rubyonjets/jets

Cognito query string authorizer results in a CloudFormation template error.

Closed this issue · 3 comments

kmcd commented

Checklist

  • Upgrade Jets: Are you using the latest version of Jets? This allows Jets to fix issues fast. There's a jets upgrade command that makes this a simple task. There's also an Upgrading Guide: http://rubyonjets.com/docs/upgrading/
  • Reproducibility: Are you reporting a bug others will be able to reproduce and not asking a question. If you're unsure or want to ask a question, do so on https://community.boltops.com
  • Code sample: Have you put together a code sample to reproduce the issue and make it available? Code samples help speed up fixes dramatically. If it's an easily reproducible issue, then code samples are not needed. If you're unsure, please include a code sample.

My Environment

Software          Version
Operating System  MacOs 12.0.1
Jets              3.1.1
Ruby              MRI 2.7.2p137

Expected Behaviour

Current Behavior

Using a Cognito query string authorizer with token request type results in a CloudFormation template error.

Step-by-step reproduction instructions

  1. Create an example Cognito authorizer as described in the docs: https://rubyonjets.com/docs/routing/authorizers/authorizer-cognito
  2. Change the example authorizer to use a query string identity_source and type request:

     class MainAuthorizer < ApplicationAuthorizer
       authorizer \
         name: "MyCognito",
         identity_source: "method.request.querystring.jwt",
         type: :request,
         provider_arns: [
           "arn:aws:cognito-idp:eu-west-2:123:userpool/eu-west-ABC"
         ]
     end

  3. Create an example controller: jets generate controller posts index
  4. Use the example Cognito query string authorizer in the controller:

     class PostsController < ApplicationController
       authorizer "main#my_cognito"

       def index
       end
     end

  5. Deploy the Jets app: jets deploy

Result: Error deploying stack.

   Deploying CloudFormation stack with jets app!
ERROR: Template error: instance of Fn::GetAtt references undefined resource MainAuthorizer
The Jets application failed to deploy. Jets creates a few CloudFormation stacks to deploy your application.
The logs above show the CloudFormation parent stack events and points to the stack with the error.
Please go to the CloudFormation console and look for the specific stack with the error.
The specific child stack usually shows more detailed information and can be used to resolve the issue.
Example of checking the CloudFormation console: https://rubyonjets.com/docs/debugging/cloudformation/

Code Sample

See above.

Solution Suggestion

Do I need to add more configuration or is this a jets bug? 🤷

@tongueroo Is anyone working on this? If not, I can pick this up.

@sharmaansh21 Go for it!

Dug into this.

CloudFormation reports this error:

Resource handler returned message: "Invalid token source expression: method.request.querystring.jwt. The source must be a method request header, matching 'method.request.header.[a-zA-Z0-9._-]+' (Service: ApiGateway, Status Code: 400, Request ID: b717f299-1065-4bfd-835b-027c0dae9afb)" (RequestToken: 729be631-7794-10f3-2fb4-d646ee35f9a2, HandlerErrorCode: AlreadyExists)


It seems like we cannot use method.request.querystring for the identity source for Cognito Pools.

Doesn't Work:

Tested with Cognito User Pool and method.request.querystring does not work.

app/authorizers/main_authorizer.rb

class MainAuthorizer < ApplicationAuthorizer
  authorizer(
    name: "MyCognito", # <= name is used as the "function" name
    # identity_source: "Authorization", # maps to method.request.header.Authorization
    identity_source: "method.request.querystring.jwt", # DOESNT WORK
    type: :cognito_user_pools,
    provider_arns: [
      "arn:aws:cognito-idp:us-west-2:112233445566:userpool/us-west-2_DbXaf8jP7",
    ],
  )
  # no lambda function on purpose
end

Works:

Tested with Lambda based authorizer and method.request.querystring does work.

app/authorizers/main_authorizer.rb

class MainAuthorizer < ApplicationAuthorizer
  authorizer(
    name: "MyAuthorizer",
    identity_source: "method.request.querystring.jwt", # WORKS
    type: :request, # valid values: token, cognito_user_pools, request. Jets upcases internally.
  )
  def protect
    method_arn = event[:methodArn] # IE: arn:aws:execute-api:us-west-2:112233445566:f0ivxw7nkl/dev/GET/posts
    build_policy(method_arn, "current_user")
  end
end

Believe this is a Cognito restriction. Closing this out.
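The comment above finds that a Lambda-backed REQUEST authorizer accepts method.request.querystring.jwt where the COGNITO_USER_POOLS type does not. As an added example (not code from this issue or from the Jets project), here is a plain Ruby REQUEST authorizer handler that does what the protect method in the working snippet would do: read jwt from the API Gateway event's queryStringParameters, check its signature and expiry, and return the IAM policy document API Gateway expects from a Lambda authorizer. To run offline it signs and verifies a constructed HS256 token with a hypothetical secret (HMAC_SECRET); tokens issued by a real Cognito user pool are RS256 and would be verified against the pool's JWKS instead. The build_policy here is a local stand-in rather than Jets's helper, and the sample event, claims and method ARN are constructed test input.

```ruby
require "base64"
require "json"
require "openssl"

# Hypothetical HS256 secret so the example runs offline. Cognito user pools sign
# tokens with RS256; verify those against the pool's JWKS, not a shared secret.
HMAC_SECRET = "example-only-secret".freeze

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # raises ArgumentError on malformed input
end

# Constant-time comparison so a forged signature leaks nothing via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mints a test token. Constructed input for the example; an authorizer never issues tokens.
def issue_token(claims, secret: HMAC_SECRET, alg: "HS256")
  header = b64url_encode(JSON.generate({ "alg" => alg, "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end

# Returns the claims hash when signature and expiry check out, otherwise nil.
def verify_token(token, secret: HMAC_SECRET, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return nil unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm: alg=none or any other alg in the header must not be honoured.
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue ArgumentError, JSON::JSONError
  nil
end

# The document API Gateway expects back from a Lambda authorizer (local stand-in, not Jets's helper).
def build_policy(method_arn, principal_id, effect, context = {})
  {
    "principalId" => principal_id,
    "policyDocument" => {
      "Version" => "2012-10-17",
      "Statement" => [
        { "Action" => "execute-api:Invoke", "Effect" => effect, "Resource" => method_arn },
      ],
    },
    "context" => context,
  }
end

# REQUEST authorizer entry point: the identity comes from the query string, which
# API Gateway accepts for REQUEST authorizers but rejects for COGNITO_USER_POOLS.
def authorize(event, now: Time.now.to_i)
  method_arn = event["methodArn"]
  jwt = (event["queryStringParameters"] || {})["jwt"]
  claims = jwt && verify_token(jwt, now: now)
  return build_policy(method_arn, "anonymous", "Deny") unless claims
  build_policy(method_arn, claims["sub"], "Allow", { "username" => claims["username"].to_s })
end

# Constructed API Gateway REQUEST authorizer event (shape only; ARN matches the thread).
def sample_event(jwt)
  {
    "type" => "REQUEST",
    "methodArn" => "arn:aws:execute-api:us-west-2:112233445566:f0ivxw7nkl/dev/GET/posts",
    "queryStringParameters" => jwt ? { "jwt" => jwt } : nil,
    "headers" => {},
  }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  token = issue_token({ "sub" => "u-123", "username" => "alice", "exp" => now + 300 })
  puts JSON.pretty_generate(authorize(sample_event(token), now: now))
  puts JSON.pretty_generate(authorize(sample_event(nil), now: now))
end
```

Inside a Jets authorizer the same checks would sit in protect, with event[:queryStringParameters] as the input and the policy handed back through Jets's own build_policy as in the working snippet above; the point of the handler is that a REQUEST authorizer owns token extraction, so the token can come from wherever the identity_source points, while a COGNITO_USER_POOLS authorizer only ever reads a header.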