use Authorization header in AllowMe example

trigaut · trigaut · commit cd3ce257fdda · 2021-09-29T14:45:32.000+02:00
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ cd myService && serverless deploy
 
 ## Tutorial: simple example to use S4
 
-Let's use S4 to implement a file upload/download service with a trivial authorization mechanism. Every user that has the string "allowMeToUpload" in their name can upload. With "allowMeToDownload" they can download any previously uploaded file. It is the "allowMe" example in S4 repository.
+Let's use S4 to implement a file upload/download service with a trivial authorization mechanism. Every user that has the string "allowMeToUpload" in their token can upload. With "allowMeToDownload" they can download any previously uploaded file. It is the "allowMe" example in S4 repository.
 
 ### Quickly set up S4 and test "allowMe" example
 
@@ -40,8 +40,8 @@ The allow me examples in the [examples](examples)
 ### The getUploadUrlAuthorizer Lambda
 
 This Api Gateway Lambda custom authorizer checks that the user is allowed to upload a file and invoke another Lambda to generate a signed upload URL.
-**What is necessary to implement?** The access control strategy in the `getUploadUrlAuthorizer` code. Currently it uses the queryStringParameters of the request but it could be any [Api Gateway Lambda custom authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).
-**What does it do in the example?** The lambda is triggered by an API Gateway Get event with a query string parameter name that should containe "allowMeToUpload" to request and return the download url.
+**What is necessary to implement?** The access control strategy in the `getUploadUrlAuthorizer` code. Currently it uses the token in the Authorization header of the request but it could be any [Api Gateway Lambda custom authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).
+**What does it do in the example?** The lambda is triggered by an API Gateway Get event with a token that should contain "allowMeToUpload" to request and return the download url.
 
 [See getUploadUrlAuthorizer code](examples/allowMe/functions/getUploadUrlAuthorizer/handler.ts)
 
@@ -56,8 +56,8 @@ This Lambda is triggered by the `FILE_UPLOADED` EventBridge event and receives t
 ### The getDownloadUrlAuthorizer Lambda
 
 This Api Gateway Lambda custom authorizer checks that the user is allowed to download the file, requested by its file prefix, and invoke another Lambda to generate a signed download URL.
-**What is necessary to implement?** The access control strategy in the `getDownloadUrlAuthorizer` code. Currently it uses the queryStringParameters of the request but it could be any [Api Gateway Lambda custom authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).
-**What does it do in the example?** The lambda is triggered by an API Gateway Get event with a query string parameter name that should containe "allowMeToDownload" to request and return the download url.
+**What is necessary to implement?** The access control strategy in the `getDownloadUrlAuthorizer` code. Currently it uses the token in the Authorization header of the request but it could be any [Api Gateway Lambda custom authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).
+**What does it do in the example?** The lambda is triggered by an API Gateway Get event with a token that should contain "allowMeToDownload" to request and return the download url.
 
 [See getDownloadUrlAuthorizer code](examples/allowMe/functions/getDownloadUrlAuthorizer/handler.ts)
 
@@ -75,7 +75,7 @@ Let's deploy S4, upload and download a pdf
    **Request:**
 
    ```bash
-   curl 'https://{API_GATEWAY_ID}.execute-api.{REGION}.amazonaws.com/{STAGE}/api/signed-upload-url?name=allowMeToUpload&fileType=application/pdf'
+   curl 'https://{API_GATEWAY_ID}.execute-api.{REGION}.amazonaws.com/{STAGE}/api/signed-upload-url?fileType=application/pdf' --header 'Authorization: Bearer allowMeToUpload'
    ```
 
    **Response:**
@@ -119,7 +119,7 @@ Let's deploy S4, upload and download a pdf
    **Request:**
 
    ```bash
-   curl "https://{API_GATEWAY_ID}.execute-api.{REGION}.amazonaws.com/{STAGE}/api/download-url?filePrefix={FILE_PREFIX}&filename={FILENAME}&name=allowMeToDownload"
+   curl "https://{API_GATEWAY_ID}.execute-api.{REGION}.amazonaws.com/{STAGE}/api/download-url?filePrefix={FILE_PREFIX}&filename={FILENAME}" --header "Authorization: Bearer allowMeToDownload"
    ```
 
