예제 #1
0
        public AuthPolicy Authorize(TokenAuthorizerContext input, ILambdaContext context)
        {
            AuthPolicy        authPolicy;
            AuthPolicyBuilder policyBuilder;

            try
            {
                context.Logger.LogLine($"{nameof(input.AuthorizationToken)}: {input.AuthorizationToken}");
                context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

                var principalId = "";
                var tokenArr    = input.AuthorizationToken?.Split(" ");
                var brearer     = tokenArr.FirstOrDefault().ToLower();
                var token       = tokenArr.LastOrDefault();

                if (brearer == "bearer" && !string.IsNullOrEmpty(token))
                {
                    principalId = JwtHandler.GetClaim(token);
                }

                if (!string.IsNullOrEmpty(principalId))
                {
                    policyBuilder = new AuthPolicyBuilder(principalId, null);
                    policyBuilder.AllowResources();
                }
                else
                {
                    policyBuilder = new AuthPolicyBuilder(principalId, null);
                    policyBuilder.DenyResources();
                }
                authPolicy = policyBuilder.Build();

                // additional context key-value pairs. "principalId" is implicitly passed in as a key-value pair
                // context values are  available by APIGW in : context.Authorizer.<key>
                //authPolicy.Context.Add("userName", "my-user-name");
                return(authPolicy);
            }
            catch (Exception ex)
            {
                context.Logger.LogLine(ex.ToString());
                if (ex is UnauthorizedException)
                {
                    policyBuilder = new AuthPolicyBuilder("", null);
                    policyBuilder.DenyResources();
                    authPolicy = policyBuilder.Build();
                    authPolicy.Context.Add("message", ex.Message);
                    return(authPolicy);

                    throw;
                }
                throw new UnauthorizedException();
            }
        }
예제 #2
0
        public AuthPolicy Authorizer(TokenAuthorizerContext input, ILambdaContext context)
        {
            try
            {
                // eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJnYXRld2F5SWQiOiJhMWZiNGRjOC0zY2Y2LTRlZTYtYmU1Zi03ZGI1ZjA3MDkxZDQiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.-WH60ifv_FTHbEkoU2TQgkHDpT9zgmQ1HzQDgqngGjA
                context.Logger.LogLine($"{nameof(input.AuthorizationToken)}: {input.AuthorizationToken}");
                // context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

                // validate the incoming token
                // and produce the principal user identifier associated with the token
                string jwtSecret = "SECRET";
                string decodedJWT;
                try
                {
                    byte[] secretKey = Encoding.ASCII.GetBytes(jwtSecret);
                    decodedJWT = Jose.JWT.Decode(input.AuthorizationToken, secretKey);
                }
                catch (Exception ex)
                {
                    context.Logger.LogLine(ex.ToString());
                    throw new Exception("Bad token bro");
                }

                var pineappleJWT = System.Text.Json.JsonSerializer.Deserialize <PineappleJWTToken>(decodedJWT);

                // build apiOptions for the AuthPolicy
                var methodArn  = ApiGatewayArn.Parse(input.MethodArn);
                var apiOptions = new ApiOptions(methodArn.Region, methodArn.RestApiId, methodArn.Stage);

                // this function must generate a policy that is associated with the recognized principal user identifier.
                // depending on your use case, you might store policies in a DB, or generate them on the fly

                // keep in mind, the policy is cached for 5 minutes by default (TTL is configurable in the authorizer)
                // and will apply to subsequent calls to any method/resource in the RestApi
                // made with the same token

                // the example policy below denies access to all resources in the RestApi
                var policyBuilder = new AuthPolicyBuilder(pineappleJWT.gatewayId, methodArn.AwsAccountId, apiOptions);
                // policyBuilder.DenyAllMethods();
                policyBuilder.AllowAllMethods();
                // policyBuilder.AllowMethod(HttpVerb.GET, "/users/username");

                // finally, build the policy
                var authResponse = policyBuilder.Build();

                // new! -- add additional key-value pairs
                // these are made available by APIGW like so: $context.authorizer.<key>
                // additional context is cached
                authResponse.Context.Add("key", "value"); // $context.authorizer.key -> value
                authResponse.Context.Add("number", 1);
                authResponse.Context.Add("bool", true);

                return(authResponse);
            }
            catch (Exception ex)
            {
                if (ex is UnauthorizedException)
                {
                    throw;
                }

                // log the exception and return a 401
                context.Logger.LogLine(ex.ToString());
                throw new UnauthorizedException();
            }
        }