Merge pull request #6000 from herebebogans/feature/cognito_authorizer_scope

Add authorization scopes support for cognito user pool integration

docs/providers/aws/events/apigateway.md

@@ -448,7 +448,7 @@ functions:
 ```
 
 You can also configure an existing Cognito User Pool as the authorizer, as shown
-in the following example:
+in the following example with optional access token allowed scopes:
 
 ```yml
 functions:
@@ -460,6 +460,8 @@ functions:
           method: post
           authorizer:
             arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ
+            scopes:
+              - my-app/read
 ```
 
 If you are using the default `lambda-proxy` integration, your attributes will be

lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js

@@ -26,15 +26,25 @@ module.exports = {
       const authorizerLogicalId = this.provider.naming
         .getAuthorizerLogicalId(http.authorizer.name);
 
-      let authorizationType;
       const authorizerArn = http.authorizer.arn;
+
+      let authorizationType;
       if (typeof authorizerArn === 'string'
         && awsArnRegExs.cognitoIdpArnExpr.test(authorizerArn)) {
         authorizationType = 'COGNITO_USER_POOLS';
-      } else {
-        authorizationType = 'CUSTOM';
+        const cognitoReturn = {
+          Properties: {
+            AuthorizationType: authorizationType,
+            AuthorizerId: { Ref: authorizerLogicalId },
+          },
+          DependsOn: authorizerLogicalId,
+        };
+        if (http.authorizer.scopes) {
+          cognitoReturn.Properties.AuthorizationScopes = http.authorizer.scopes;
+        }
+        return cognitoReturn;
       }
-
+      authorizationType = 'CUSTOM';
       return {
         Properties: {
           AuthorizationType: authorizationType,

lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js

@@ -550,6 +550,7 @@ describe('#compileMethods()', () => {
           authorizer: {
             name: 'authorizer',
             arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
+            scopes: ['myapp/read', 'myapp/write'],
           },
           integration: 'AWS',
           path: 'users/create',
@@ -564,6 +565,11 @@ describe('#compileMethods()', () => {
           .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationType
       ).to.equal('COGNITO_USER_POOLS');
 
+      expect(
+        awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate
+          .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationScopes
+      ).to.contain('myapp/read');
+
       expect(
         awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate
           .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizerId.Ref

lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js

@@ -222,6 +222,7 @@ module.exports = {
     let identityValidationExpression;
     let claims;
     let authorizerId;
+    let scopes;
 
     if (typeof authorizer === 'string') {
       if (authorizer.toUpperCase() === 'AWS_IAM') {
@@ -260,6 +261,7 @@ module.exports = {
       resultTtlInSeconds = Number.parseInt(authorizer.resultTtlInSeconds, 10);
       resultTtlInSeconds = Number.isNaN(resultTtlInSeconds) ? 300 : resultTtlInSeconds;
       claims = authorizer.claims || [];
+      scopes = authorizer.scopes;
 
       identitySource = authorizer.identitySource;
       identityValidationExpression = authorizer.identityValidationExpression;
@@ -297,6 +299,7 @@ module.exports = {
       identitySource,
       identityValidationExpression,
       claims,
+      scopes,
     };
   },