    **Response:**
@@ -146,7 +146,7 @@ This Lambda queries uploaded files metadata to display a list of files available
 
 - **A S3 bucket:** a S3 bucket to _store the files_ of end users.
 - **A Files metadata table:** a Dynamodb table to store _uploaded files metadat_. These metadata is used to to retrieve the files after their upload
-- **A getSignedUploadUrl http endpoint:** an endpoint on the route `/api/get-signed-upload-url?fileType=FILTE_TYPE&name=NAME` that verifies that the user is allowed to upload files,using the name query string parameter, and returns a presigned POST url to upload a file directly to the S3 bucket.
+- **A getSignedUploadUrl http endpoint:** an endpoint on the route `/api/get-signed-upload-url?fileType=FILTE_TYPE` that verifies that the user is allowed to upload files, using the token in the Authorization header, and returns a presigned POST url to upload a file directly to the S3 bucket.
 
 - **A dispatchFileUploadedEvent handler and an event bridge:** a handler that dispatches a `FILE_UPLOADED` event in an event bridge. This event may be used to trigger any lambda. The payload of the event contains:
 
@@ -162,7 +162,7 @@ This Lambda queries uploaded files metadata to display a list of files available
 }
 ```
 
-- **A getSignedDownloadUrl http endpoint:** an endpoint on the route `/api/get-signed-download-url?filePrefix=FILTE_PREFIX&fileName=FILE_NAME&name=NAME` that verifies that the user is allowed to download files, using the name query string parameter, and returns a presigned POST url to download a file directly to the S3 bucket.
+- **A getSignedDownloadUrl http endpoint:** an endpoint on the route `/api/get-signed-download-url?filePrefix=FILTE_PREFIX&fileName=FILE_NAME` that verifies that the user is allowed to download files, using the token in the Authorization header, and returns a presigned POST url to download a file directly to the S3 bucket.
 
 ### Flowchart
 
diff --git a/examples/allowMe/S4-allowMe.postman_collection.json b/examples/allowMe/S4-allowMe.postman_collection.json
@@ -8,10 +8,20 @@
 		{
 			"name": "getSignedUploadUrl",
 			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "allowMeToUpload",
+							"type": "string"
+						}
+					]
+				},
 				"method": "GET",
 				"header": [],
 				"url": {
-					"raw": "https://{{API_GATEWAY_ID}}.execute-api.{{REGION}}.amazonaws.com/dev/api/signed-upload-url?fileType=application/pdf&name=allowMeToUpload",
+					"raw": "https://{{API_GATEWAY_ID}}.execute-api.{{REGION}}.amazonaws.com/dev/api/signed-upload-url?fileType=application/pdf",
 					"protocol": "https",
 					"host": [
 						"{{API_GATEWAY_ID}}",
@@ -32,7 +42,8 @@
 						},
 						{
 							"key": "name",
-							"value": "allowMeToUpload"
+							"value": "allowMeToUpload",
+							"disabled": true
 						}
 					]
 				}
@@ -42,10 +53,20 @@
 		{
 			"name": "getSignedDownloadUrl",
 			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "allowMeToDownload",
+							"type": "string"
+						}
+					]
+				},
 				"method": "GET",
 				"header": [],
 				"url": {
-					"raw": "https://{{API_GATEWAY_ID}}.execute-api.{{REGION}}.amazonaws.com/dev/api/signed-download-url?name=allowMeToDownload&filePrefix={{FILE_PREFIX}}&fileName={{FILE_NAME}}",
+					"raw": "https://{{API_GATEWAY_ID}}.execute-api.{{REGION}}.amazonaws.com/dev/api/signed-download-url?filePrefix={{FILE_PREFIX}}&fileName={{FILE_NAME}}",
 					"protocol": "https",
 					"host": [
 						"{{API_GATEWAY_ID}}",
@@ -62,7 +83,8 @@
 					"query": [
 						{
 							"key": "name",
-							"value": "allowMeToDownload"
+							"value": "allowMeToDownload",
+							"disabled": true
 						},
 						{
 							"key": "filePrefix",
