diff --git a/docs/providers/aws/events/apigateway.md b/docs/providers/aws/events/apigateway.md index 8d29725c9..9adab4435 100644 --- a/docs/providers/aws/events/apigateway.md +++ b/docs/providers/aws/events/apigateway.md @@ -448,7 +448,7 @@ functions: ``` You can also configure an existing Cognito User Pool as the authorizer, as shown -in the following example: +in the following example with optional access token allowed scopes: ```yml functions: @@ -460,6 +460,8 @@ functions: method: post authorizer: arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ + scopes: + - my-app/read ``` If you are using the default `lambda-proxy` integration, your attributes will be diff --git a/lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js b/lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js index c9314397b..03957b8e8 100644 --- a/lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js +++ b/lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js @@ -26,15 +26,25 @@ module.exports = { const authorizerLogicalId = this.provider.naming .getAuthorizerLogicalId(http.authorizer.name); - let authorizationType; const authorizerArn = http.authorizer.arn; + + let authorizationType; if (typeof authorizerArn === 'string' && awsArnRegExs.cognitoIdpArnExpr.test(authorizerArn)) { authorizationType = 'COGNITO_USER_POOLS'; - } else { - authorizationType = 'CUSTOM'; + const cognitoReturn = { + Properties: { + AuthorizationType: authorizationType, + AuthorizerId: { Ref: authorizerLogicalId }, + }, + DependsOn: authorizerLogicalId, + }; + if (http.authorizer.scopes) { + cognitoReturn.Properties.AuthorizationScopes = http.authorizer.scopes; + } + return cognitoReturn; } - + authorizationType = 'CUSTOM'; return { Properties: { AuthorizationType: authorizationType, 
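Review bot: The new `if (http.authorizer.scopes)` guard accepts any truthy value, so a scalar written as `scopes: my-app/read` in serverless.yml or an empty list is forwarded to `AuthorizationScopes` unchanged, because validate.js only copies the value through (`scopes = authorizer.scopes;` in the hunk below) while `claims` and `resultTtlInSeconds` next to it are normalised; since the docs hunk describes scopes as switching the method to access-token scope checks, a malformed value changes which tokens are accepted rather than failing the deploy. Tightening the guard to `if (Array.isArray(http.authorizer.scopes) && http.authorizer.scopes.length > 0) {` keeps the property out of the template when nothing usable is configured, and a shape check (array of non-empty strings) belongs beside the `claims` normalisation in validate.js. `let authorizationType;` is now assigned in each branch only to be read on the next line; writing `AuthorizationType: 'COGNITO_USER_POOLS'` in the early return and a `const` on the CUSTOM path would read more directly. The enclosing function and the CUSTOM `return` continue past the end of the hunk.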
diff --git a/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js b/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js index 78ef18d37..2ac2b2957 100644 --- a/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js +++ b/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js @@ -550,6 +550,7 @@ describe('#compileMethods()', () => { authorizer: { name: 'authorizer', arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ', + scopes: ['myapp/read', 'myapp/write'], }, integration: 'AWS', path: 'users/create', @@ -564,6 +565,11 @@ describe('#compileMethods()', () => { .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationType ).to.equal('COGNITO_USER_POOLS'); + expect( + awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate + .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationScopes + ).to.contain('myapp/read'); + expect( awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizerId.Ref diff --git a/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js b/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js index b435c8fc3..9fde97c46 100644 --- a/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js +++ b/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js @@ -222,6 +222,7 @@ module.exports = { let identityValidationExpression; let claims; let authorizerId; + let scopes; if (typeof authorizer === 'string') { if (authorizer.toUpperCase() === 'AWS_IAM') { 
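Review bot: The new assertion ending in `).to.contain('myapp/read')` only proves one of the two configured scopes reached the template; `myapp/write` and the element order are unchecked, so a change that drops or reorders entries would still pass. `.to.deep.equal(['myapp/read', 'myapp/write'])` pins the whole list. There is also no counterpart asserting that `AuthorizationScopes` is absent for a Cognito authorizer configured without `scopes`, which is the path that preserves the pre-existing behaviour. The surrounding `it(...)` block continues past both ends of the hunk.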
@@ -260,6 +261,7 @@ module.exports = { resultTtlInSeconds = Number.parseInt(authorizer.resultTtlInSeconds, 10); resultTtlInSeconds = Number.isNaN(resultTtlInSeconds) ? 300 : resultTtlInSeconds; claims = authorizer.claims || []; + scopes = authorizer.scopes; identitySource = authorizer.identitySource; identityValidationExpression = authorizer.identityValidationExpression; @@ -297,6 +299,7 @@ module.exports = { identitySource, identityValidationExpression, claims, + scopes, }; },