From 48c5a18e6f3d4954c9718fb72ff5f15bb0958fb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20L=C3=B3pez?= Date: Fri, 25 Nov 2022 21:06:50 -0500 Subject: [PATCH] feat: request authorizers with null identitySource should return 401 (#1618) --- src/events/http/createAuthScheme.js | 5 +- .../request-authorizer.test.js | 96 +++++++++++++++++-- 2 files changed, 94 insertions(+), 7 deletions(-) diff --git a/src/events/http/createAuthScheme.js b/src/events/http/createAuthScheme.js index 01c48234d..71b56a70f 100644 --- a/src/events/http/createAuthScheme.js +++ b/src/events/http/createAuthScheme.js @@ -78,9 +78,12 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) { } if (authorization === undefined) { - throw new Error( + log.error( `Identity Source is null for ${identitySourceType} ${identitySourceField} (λ: ${authFunName})`, ) + return Boom.unauthorized( + 'User is not authorized to access this resource', + ) } const identityValidationExpression = new RegExp( diff --git a/tests/integration/request-authorizer/request-authorizer.test.js b/tests/integration/request-authorizer/request-authorizer.test.js index dae1bd743..7359aa0c0 100644 --- a/tests/integration/request-authorizer/request-authorizer.test.js +++ b/tests/integration/request-authorizer/request-authorizer.test.js @@ -64,7 +64,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -78,6 +79,19 @@ describe('request authorizer tests', () => { path: '/user1-header', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user1-header', + status: 401, + }, ].forEach(doTest) }) @@ -106,7 +120,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -116,6 +131,19 @@ describe('request authorizer tests', () => { path: '/user1-querystring?query1=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user1-querystring', + status: 401, + }, ].forEach(doTest) }) @@ -152,7 +180,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -166,6 +195,19 @@ describe('request authorizer tests', () => { path: '/user2-header', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user2-header', + status: 401, + }, ].forEach(doTest) }) @@ -194,7 +236,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -204,6 +247,19 @@ describe('request authorizer tests', () => { path: '/user2-querystring?query2=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user2-querystring', + status: 401, + }, ].forEach(doTest) }) @@ -240,7 +296,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -254,6 +311,19 @@ describe('request authorizer tests', () => { path: '/user2simple-header', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user2simple-header', + status: 401, + }, ].forEach(doTest) }) @@ -282,7 +352,8 @@ describe('request authorizer tests', () => { }, { - description: 'should fail with an Unauthorized error', + description: + 'should fail with an Unauthorized error when identity source is explicitly not handled', expected: { error: 'Unauthorized', message: 'Unauthorized', @@ -292,6 +363,19 @@ describe('request authorizer tests', () => { path: '/user2simple-querystring?query2simple=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c', status: 401, }, + + { + description: + 'should fail with an Unauthorized error when identity source is not present on the request', + expected: { + error: 'Unauthorized', + message: 'User is not authorized to access this resource', + statusCode: 401, + }, + options: {}, + path: '/user2simple-querystring', + status: 401, + }, ].forEach(doTest) }) })