@goodgamestudios/aws-jwt-authorizer
v0.0.2
Published
A flexible JWT Authorizer for Serverless functions
Downloads
7
Maintainers
Readme
aws-jwt-authorizer
A flexible JWT Authorizer function for AWS Lambda
aws-jwt-authorizer
is heavily based Mohamed’s Authorizer and Secrets Manager and Chad’s ggs-serverless-jwt
.
This implementation adds the following:
- The Public Key for JWT verification is:
- loaded from Secrets Manager
- using a key derived from the Issuer (
iss
) in the JWT - cached in memory for a configurable amount of time
- Almost all aspects of the Authorizer are configurable
- has automated tests
Usage
npm add @goodgamestudios/aws-jwt-authorizer
Then modify your serverless.yml
to make use of this. Add the following
function
with a suitable name:
function:
...
jwt-authorizer:
handler: @goodgamestudios/aws-jwt-authorizer
name: service_stage_jwt-authorizer
Define the following environment variables,
provider:
environment:
JWT_AUTH_ISSUERS: A space or comma separated, case sensitive list of acceptable issuers
GAME_STAGE: 'live' or 'test'
# Optional
JWT_AUTH_ALGORITHMS: Defaults to 'RS256, RS384, RS512'
JWT_AUTH_CLOCK_TOLERANCE: 30
AWS_SECRET_VALUE_TTL: e.g. '10 min', '20s' etc
In your existing functions, do
function:
app:
handler: existing_handler.app
events:
- http:
path: "/path"
method: get
# This is the important bit!:
authorizer:
name: jwt-authorizer
resultTtlInSeconds: 60
identitySource: method.request.header.Authorization
identityValidationExpression: '^Bearer [-0-9a-zA-Z.+/=_]*$'
Advanced usage
createJwtAuthorizer
is fully customizable. All arguments are optional.
const createJwtAuthorizer = require('@goodgamestudios/aws-jwt-authorizer/create')
module.exports = createJwtAuthorizer({
algorithms: 'RS256', // string or array of strings
issuer: ['myIssuer', 'myOtherIssuer'], // string or array of strings
clockTolerance: 60,
getToken(event) {…},
getPublicKey(event, decodedToken) {…},
shouldAllow(event, verifiedToken) {…}
})
getToken(event)
- get the JWT based onevent
getPublicKey(event, decodedToken)
- get the public key based onevent
anddecodedToken
. This key will be used to verify the token’s signature.shouldAllow(event, verifiedToken)
- returntrue
if access to the requested resource should be allowed, based on theevent
andverifiedToken