Bug: LambdaFunctionUrlSchema fails with CloudFront Origin Access Control (OAC) #2427

Closed
aripalo opened this issue Apr 23, 2024 · 4 comments · Fixed by #2430
Labels
bug Something isn't working completed This item is complete and has been merged/shipped parser This item relates to the Parser Utility

aripalo commented Apr 23, 2024

Expected Behaviour

Using .use(parser({ schema: LambdaFunctionUrlSchema })) middleware should work with Lambda Function URLs protected by the newly launched CloudFront OACs.

Current Behaviour

The parser throws an error:

Failed to parse schema. This error was caused by: [
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "null",
    "path": [
      "requestContext",
      "authorizer",
      "iam",
      "principalOrgId"
    ],
    "message": "Expected string, received null"
  },
  {
    "code": "invalid_type",
    "expected": "object",
    "received": "null",
    "path": [
      "requestContext",
      "authorizer",
      "iam",
      "cognitoIdentity"
    ],
    "message": "Expected object, received null"
  }

This is because when CloudFront OAC is calling the Lambda Function URL, the principalOrgId and cognitoIdentity are actually set to null:

// some sensitive'ish values replaced with fictional values
"requestContext": {
            "accountId": "123456789012",
            "apiId": "abcd1",
            "authorizer": {
                "iam": {
                    "accessKey": "ASIA123EXAMPLE",
                    "accountId": "123456789012",
                    "callerId": "AROA123EXAMPLE:OriginAccessSession",
/* NOTICE NULL → */ "cognitoIdentity": null, 
/* NOTICE NULL → */ "principalOrgId": null,  
                    "userArn": "arn:aws:sts::123456789012:assumed-role/OriginAccessControlRole/OriginAccessSession",
                    "userId": "AROA123EXAMPLE:OriginAccessSession"
                }
            },

Code snippet

.use(parser({ schema: LambdaFunctionUrlSchema })) with Lambda Function URL + CloudFront OAC

Steps to Reproduce

Creating a full example is a bit too much work for right now, but you can take my minimal Lambda Function URL + CloudFront OAC example from aws/aws-cdk#21771 (comment) and replace the Lambda function with a TS one using .use(parser({ schema: LambdaFunctionUrlSchema })) middleware.

Possible Solution

  • Make principalOrgId nullable
  • Make cognitoIdentity nullable

Powertools for AWS Lambda (TypeScript) version

latest

AWS Lambda function runtime

20.x

Packaging format used

npm

Execution logs

No response

@aripalo aripalo added bug Something isn't working triage This item has not been triaged by a maintainer, please wait labels Apr 23, 2024

aripalo commented Apr 23, 2024

Temporary "user-land" workaround is to ignore the requestContext (assuming one doesn't care about its contents in Lambda FnUrl + OAC context):

const TempSchema = LambdaFunctionUrlSchema.merge(
  z.object({
    requestContext: z.unknown(),
  }),
);
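
Replacing requestContext with z.unknown() also drops validation of the IAM caller fields. As an added example (not code from the issue or from Powertools), this dependency-free TypeScript check sketches the narrower rule listed under Possible Solution: the two fields accept null while the other iam fields stay required strings. The type and function names are hypothetical, and treating a missing key as an error is an assumption.

```typescript
// Added example: field names come from the event excerpt in the issue; other names are hypothetical.
type IamAuthorizer = {
  accessKey: string;
  accountId: string;
  callerId: string;
  cognitoIdentity: Record<string, unknown> | null; // null behind CloudFront OAC
  principalOrgId: string | null;                   // null behind CloudFront OAC
  userArn: string;
  userId: string;
};

const REQUIRED_STRINGS = ["accessKey", "accountId", "callerId", "userArn", "userId"] as const;

// Returns the list of problems found; an empty list means the block is accepted.
function checkIamAuthorizer(iam: unknown): string[] {
  if (typeof iam !== "object" || iam === null) return ["iam: expected object"];
  const rec = iam as Record<string, unknown>;
  const issues: string[] = [];
  for (const key of REQUIRED_STRINGS) {
    if (typeof rec[key] !== "string") issues.push(`${key}: expected string`);
  }
  // Assumption: nullable, not optional. A missing key is still reported.
  const org = rec["principalOrgId"];
  if (org !== null && typeof org !== "string") issues.push("principalOrgId: expected string or null");
  const cog = rec["cognitoIdentity"];
  if (cog !== null && (typeof cog !== "object" || Array.isArray(cog))) {
    issues.push("cognitoIdentity: expected object or null");
  }
  return issues;
}

// Type guard built on the check above.
function isIamAuthorizer(iam: unknown): iam is IamAuthorizer {
  return checkIamAuthorizer(iam).length === 0;
}

// Constructed sample reusing the fictional values from the issue.
const oacIam: unknown = {
  accessKey: "ASIA123EXAMPLE",
  accountId: "123456789012",
  callerId: "AROA123EXAMPLE:OriginAccessSession",
  cognitoIdentity: null,
  principalOrgId: null,
  userArn: "arn:aws:sts::123456789012:assumed-role/OriginAccessControlRole/OriginAccessSession",
  userId: "AROA123EXAMPLE:OriginAccessSession",
};

console.log(isIamAuthorizer(oacIam));
```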

@dreamorosi
Contributor

Hi @aripalo, thank you for trying the Parser utility and taking the time to open an issue, as well as providing a temporary workaround.

I'll add this to the backlog so we can take a look at fixing it.

@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation parser This item relates to the Parser Utility and removed triage This item has not been triaged by a maintainer, please wait labels Apr 24, 2024
@dreamorosi dreamorosi added this to the Parser - GA Release milestone Apr 24, 2024
@dreamorosi dreamorosi moved this from Triage to Backlog in Powertools for AWS Lambda (TypeScript) Apr 24, 2024
@am29d am29d self-assigned this Apr 24, 2024
@am29d am29d moved this from Backlog to Working on it in Powertools for AWS Lambda (TypeScript) Apr 24, 2024
@github-project-automation github-project-automation bot moved this from Working on it to Coming soon in Powertools for AWS Lambda (TypeScript) Apr 24, 2024
@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Apr 24, 2024

This is now released under v2.1.1 version!

@github-actions github-actions bot added completed This item is complete and has been merged/shipped and removed pending-release This item has been merged and will be released soon labels May 14, 2024
@dreamorosi dreamorosi moved this from Coming soon to Shipped in Powertools for AWS Lambda (TypeScript) May 14, 2024