
Authentication

Open tj opened this issue 8 years ago • 8 comments

General issue, needs to be broken down, but make it easy to utilize APIGW's API Keys, provide basic auth, custom authorizers, make Auth0 seamless etc.

tj avatar Jul 21 '17 17:07 tj

RE https://github.com/apex/up/issues/287#issuecomment-329590942

Really keen on an API authentication solution. If you don't plan to get around to it soon, I guess I need to look at creating a custom authorizer myself. :cold_sweat:

kaihendry avatar Dec 14 '17 07:12 kaihendry

Just fiddled with API keys. Appears to work!

  • https://s.natalian.org/2018-04-12/1523514092.mp4
  • https://s.natalian.org/2018-04-12/1523514239.mp4
  • https://s.natalian.org/2018-04-12/1523514443.mp4

Figured I had to modify the resources and deploy.

kaihendry avatar Apr 12 '18 06:04 kaihendry

I have "cors": { "enable": true }, enabled in my up.json btw.

I just noticed that if I try to do a CORS request to my API Key Required endpoint (from example.com to foobar.example.com), I always hit 403 with the CORS OPTIONS request. Ideally Up would not proxy the OPTIONS request. I'm not sure if this is possible.

I tried removing API Key required on the root of the domain, but if I make a POST request to /a-path, CORS seems to do the CORS request on the same path.

Maybe I'm missing something? A fetch parameter? Tried passing credentials {include,same-origin}, to no avail. I can't figure out how to set x-api-key for the CORS OPTIONS request.

kaihendry avatar Apr 30 '18 11:04 kaihendry

Hmm I'm not sure, I still haven't tried the API Gateway built-in auth stuff, I just use JWT at the moment for my stuff.

Currently the CORS stuff is configured in Up's proxy, this makes me wonder if they do some magic which isn't interoperable with CORS from an application other than API Gateway's CORS.

Might have to switch to using that, only downside there I guess is that changes would require an up stack plan/apply. I wonder if this is related https://forums.aws.amazon.com/thread.jspa?messageID=728839

AWS is so slow to address these things, I wish they'd focus on letting us deploy regular apps, the auth/cors/whatever part is easy if they'd get out of the way

tj avatar Apr 30 '18 15:04 tj

I worked around the aforementioned CORS issue with Cloudfront btw.

kaihendry avatar May 07 '18 06:05 kaihendry

@kaihendry , Unless I got it completely wrong, it's documented here under Cross-Origin Resource Sharing https://up.docs.apex.sh/#runtimes

I think you just need to add API Gateway's auth headers under the allowed headers:

{
  "cors": {
    "allowed_origins": ["*"],
    "allowed_methods": ["HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"],
    "allowed_headers": ["Content-Type", "Authorization"],
    "allow_credentials": true
  }
}

zero-master avatar May 08 '18 15:05 zero-master
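The 403 on the preflight reported a few comments up and the allowed_headers suggestion here come down to the same mechanism: a browser never attaches custom headers such as x-api-key to the OPTIONS preflight, so any key check that also covers OPTIONS will reject every cross-origin call before the real request is ever sent. The preflight therefore has to be answered without a key check, and the actual request has to be allowed to carry X-Api-Key. As an added illustration, not code from Up, from API Gateway or from anyone in this thread, here is a small Go middleware that does exactly that; the key value (sampleAPIKey) and the origin list (allowedOrigins, modelled on the example.com to foobar.example.com setup above) are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample key for this example only; a real key is read from
// configuration or a secret store, never embedded in source.
const sampleAPIKey = "example-key-0123456789"

// allowedOrigins mirrors the example.com -> foobar.example.com setup from
// the thread. An explicit list is used instead of "*" because browsers
// reject a wildcard origin on credentialed requests.
var allowedOrigins = map[string]bool{"https://example.com": true}

// The allowed_* values from the up.json snippet above, with X-Api-Key added
// so the browser is permitted to send it on the actual request.
const (
	allowedMethods = "HEAD, GET, POST, PUT, PATCH, DELETE"
	allowedHeaders = "Content-Type, Authorization, X-Api-Key"
)

// isPreflight recognises a CORS preflight: OPTIONS plus the
// Access-Control-Request-Method header that browsers add to it.
func isPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions &&
		r.Header.Get("Access-Control-Request-Method") != ""
}

// keyMatches compares the presented key in constant time.
func keyMatches(presented string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(sampleAPIKey)) == 1
}

// requireAPIKey answers preflights itself (no key check and no call into
// next, because a browser never attaches x-api-key to a preflight) and
// demands a matching X-Api-Key on every other request, plain OPTIONS included.
func requireAPIKey(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if isPreflight(r) {
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Methods", allowedMethods)
			h.Set("Access-Control-Allow-Headers", allowedHeaders)
			h.Set("Vary", "Origin")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if !keyMatches(r.Header.Get("X-Api-Key")) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware with an in-memory request and returns the
// status code, so the behaviour can be exercised without a server.
func statusFor(method, origin, key string, preflight bool) int {
	h := requireAPIKey(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "https://foobar.example.com/a-path", nil)
	req.Header.Set("Origin", origin)
	if preflight {
		req.Header.Set("Access-Control-Request-Method", http.MethodPost)
		req.Header.Set("Access-Control-Request-Headers", "x-api-key")
	}
	if key != "" {
		req.Header.Set("X-Api-Key", key)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("preflight, no key:     ", statusFor("OPTIONS", "https://example.com", "", true))
	fmt.Println("POST with key:         ", statusFor("POST", "https://example.com", sampleAPIKey, false))
	fmt.Println("POST without key:      ", statusFor("POST", "https://example.com", "", false))
	fmt.Println("preflight, bad origin: ", statusFor("OPTIONS", "https://evil.example", "", true))
}
```

Two details worth keeping when adapting this: the preflight branch returns before calling the wrapped handler, so skipping the key check there exposes no application logic, and an OPTIONS request that lacks Access-Control-Request-Method is not a preflight and is still key-checked. One caveat on the snippet above: with allow_credentials set, browsers refuse a literal `*` in Access-Control-Allow-Origin, which is why the example echoes a listed origin instead.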

@tj have you made use of the lambda authorizer?

Else would be nice if you could point to a project of yours that uses JWT to be inspired by.

I've been experimenting with Federated logins though I'm largely unsatisfied. Looking for some tooling (like Apex) to offload complexity to.

kaihendry avatar Feb 26 '19 02:02 kaihendry

I've still never tried the AWS auth stuff—I'm not sure it really adds value—mine doesn't really follow the JWT spec but there should be some decent Go JWT packages out there

tj avatar Feb 26 '19 10:02 tj
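Since the thread ends on "roll your own with a Go JWT package", here is what the verification side of an HS256 token looks like with only the standard library, as an added example that is not Up's code and not what tj describes running. It pins the algorithm instead of trusting the token's alg header, checks the signature with a constant-time compare before touching the payload, and rejects expired tokens; sampleSecret and the claims layout are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed example secret; a real one comes from configuration.
var sampleSecret = []byte("constructed-example-secret")

// claims is the minimal payload used here: a subject and an expiry (Unix seconds).
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds header.payload.signature with HMAC-SHA256 over the
// first two segments, as the JWS compact serialisation specifies.
func signHS256(c claims, secret []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyHS256 accepts a token only if the header says HS256, the signature
// matches under secret, and the exp claim is still in the future at now.
func verifyHS256(token string, secret []byte, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &hdr); err != nil {
		return c, err
	}
	// The verifier decides the algorithm; a token saying "none" or anything
	// else is rejected outright rather than used to pick a verifier.
	if hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired or missing exp")
	}
	return c, nil
}

func main() {
	now := time.Now()
	tok, _ := signHS256(claims{Sub: "alice", Exp: now.Add(time.Minute).Unix()}, sampleSecret)
	fmt.Println(verifyHS256(tok, sampleSecret, now))
	fmt.Println(verifyHS256(tok, []byte("wrong"), now))
}
```

The order matters: the signature is checked before the payload is parsed, so unsigned or tampered claims never reach application code, and the expiry is evaluated against a caller-supplied clock, which is what makes the check testable.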