I'm attempting to port an existing API to AWS API Gateway.
I've got everything working, in that using the 'test' GUI for each of my endpoints successfully hits my configured EC2 instances.
I used the swagger import facility to automatically map all possible endpoints and their associated URL parameters.
What I've noticed is that when the request hits my API (EC2 instance) the URL has been transformed slightly. The URL parameter order has changed.
Regardless of the parameter order that I paste into the test GUI, the order of the parameters when they hit my API has been changed to the order that they are specified within the 'Method Request' GUI screen.
Does anyone know how to prevent this from happening?
There is no way to achieve this using a lambda 'custom authoriser'
I was trying to use a Lambda function as a custom authoriser which then proxies through to our HTTP API. The only data available to the custom authoriser is the 'Token' in the header (can be named anything you want - setup via API Gateway GUI). You can of course populate this with whatever values you want and one suggestion was to put the param order in this header and then perform some logic at this lambda level, however that meant modifying our API callers which wasn't desirable.
You do have access to the 'transformed' URL (e.g. 'https://df64sxl1.execute-api.us-east-2.amazonaws.com/prod/myEndpoint) but this isn't very useful.
If you are able to utilise lambda integration (instead of custom authorisation) you might be able to achieve what you by using payload-template mappings as these provide a way of accessing the raw request.
Related
I want to create a microservice for "orders". The service will have typical actions like "get orders" or "create an order".
I would like to expose this service in two ways:
User frontend: If you call /orders, you will see your orders
Support frontend: if you call /orders, you will see all the orders of all the users
I would like to deploy one API (orders) that can be called from 2 API gateways (user and support). But, I don't know how to do it without duplicating code.
Is this the right approach?
I'm using AWS Apigateway + Lambda + Serverless.
In some way you're being able to differentiate the user that is making the request inside your lambda function, because you need to get only its orders. Based on that I'm considering that you're receiving some kind of token in your lambda where you can extract the correct user.
Considering that scenario, one standard solution to your problem is add something to your token that differentiate if the user is from the support group or not. Normally you add a claim to the token informing that he/she is part of the support group. Then inside your lambda you check this token and give a different answer based on your requirements. But for that solution, you'll need to have means to add new claims/manage your identity provider data (user information inside your service that provides user tokens).
But with that solution you will find a small problem: if a support user must get all the orders and in another moment only its orders you won't find an easy way to implement this. If your requirements demand that you provide both use cases for support users you will need another solution.
In that case another solution would be to provide two different endpoints (API Gateway API's) touching the same backend lambda. In the normal endpoint you forward the request to the backend and the lambda gets all the orders for the user. In the support endpoint you add something else to the request (can be a query parameter or a http header).
For a more secure solution, your support endpoint must not allow requests from people outside the support group. And if you go for a query parameter alternative, you must block this exact query param in the normal endpoint. Someone can abuse the normal api sending the query param for it and get all the orders if you just forward the query params downstream.
You will do all this different configuration in the integration request of AWS API Gateway. You can find how it works here.
I have a working AWS API Gateway GET method. I want to secure it using an API key, so I've created an API key and usage plan, etc.
So previously when I wanted to call the GET method, I would just type a URL with the appropriate parameters into the browser and send it. However, now that we've introduced the API key into the mix, I'm not sure how to call it.
I'm aware of the command line GET and curl tools. Which of these 3 tools (browser, GET, CURL) can accomplish this task and what syntax do I need to use to make the request to the GET method passing the API key?
Mark B is right, I'm just copying because it's the right answer.
You must pass an HTTP header named x-api-key with the API Key as the value. One tool is cURL, another is Postman.
Can I add multiple endpoints to 1 API in WSO2 Api Manager?
As far as I know I have to create a context and a version. The background is that I just want to make a request like https://api.manager.com/rest/1.0/userList or https://api.manager.com/rest/1.0/tasks.
The userList REST-Controller is implemented on backend A and tasks REST-Controller is implemented in backend B. (A and B are separate web applications)
As far as I know I have to create in my API Manager two APIs with different context values.
The API Manager application would simply subscribe both APIs.
But this would mean that I have to change my requests on the javascript side. This is in my opinion not good because I dont want my javascript application to care about the context. I want that the API Manager delegates to the correct backend automatically. Is this possible? What is best practise?
You can have multiple endpoints per API using Dynamic Endpoint Feature. When creating the API you need to set the Endpoint Type as "Dynamic Endpoint" and upload a mediation in-sequence that sets the "To" header. Within the sequence you can specify your logic to route to the correct endpoint (setting the correct "To" header) according to the request path. Please read [1] for more information.
[1] http://blog.lakmali.com/2016/08/dynamic-endpoints-in-wso2-api-manager.html
Pretty self explanatory title. I'm using API Gateway in AWS, requiring an API key to access a backend written in Django (not using lambda). I need to know how to access the API key used in the request to keep track of who did what at the app level.
You can use mapping templates and get the API Key from the $context variable, it’s the apiKey property inside the identity object: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
Create a mapping template for your requests and include the property in it. For example, if you wanted to include the entire request body + the API Key you would do this:
{
"body": $input.json('$'),
"apiKey": "$context.identity.apiKey"
}
Depending on how your backend application is built, you could send the API key to your application in a HTTP parameter (path, query string, or header) or in the request body. Please have a read through the docs on how to move data between the two systems.
Thanks,
Ryan
Here is how I finally made it work. At the top or bottom of the template, include this line.
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
When your backend receives this request, the api key will be in the header x-api-key.
Here is a basic mapping template that just forwards the (json) body and the header.
$input.json("$")
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
API Gateway uses the X-API-Key header, so I like for my backend to also use that. That way I can use the same testing commands with only the URL being different.
I have a public facing API that returns some data, internally using the Google Maps API Service. This API is mostly for interal purposes right now, invoked through the webapplication.
However, I wish to restrict the usage of this API i.e. it should only be invoked from my Web Application ( or mobile app) when a user (non-registered) browses it. An http request directly to this API should not be authorized.
I cannot use API keys since the webapp flow should work for non-registered users as well.
If you're not using HTTPS, any security mechanism is flawed, because it can be replicated. IMHO, you could add a HTTP header (e.g. "Request-source: YourApp") and check for its existance in your API.
Of course, once it's documented somehow, anyone can mimic this header. But if you use HTTPS and create a header that's unknown for other people, you prevent this from happening.