I am currently working on a simple api to receive Github event payloads, and I want to validate that they are coming from the correct source. With this I am working to use the hmac signature in the requests header (generated by github using a secret provided by me). To validate the signature, the ApiGateway authorizer requires the signature (X-Hub-Signature), the secret used to generate the signature, and the body of the message. As far as I can tell, Api Gateway does not allow you to pass the body to an ApiGateway Authorizer. Does anyone know a way around this that does not require additional proxy lambdas and s3?
*Note: The requester is the Github Webhook service (not able to add body to header)
Basic ApiGateway Auth Docs:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Here is how you do it.
Pass your content to Authorization header of your incoming request, It will get delivered to your custom Authorizer.
Grab the contents of the from the below attribute,
event.authorizationToken
where event is one of the parameters (1st) passed to lambda,
I currently encrypt and add all the info to that header and gets delivered to the Custom Authorizer lambda.
You can also access additional parameters as below in your custom Authorizer lambda:
var headers = event.headers;
var queryStringParameters = event.queryStringParameters;
var pathParameters = event.pathParameters;
var stageVariables = event.stageVariables;
var requestContext = event.requestContext;
Hope it helps.
Related
I am using a fairly standard pattern of a Webhook with the called endpoint provided by AWS API Gateway and a backend Lambda.
Webex Teams webhooks allow you to provide a secret which is used to sign the outgoing payload with the resulting hash sent in the 'X-Spark-Signature' header.
I create a webhook and receive the event payload in my Lambda but the hashes do not match. Below is my example code:
def validate(key, raw):
hashed = hmac.new(key, raw, hashlib.sha1)
print(hashed.hexdigest())
return hashed.hexdigest()
key = bytes('somecazYs3Cret', 'UTF-8')
raw = bytes(event['body'], 'UTF-8')
signature = event['headers']['X-Spark-Signature']
if validate(key, raw) == signature:
print('AUTHORIZED')
else:
print('REJECTED')
In API Gateway I am using a Mapping Template as described here to pass the request headers through to my Lambda: https://aws.amazon.com/premiumsupport/knowledge-center/custom-headers-api-gateway-lambda/
When the request payload arrives, all fields including the body are already loaded as a python type dict. so I am trying to serialise the body back to a string to check the hash.
Any help?
This turned out to be the way API Gateway was passing the request payload through to Lambda. Instead of the "Mapping Template" I had to enable the "Use Lambda Proxy integration" feature which passes the original body JSON through as a string.
After enabling this and removing the json.dumps() parts of my code, the hashes validate ok.
I'm planning to add some authorisation logic to my web app. Users are managed & authenticated by Cognito, and the API is powered by Lambda functions glued together with API Gateway.
Currently, Cognito just validates the user's OAuth token and allows/denies the request.
I'd like to further restrict what actions the user can take within my lambda functions by looking at the user's groups.
Looking at the OAuth token, claims about the groups are in the token body. My question is, does the Cognito Authorizer pass the value of the Authorization: Bearer foo header through to API Gateway and the Lambda handler?
The way I can do something like this:
const groups = getGroupsFromToken(event.headers.Authorization);
if (groups.includes('some group')) {
// let user do the thing
}
else {
callback({ statusCode: 401, body: 'You can\'t do the thing' });
}
It definitely sends through the token on a header for me, also it sends through requestContext.authorizer.jwt.claims which may be more useful to you.
The older api gateways I have always uppercase the header to "Authorization", irrespective of what case the actual header uses. The newer ones always lowercase it to "authorization".
I'd suggest trying:
const groups = getGroupsFromToken(event.headers.Authorization || event.headers.authorization);
I am using lambda proxy integration (what the new APIGW UI is calling lambda integration 2.0), from your callback it looks like you are using it too. If you are using the old lambda integration (1.0 in the new UI) then you need a mapping template.
I've implemented a Lambda Function to the authorization and i'm getting errors in my test: the headers are empty. I could check that printing the headers in the console (Cloudwatch).
This is the beginning of my handler:
public class Authorizer implements RequestHandler<APIGatewayProxyRequestEvent, AuthorizerResponse> {
public AuthorizerResponse handleRequest(APIGatewayProxyRequestEvent request, Context context) {
Map<String, String> headers = request.getHeaders();
System.out.println("headers: " + headers);
String authorization = headers.get("Authorization");
...
And this is the result:
Talking about the Authorizer, I set up this way:
And finally, I have my Api Gateway set up this way:
Method Request
Integration Request
What do I have wrong?
Thanks in advance.
Let me answer your question here.
You are using a TOKEN type Lambda authorizer. This will pass the "Authorization" header value as a token. You can see the below sample Lambda event data -
{
type: 'TOKEN',
methodArn:'arn:aws:execute-api:$AWS_REGION:$ACCOUNT_ID:$API_ID/$STAGE/$RESOURCE/',
authorizationToken: 'allow'
}
You might have to modify your code accordingly to retrieve this token.
Alternatively, you can use a REQUEST-based Lambda authorizer function. This will send input to Lambda authorizer as a combination of headers, query string parameters, stageVariables, and $context variables. You can then use your existing code to retrieve the headers from the request.
As for setting a mapping template and "Authorization" header in Method Request and Integration Request, you don't need that unless you are planning to pass it to the integration Lambda function as well.
Is there a way to validate request in API Gateway based on its body? I need to calculate SHA1 hash of the body to validate the sender - Facebook messenger events... Is there a workaround for it?
ApiGateway does not support passing complete body to custom authorizer.
One option is to have two level of authentication - first just based on header/query parameter ( which api gateway support ) and enough to detect spoof senders. Second can be SHA1 hash based on complete body which you can implement in your backend
Pretty self explanatory title. I'm using API Gateway in AWS, requiring an API key to access a backend written in Django (not using lambda). I need to know how to access the API key used in the request to keep track of who did what at the app level.
You can use mapping templates and get the API Key from the $context variable, it’s the apiKey property inside the identity object: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
Create a mapping template for your requests and include the property in it. For example, if you wanted to include the entire request body + the API Key you would do this:
{
"body": $input.json('$'),
"apiKey": "$context.identity.apiKey"
}
Depending on how your backend application is built, you could send the API key to your application in a HTTP parameter (path, query string, or header) or in the request body. Please have a read through the docs on how to move data between the two systems.
Thanks,
Ryan
Here is how I finally made it work. At the top or bottom of the template, include this line.
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
When your backend receives this request, the api key will be in the header x-api-key.
Here is a basic mapping template that just forwards the (json) body and the header.
$input.json("$")
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
API Gateway uses the X-API-Key header, so I like for my backend to also use that. That way I can use the same testing commands with only the URL being different.