import type {
APIGatewayAuthorizerResult,
APIGatewayTokenAuthorizerEvent,
PolicyDocument,
StatementEffect,
} from "aws-lambda";
import type { APIGatewayTokenAuthorizerHandler } from "aws-lambda/trigger/api-gateway-authorizer";
import { config } from "dotenv";
import { createRemoteJWKSet, jwtVerify } from "jose";
// Load .env into process.env before the authorizer settings below are read.
config();

// Authorizer settings read once at cold start; each may be undefined, which
// `handler` rejects at invocation time.
const { JWKS_URI, AUDIENCE, ISSUER } = process.env;
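// The remote JWKS is created lazily and then reused across warm invocations.
// jose caches the fetched keys inside the set, so rebuilding it on every
// request (as a per-call createRemoteJWKSet would) refetches the JWKS
// endpoint for each authorization.
let cachedJwks: ReturnType<typeof createRemoteJWKSet> | undefined;

/**
 * Returns the shared remote JWKS for `jwksUri`, creating it on first use.
 *
 * @param jwksUri - Absolute URL of the JWKS endpoint.
 * @returns The jose key-resolver function for `jwtVerify`.
 * @throws TypeError when `jwksUri` is not a valid URL.
 */
const getJwks = (jwksUri: string): ReturnType<typeof createRemoteJWKSet> => {
  if (!cachedJwks) {
    cachedJwks = createRemoteJWKSet(new URL(jwksUri));
  }
  return cachedJwks;
};

/**
 * API Gateway token authorizer: validates a `Bearer <jwt>` token against the
 * configured JWKS, audience and issuer and returns an Allow policy scoped to
 * the requested method ARN.
 *
 * @param event - Token authorizer event carrying `authorizationToken` and `methodArn`.
 * @returns A policy allowing `execute-api:Invoke` on `methodArn`; `principalId`
 *   is the token's `sub` claim, or "unknown" when the claim is absent.
 * @throws Error "Misconfigured environment variables" when JWKS_URI, AUDIENCE
 *   or ISSUER is unset or empty.
 * @throws Error "Invalid token format - does not match <Bearer authToken>" when
 *   the header is not exactly two space-separated parts starting with `Bearer`.
 * @throws Error "Unauthorized" when signature, audience, issuer or time-based
 *   claims fail verification. API Gateway maps this exact message to a 401;
 *   any other thrown error surfaces as a 500, so the message must not change.
 */
export const handler: APIGatewayTokenAuthorizerHandler = async (
  event: APIGatewayTokenAuthorizerEvent,
): Promise<APIGatewayAuthorizerResult> => {
  const { authorizationToken, methodArn } = event;
  if (!(JWKS_URI && AUDIENCE && ISSUER)) {
    throw new Error("Misconfigured environment variables");
  }
  // Resolved before the token is parsed so an invalid JWKS_URI still fails
  // loudly as a configuration error rather than as "Unauthorized".
  const jwks = getJwks(JWKS_URI);
  // Expecting the authorization token to be in the form <Bearer authToken>
  const stringTokens = authorizationToken.split(" ");
  if (stringTokens.length !== 2 || stringTokens[0] !== "Bearer") {
    throw new Error("Invalid token format - does not match <Bearer authToken>");
  }
  const jwt = stringTokens[1];
  try {
    // Verify the access token. The already-validated constants are passed
    // rather than re-reading process.env so the guard above and the
    // verification options cannot drift apart.
    const { payload } = await jwtVerify(jwt, jwks, {
      audience: AUDIENCE,
      issuer: ISSUER,
    });
    return {
      principalId: payload.sub ?? "unknown",
      policyDocument: generatePolicyDocument(methodArn, "Allow"),
    };
  } catch (e: unknown) {
    // The reason stays out of the client-facing error, but is logged so
    // failed verifications (expired, wrong audience, bad signature) are
    // visible in the function's logs.
    console.error("JWT verification failed:", e instanceof Error ? e.message : e);
    throw new Error("Unauthorized");
  }
};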
/**
 * Builds the IAM policy returned to API Gateway for a single method ARN.
 *
 * @param resource - The `methodArn` from the authorizer event.
 * @param effect - "Allow" or "Deny" for `execute-api:Invoke` on that resource.
 * @returns A policy document with exactly one statement, in the 2012-10-17 format.
 */
const generatePolicyDocument = (resource: string, effect: StatementEffect): PolicyDocument => {
  const statement = {
    Action: "execute-api:Invoke",
    Effect: effect,
    Resource: resource,
  };
  return { Version: "2012-10-17", Statement: [statement] };
};