cdk-eventbridge-socket

Add an authorizer function for the API Gateway (WebSocket) endpoint

Open boyney123 opened this issue 4 years ago • 4 comments

By default the websocket is open for anyone to connect to.

Think it would be better practice if there was a basic lambda that maybe could verify a token of some sort? Like the example seen here https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html

exports.handler = async(event) => {
    let response = {
        "isAuthorized": false,
        "context": {
            "stringKey": "value",
            "numberKey": 1,
            "booleanKey": true,
            "arrayKey": ["value1", "value2"],
            "mapKey": {"value1": "value2"}
        }
    };
    
    if (event.headers.authorization === "secretToken") {
        response = {
            "isAuthorized": true,
            "context": {
                "stringKey": "value",
                "numberKey": 1,
                "booleanKey": true,
                "arrayKey": ["value1", "value2"],
                "mapKey": {"value1": "value2"}
            }
        };
    }

    return response;

};

Maybe the websocket could send an authorization header, then we could allow the connection if it matches....

boyney123, Aug 24 '21 19:08

Hey @boyney123 I'd love to take a shot at adding this! I'm thinking a simple implementation would include an SSM parameter containing a token - so the authorizer function would look for a parameter with a certain key and then compare the value with the auth header. WDYT?

lukehedger, Sep 22 '21 12:09

Hey @lukehedger

> Hey @boyney123 I'd love to take a shot at adding this! I'm thinking a simple implementation would include an SSM parameter containing a token - so the authorizer function would look for a parameter with a certain key and then compare the value with the auth header. WDYT?

Yeah, the first time I looked at this kinda stuff, but makes sense to me I think!

Maybe somehow pass the token value into the construct?

Any thoughts on how people could set the token value?

new EventBridgeWebSocket(this, 'sockets', {
  bus: 'your-event-bus-name',

  // This example shows how to listen for all events
  eventPattern: {
    account: ['your_account_id'],
  },
  stage: 'dev',
  token: 'something-interesting',
});


Not sure if that's the best way or not?

boyney123, Sep 23 '21 09:09

Just had a look at this @boyney123 and it seems that authorizers work slightly differently for WebSocket APIs. There is also currently no L2 support in CDK, although there do seem to be a couple of workarounds - see https://github.com/aws/aws-cdk/issues/13869.

lukehedger, Sep 27 '21 15:09

Meanwhile CDK has authorizer support, so I created a PR to add this functionality.

RaphaelManke, Oct 28 '22 21:10
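
The token check discussed in this thread, written as an added example for a WebSocket `$connect` route; it is not code from this repository or from the PR mentioned above. It returns an IAM policy because WebSocket API Lambda authorizers use that response format rather than the `isAuthorized` simple response shown for HTTP APIs. Assumptions: the token is supplied in a hypothetical `AUTH_TOKEN` environment variable, and the `principalId` value is a placeholder.

```javascript
// Added example: Lambda REQUEST authorizer for an API Gateway WebSocket $connect route.
const crypto = require('node:crypto');

// Assumption: the shared token arrives via the AUTH_TOKEN environment variable
// (hypothetical name); it could be read from an SSM parameter at cold start instead.
const expectedToken = () => process.env.AUTH_TOKEN || '';

// Constant-time comparison. Hashing both sides first gives equal-length buffers,
// so timingSafeEqual never throws and the token length is not leaked.
function tokensMatch(presented, expected) {
  if (typeof presented !== 'string' || !expected) return false; // fail closed
  const digest = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Header names are case-insensitive, so look the header up regardless of casing.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : undefined;
}

// WebSocket APIs expect an IAM policy in the authorizer response.
function buildPolicy(effect, resource) {
  return {
    principalId: 'websocket-client', // constructed placeholder identity
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

async function handler(event) {
  const presented = getHeader(event.headers, 'authorization');
  const effect = tokensMatch(presented, expectedToken()) ? 'Allow' : 'Deny';
  return buildPolicy(effect, event.methodArn);
}

exports.handler = handler;
```

The browser `WebSocket` API cannot set an `Authorization` header, so this header-based check fits non-browser clients that can.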