serverless-apigateway-service-proxy icon indicating copy to clipboard operation
serverless-apigateway-service-proxy copied to clipboard

Published 20 hours ago verified publisher icon serverless-operations

Missing Authentication Token - 403 Forbidden

Open serverlesspolska opened this issue 3 years ago • 3 comments

I have defined endpoint in the following way:

custom:
  apiGatewayServiceProxies:
    - dynamodb:
        path: /getPartner/{PK}/{SK}
        method: GET
        tableName: { Ref: DynamoDbTable }
        authorizationType: 'NONE'
        hashKey:
          pathParam: PK
          attributeType: S
        rangeKey:
          pathParam: SK
          attributeType: S
        action: GetItem
        cors: false

When I am testing it inside of API Gateway console it works. Unfortunately, it doesn't work from the internet. I get the following response:

HTTP/1.1 403 Forbidden
Date: Mon, 09 Nov 2020 21:23:00 GMT
Content-Type: application/json
Content-Length: 42
Connection: close
x-amzn-RequestId: 1ee18fc5-78aa-4bcf-bb42-52977beb94e4
x-amzn-ErrorType: MissingAuthenticationTokenException
x-amz-apigw-id: VwjwNFuUIAMFrRA=

{
  "message": "Missing Authentication Token"
}

What should I do?

serverlesspolska avatar Nov 09 '20 21:11 serverlesspolska

After some testing, I noticed that the root cause is path parameters. PK=PARTNER#test & SK=PARTNER#test

I'm trying to access following URL: https://MY_ID.execute-api.us-east-1.amazonaws.com/dev/getPartner/PARTNER#test/PARTNER#test/

Which for some reason doesn't hit the endpoint 🤯 Why? I don't know. However removing # sign allows to hit the endpoint (i see that in the logs) however, lack of HASH sign doesn't solve my problem because I have # in PK and SK values in my DynamoDB table.

What to do?

Can I configure this plugin to send in URL just the part after the # and add PARTNER# in the mappings somehow?

serverlesspolska avatar Nov 09 '20 21:11 serverlesspolska

Getting exactly the same issue. Works with query string params (if I URL encode the hash) but with path params I get the "Missing Authentication Token" error (whether I URL encode the hash or not). Both work fine in the API Gateway console.

@serverlesspolska did you manage to resolve this?

Everything configures correctly with path params I think so I wonder if this is an issue with API Gateway not liking path params with hashes even if they're URL encoded.

rbdmorgan avatar Mar 25 '21 19:03 rbdmorgan

No, I haven't @rbdmorgan.

While I think this is a wonderful plugin I stopped using it since it is still not compatible with Serverless Framework > 2.x.x. I'm waiting till they will solve ticket #108.

Afterwards, I will think about creating PullRequest with the modification that supports single-table designs.

serverlesspolska avatar Apr 13 '21 15:04 serverlesspolska