhainaut
Can anybody help me with api.intercept???
Gojko Adzic
@gojko
@billhainaut to return an error response from an interceptor, and stop without executing the request, override the response by returning an ApiResponse object (with full CORS headers if needed)
interceptor executes before any other claudia processing, so cors headers etc would not be attached if you just throw an error
Bill Hainaut
@billhainaut
I worked around this by simply having the error modify the request to a new path when an error was found. The path was a GET that knew how to return the error text to the client.
something this simple:
var modifiedRequest = request;
if (isPersonAllowedToUseThisRoute(request) === false) {
  request.context.path = '/v5/errorhandler';
  request.queryString = { errorMessage: 'sumpin really bad' };
}
return modifiedRequest;
Do you have a node.js example of creating an ApiResponse object with an appropriate error in the response?