@@ -166,15 +188,15 @@
 		},
 		{
 			"key": "REGION",
-			"value": ""
+			"value": "eu-west-1"
 		},
 		{
 			"key": "FILE_PREFIX",
-			"value": ""
+			"value": "ced50ff1-26eb-468a-92a8-373ad0535fbf"
 		},
 		{
 			"key": "FILE_NAME",
-			"value": "test.pdf"
+			"value": "file.pdf"
 		},
 		{
 			"key": "BUCKET_NAME",
diff --git a/examples/allowMe/functions/getDownloadUrlAuthorizer/handler.ts b/examples/allowMe/functions/getDownloadUrlAuthorizer/handler.ts
@@ -3,11 +3,11 @@ import { APIGatewayRequestAuthorizerHandler } from "aws-lambda";
 import { generateInvokePolicyDocument } from "../../../../utils/authorizerUtils";
 
 export const main: APIGatewayRequestAuthorizerHandler = async (event) => {
-  const { name } = event.queryStringParameters;
+  const { Authorization: token } = event.headers;
 
   // Naive authentification strategy
-  // all requests with a queryStringParameter "name" containing the "allowMeToDownload" string are accepted
-  if (!name.includes("allowMeToDownload")) {
+  // all requests with a "token" containing the "allowMeToDownload" string are accepted
+  if (!token?.includes("allowMeToDownload")) {
     return generateInvokePolicyDocument(event.methodArn, "Deny");
   }
 
diff --git a/examples/allowMe/functions/getUploadUrlAuthorizer/handler.ts b/examples/allowMe/functions/getUploadUrlAuthorizer/handler.ts
@@ -3,11 +3,11 @@ import { APIGatewayRequestAuthorizerHandler } from "aws-lambda";
 import { generateInvokePolicyDocument } from "../../../../utils/authorizerUtils";
 
 export const main: APIGatewayRequestAuthorizerHandler = async (event) => {
-  const { name } = event.queryStringParameters;
+  const { Authorization: token } = event.headers;
 
   // Naive authentification strategy
-  // all requests with a queryStringParameter "name" containing the "allowMeToUpload" string are accepted
-  if (!name || !name.includes("allowMeToUpload")) {
+  // all requests with a "token" containing the "allowMeToUpload" string are accepted
+  if (!token?.includes("allowMeToUpload")) {
     return generateInvokePolicyDocument(event.methodArn, "Deny");
   }
 
diff --git a/functions/getSignedDownloadUrl/config.ts b/functions/getSignedDownloadUrl/config.ts
@@ -12,7 +12,7 @@ export const getSignedDownloadUrl = {
         authorizer: {
           name: "getDownloadUrlAuthorizer",
           type: "request",
-          identitySource: "method.request.querystring.name",
+          identitySource: "method.request.header.Authorization",
         },
       },
     },
diff --git a/functions/getSignedDownloadUrl/schema.ts b/functions/getSignedDownloadUrl/schema.ts
@@ -6,9 +6,8 @@ export default {
       properties: {
         filePrefix: { type: "string" },
         fileName: { type: "string" },
-        name: { type: "string" },
       },
-      required: ["filePrefix", "fileName", "name"],
+      required: ["filePrefix", "fileName"],
     },
   },
   required: ["queryStringParameters"],
diff --git a/functions/getSignedUploadUrl/config.ts b/functions/getSignedUploadUrl/config.ts
@@ -12,7 +12,7 @@ export const getSignedUploadUrl = {
         authorizer: {
           name: "getUploadUrlAuthorizer",
           type: "request",
-          identitySource: "method.request.querystring.name",
+          identitySource: "method.request.header.Authorization",
         },
       },
     },
diff --git a/functions/getSignedUploadUrl/schema.ts b/functions/getSignedUploadUrl/schema.ts
@@ -5,9 +5,8 @@ export default {
       type: "object",
       properties: {
         fileType: { type: "string" },
-        name: { type: "string" },
       },
-      required: ["fileType", "name"],
+      required: ["fileType"],
     },
   },
   required: ["queryStringParameters"],
