Cognito query string authorizer results in a CloudFormation template error.
Closed this issue · 3 comments
Checklist
- Upgrade Jets: Are you using the latest version of Jets? This allows Jets to fix issues fast. There's a `jets upgrade` command that makes this a simple task. There's also an Upgrading Guide: http://rubyonjets.com/docs/upgrading/
- Reproducibility: Are you reporting a bug others will be able to reproduce and not asking a question? If you're unsure or want to ask a question, do so on https://community.boltops.com
- Code sample: Have you put together a code sample to reproduce the issue and made it available? Code samples help speed up fixes dramatically. If it's an easily reproducible issue, then code samples are not needed. If you're unsure, please include a code sample.
My Environment
| Software | Version |
|---|---|
| Operating System | macOS 12.0.1 |
| Jets | 3.1.1 |
| Ruby | MRI 2.7.2p137 |
Expected Behaviour
Current Behavior
Using a Cognito query string authorizer with token request type results in a CloudFormation template error.
Step-by-step reproduction instructions
- Create an example Cognito authorizer as described in the docs: https://rubyonjets.com/docs/routing/authorizers/authorizer-cognito
- Change the example authorizer to use a query string `identity_source` and type `request`:

```ruby
class MainAuthorizer < ApplicationAuthorizer
  authorizer \
    name: "MyCognito",
    identity_source: "method.request.querystring.jwt",
    type: :request,
    provider_arns: [
      "arn:aws:cognito-idp:eu-west-2:123:userpool/eu-west-ABC"
    ]
end
```
- Create an example controller:

```sh
jets generate controller posts index
```

- Use the example Cognito query string authorizer:

```ruby
class PostsController < ApplicationController
  authorizer "main#my_cognito"

  def index
  end
end
```

- Deploy the Jets app:

```sh
jets deploy
```
Result: Error deploying stack.

```
Deploying CloudFormation stack with jets app!
ERROR: Template error: instance of Fn::GetAtt references undefined resource MainAuthorizer
The Jets application failed to deploy. Jets creates a few CloudFormation stacks to deploy your application.
The logs above show the CloudFormation parent stack events and points to the stack with the error.
Please go to the CloudFormation console and look for the specific stack with the error.
The specific child stack usually shows more detailed information and can be used to resolve the issue.
Example of checking the CloudFormation console: https://rubyonjets.com/docs/debugging/cloudformation/
```
Code Sample
See above.
Solution Suggestion
Do I need to add more configuration or is this a jets bug? 🤷
@tongueroo Is anyone working on this? If not, I can pick this up.
@sharmaansh21 Go for it!
Dug into this.
CloudFormation reports this error:

```
Resource handler returned message: "Invalid token source expression: method.request.querystring.jwt. The source must be a method request header, matching 'method.request.header.[a-zA-Z0-9._-]+' (Service: ApiGateway, Status Code: 400, Request ID: b717f299-1065-4bfd-835b-027c0dae9afb)" (RequestToken: 729be631-7794-10f3-2fb4-d646ee35f9a2, HandlerErrorCode: AlreadyExists)
```

It seems like we cannot use `method.request.querystring` for the identity source for Cognito Pools.

- AWS::ApiGateway::Authorizer CloudFormation Docs: The docs are not really precise about this, but that's the behavior.

Doesn't Work:

Tested with Cognito User Pool and `method.request.querystring` does not work.

`app/authorizers/main_authorizer.rb`

```ruby
class MainAuthorizer < ApplicationAuthorizer
  authorizer(
    name: "MyCognito", # <= name is used as the "function" name
    # identity_source: "Authorization", # maps to method.request.header.Authorization
    identity_source: "method.request.querystring.jwt", # DOESN'T WORK
    type: :cognito_user_pools,
    provider_arns: [
      "arn:aws:cognito-idp:us-west-2:112233445566:userpool/us-west-2_DbXaf8jP7",
    ],
  )
  # no lambda function on purpose
end
```
Works:

Tested with Lambda based authorizer and `method.request.querystring` does work.

`app/authorizers/main_authorizer.rb`

```ruby
class MainAuthorizer < ApplicationAuthorizer
  authorizer(
    name: "MyAuthorizer",
    identity_source: "method.request.querystring.jwt", # WORKS
    type: :request, # valid values: token, cognito_user_pools, request. Jets upcases internally.
  )

  def protect
    method_arn = event[:methodArn] # i.e. arn:aws:execute-api:us-west-2:112233445566:f0ivxw7nkl/dev/GET/posts
    build_policy(method_arn, "current_user")
  end
end
```
Believe this is a Cognito restriction. Closing this out.
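The restriction found above only surfaces as a failed CloudFormation deploy. Below is an added pre-deploy check, written for this thread and not part of Jets, that applies the header-only rule quoted in the CloudFormation error to `cognito_user_pools` (and, as an assumption, `token`) authorizers while letting `request` authorizers use header, querystring, `stageVariables` and `context` sources, comma-separated if several; the bare-name shorthand (`"Authorization"` meaning `method.request.header.Authorization`) is taken from the comment in the example above.

```ruby
# Added example (not Jets code): validate an authorizer's identity_source
# against the API Gateway rules this thread ran into, before deploying.
#
# Assumptions: COGNITO_USER_POOLS (and TOKEN) authorizers must use exactly one
# method request header, matching the regex from the CloudFormation error;
# REQUEST authorizers may list header, querystring, stageVariables or context
# sources, several joined by commas.
module AuthorizerCheck
  NAME = /[a-zA-Z0-9._-]+/
  HEADER_SOURCE  = /\Amethod\.request\.header\.#{NAME}\z/
  REQUEST_SOURCE = /\A(method\.request\.(header|querystring)\.#{NAME}|stageVariables\.#{NAME}|context\.#{NAME})\z/
  HEADER_ONLY_TYPES = %i[token cognito_user_pools].freeze
  KNOWN_TYPES = (HEADER_ONLY_TYPES + [:request]).freeze

  # Expand the Jets shorthand: a bare name means a method request header.
  def self.expand(source)
    source.include?(".") ? source : "method.request.header.#{source}"
  end

  # Returns [] when the config is deployable, otherwise a list of reasons.
  def self.errors(type:, identity_source:)
    type = type.to_s.downcase.to_sym
    sources = identity_source.to_s.split(",").map { |s| expand(s.strip) }
    errs = []
    errs << "unknown authorizer type #{type}" unless KNOWN_TYPES.include?(type)
    if HEADER_ONLY_TYPES.include?(type)
      errs << "#{type} authorizers accept exactly one identity source" if sources.size != 1
      sources.reject { |s| s.match?(HEADER_SOURCE) }.each do |s|
        errs << "invalid token source expression: #{s}. The source must be a method request header"
      end
    elsif type == :request
      sources.reject { |s| s.match?(REQUEST_SOURCE) }.each do |s|
        errs << "invalid request source expression: #{s}"
      end
    end
    errs
  end

  def self.valid?(**cfg)
    errors(**cfg).empty?
  end
end
```

Running `AuthorizerCheck.errors(type: :cognito_user_pools, identity_source: "method.request.querystring.jwt")` reproduces the API Gateway message locally, while the `:request` variant from the working example passes.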