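/// <summary>
/// API Gateway token-authorizer entry point. Pulls the bearer token out of
/// <paramref name="input"/>, resolves the principal with <c>JwtHandler.GetClaim</c>,
/// and returns a policy built with <c>AllowResources</c> for a known principal or
/// <c>DenyResources</c> otherwise.
/// </summary>
/// <param name="input">Authorizer event; only <c>AuthorizationToken</c> and <c>MethodArn</c> are read.</param>
/// <param name="context">Lambda context, used for logging.</param>
/// <returns>The policy handed back to API Gateway.</returns>
/// <exception cref="UnauthorizedException">
/// Any unexpected failure is logged and converted to this so the caller gets a 401 instead of a 500.
/// A <see cref="UnauthorizedException"/> raised while resolving the claim is not rethrown; it
/// becomes an explicit Deny policy carrying the message in the authorizer context.
/// </exception>
public AuthPolicy Authorize(TokenAuthorizerContext input, ILambdaContext context)
{
    // Splits an "Authorization" header value into scheme and credential and returns the
    // credential only when the scheme is "Bearer" (case-insensitive) and exactly one
    // credential follows it; anything else yields null.
    static string? ExtractBearerToken(string? header)
    {
        if (string.IsNullOrWhiteSpace(header))
        {
            return null;
        }

        var parts = header.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2)
        {
            return null;
        }

        return parts[0].Equals("bearer", StringComparison.OrdinalIgnoreCase) ? parts[1] : null;
    }

    try
    {
        // Log the method ARN only. The raw Authorization header is a bearer credential;
        // writing it to CloudWatch would leak it to anyone with log access.
        context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

        var principalId = "";
        var token = ExtractBearerToken(input.AuthorizationToken);
        if (token is not null)
        {
            principalId = JwtHandler.GetClaim(token);
        }

        // Fail closed: no token, a malformed header, or a token that yields no claim all
        // end up with an empty principal and an explicit Deny.
        var policyBuilder = new AuthPolicyBuilder(principalId, null);
        if (string.IsNullOrEmpty(principalId))
        {
            policyBuilder.DenyResources();
        }
        else
        {
            policyBuilder.AllowResources();
        }

        // Additional context key-value pairs. "principalId" is implicitly passed in as a key-value pair;
        // context values are available to API Gateway as context.Authorizer.<key>.
        //authPolicy.Context.Add("userName", "my-user-name");
        return policyBuilder.Build();
    }
    catch (UnauthorizedException ex)
    {
        // Known rejection: answer with an explicit Deny and surface the reason via the
        // authorizer context rather than letting the exception escape.
        context.Logger.LogLine(ex.ToString());
        var denyBuilder = new AuthPolicyBuilder("", null);
        denyBuilder.DenyResources();
        var denied = denyBuilder.Build();
        denied.Context.Add("message", ex.Message);
        return denied;
    }
    catch (Exception ex)
    {
        // Anything else is unexpected; log it and still refuse access.
        context.Logger.LogLine(ex.ToString());
        throw new UnauthorizedException();
    }
}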
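/// <summary>
/// API Gateway token-authorizer entry point. Verifies the JWT carried in
/// <paramref name="input"/> against an HMAC secret read from the environment, takes the
/// <c>gatewayId</c> claim as the principal, and returns an <c>AllowAllMethods</c> policy
/// scoped to the REST API named by <c>MethodArn</c>.
/// </summary>
/// <param name="input">Authorizer event; <c>AuthorizationToken</c> is decoded as the JWT and <c>MethodArn</c> is parsed for the API scope.</param>
/// <param name="context">Lambda context, used for logging.</param>
/// <returns>The policy handed back to API Gateway, with a few demo context values attached.</returns>
/// <exception cref="UnauthorizedException">
/// Thrown when the token fails to decode, carries no <c>gatewayId</c>, or any other failure occurs
/// (those are logged first), so the caller receives a 401.
/// </exception>
public AuthPolicy Authorizer(TokenAuthorizerContext input, ILambdaContext context)
{
    // Name of the environment variable holding the JWT signing secret. "JWT_SECRET" is a
    // placeholder chosen here; align it with whatever the deployment actually configures.
    const string jwtSecretVariable = "JWT_SECRET";

    try
    {
        // Log the method ARN only; the bearer token is a credential and must stay out of the logs.
        context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

        // Validate the incoming token and produce the principal user identifier associated
        // with it. The secret is no longer compiled into the function: a missing value is a
        // deployment error and fails closed (the outer catch turns it into a 401).
        string? jwtSecret = Environment.GetEnvironmentVariable(jwtSecretVariable);
        if (string.IsNullOrEmpty(jwtSecret))
        {
            throw new InvalidOperationException($"Environment variable {jwtSecretVariable} is not set.");
        }

        string decodedJWT;
        try
        {
            byte[] secretKey = Encoding.ASCII.GetBytes(jwtSecret);
            // NOTE(review): this Decode overload appears to verify with whichever algorithm the
            // token header declares and does not check expiry; prefer the overload that pins the
            // expected JwsAlgorithm and validate `exp` on the decoded claims — confirm against the
            // jose-jwt version in use.
            decodedJWT = Jose.JWT.Decode(input.AuthorizationToken, secretKey);
        }
        catch (Exception ex)
        {
            // Signature/format failure: log the detail here, hand the caller a plain 401.
            context.Logger.LogLine(ex.ToString());
            throw new UnauthorizedException();
        }

        var pineappleJWT = System.Text.Json.JsonSerializer.Deserialize<PineappleJWTToken>(decodedJWT);
        var principalId = pineappleJWT?.gatewayId;
        if (string.IsNullOrEmpty(principalId))
        {
            // A token that verifies but carries no principal claim cannot be authorized.
            throw new UnauthorizedException();
        }

        // Build apiOptions for the AuthPolicy from the ARN of the method being invoked.
        var methodArn = ApiGatewayArn.Parse(input.MethodArn);
        var apiOptions = new ApiOptions(methodArn.Region, methodArn.RestApiId, methodArn.Stage);

        // The policy must be associated with the recognized principal. Depending on the use case
        // it could be stored in a DB or generated on the fly. Keep in mind that API Gateway caches
        // it (5 minutes by default; the TTL is configurable on the authorizer) and applies it to
        // subsequent calls to any method/resource in the RestApi made with the same token.
        var policyBuilder = new AuthPolicyBuilder(principalId, methodArn.AwsAccountId, apiOptions);
        // policyBuilder.DenyAllMethods();
        policyBuilder.AllowAllMethods();
        // policyBuilder.AllowMethod(HttpVerb.GET, "/users/username");

        var authResponse = policyBuilder.Build();

        // Additional key-value pairs; API Gateway exposes them as $context.authorizer.<key>.
        // They are cached together with the policy.
        authResponse.Context.Add("key", "value");
        authResponse.Context.Add("number", 1);
        authResponse.Context.Add("bool", true);
        return authResponse;
    }
    catch (Exception ex) when (ex is not UnauthorizedException)
    {
        // UnauthorizedException propagates untouched (the filter excludes it); everything
        // else is logged and converted so the caller still gets a 401.
        context.Logger.LogLine(ex.ToString());
        throw new UnauthorizedException();
    }
}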