feat(AWS ALB): Remove support for authorizers[].allowUnauthenticated

BREAKING CHANGE: Support for `providers.alb.authorizers[].allowUnauthenticated` setting was removed. Rely on `providers.alb.authorizers[].onUnauthenticatedRequest` instead. (PR #8160)
2026-01-18 14:58:43 +00:00 · 2020-09-01 15:41:53 +01:00 · 2020-09-01 15:41:53 +01:00 · 7c304df5ff
commit 7c304df5ff
parent 33eef9f06b
3 changed files with 2 additions and 78 deletions
--- a/lib/plugins/aws/package/compile/events/alb/index.test.js
+++ b/lib/plugins/aws/package/compile/events/alb/index.test.js
@ -162,44 +162,6 @@ describe('AwsCompileAlbEvents', () => {
          );
        }));

-    it('maps "allowUnauthenticated" set to true to "allow"', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({ allowUnauthenticated: true }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'allow' })
-          );
-        }));
-
-    it('"allowUnauthenticated" set to false should be ineffective', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({ allowUnauthenticated: false }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' })
-          );
-        }));
-
    it('supports setting value to "allow"', () =>
      runServerless({
        fixture: 'functionDestinations',
@ -237,27 +199,5 @@ describe('AwsCompileAlbEvents', () => {
            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'authenticate' })
          );
        }));
-
-    it('takes precedence over allowUnauthenticated', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({
-          onUnauthenticatedRequest: 'deny',
-          allowUnauthenticated: true,
-        }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' })
-          );
-        }));
  });
 });
--- a/lib/plugins/aws/package/compile/events/alb/lib/validate.js
+++ b/lib/plugins/aws/package/compile/events/alb/lib/validate.js
@ -206,22 +206,7 @@ module.exports = {
  },

  validateAlbAuth(auth) {
-    const hasAllowUnauthenticated = auth.allowUnauthenticated != null;
-    const hasOnUnauthenticatedRequest = auth.onUnauthenticatedRequest != null;
-
-    if (hasAllowUnauthenticated) {
-      this.serverless._logDeprecation(
-        'AWS_ALB_ALLOW_UNAUTHENTICATED',
-        'allowUnauthenticated is deprecated, use onUnauthenticatedRequest instead'
-      );
-    }
-
-    if (hasAllowUnauthenticated && !hasOnUnauthenticatedRequest) {
-      auth.onUnauthenticatedRequest = auth.allowUnauthenticated ? 'allow' : 'deny';
-    } else {
-      auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny';
-    }
-
+    auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny';
    return auth;
  },

--- a/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
+++ b/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
@ -108,7 +108,7 @@ describe('#validate()', () => {
          userPoolArn: 'arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341',
          userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
          userPoolDomain: 'your-test-domain',
-          allowUnauthenticated: true,
+          onUnauthenticatedRequest: 'allow',
        },
        mySecondAuth: {
          type: 'oidc',
@ -131,7 +131,6 @@ describe('#validate()', () => {
        userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
        userPoolDomain: 'your-test-domain',
        onUnauthenticatedRequest: 'allow',
-        allowUnauthenticated: true,
      },
      mySecondAuth: {
        type: 'oidc',