New serverless pattern - apigw-websocket-mapping-template-authorizer #2609
Conversation
Hi @aliceinaws,
Thank you for your contribution. I've added a few comments and requests for changes. Pls review and apply. TY
Once the template deployed, you would need to use a websocket client, I would recommend either Postman ior wscat. | ||
1. [Install NPM](https://www.npmjs.com/get-npm). |
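Review bot: typo in the client line: "Postman ior wscat" should read "Postman or wscat", and "Once the template deployed" should read "Once the template is deployed".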
if NPM is needed, please move this to the list of requirements
@@ -0,0 +1,118 @@ | |||
# AWS Websocket API to Lambda non-proxy |
Suggested change:
- # AWS Websocket API to Lambda non-proxy
+ # Amazon API Gateway Websocket API to AWS Lambda with authorization and request mapping
@@ -0,0 +1,118 @@ | |||
# AWS Websocket API to Lambda non-proxy | |||
This pattern will create a websocket API protected by a Lambda authorizer. The websocket is integrated with a Lambda function through a mapping template that passes the main informations of the request. |
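Review bot: "information" is uncountable, so "passes the main informations of the request" should read "passes the main information of the request". The paragraph should also state which request element (a header or a query string parameter) the Lambda authorizer expects, since that determines how a client has to connect.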
Suggested change:
- This pattern will create a websocket API protected by a Lambda authorizer. The websocket is integrated with a Lambda function through a mapping template that passes the main informations of the request.
+ This pattern will create an Amazon API Gateway Websocket API protected by a Lambda authorizer. The websocket is integrated with a Lambda function through a mapping template that passes the main informations of the request.
This pattern will create a websocket API protected by a Lambda authorizer. The websocket is integrated with a Lambda function through a mapping template that passes the main informations of the request. | ||
Learn more about this pattern at Serverless Land Patterns: << Add the live URL here >> |
Suggested change:
- Learn more about this pattern at Serverless Land Patterns: << Add the live URL here >>
+ Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-websocket-mapping-template-authorizer
## How it works | ||
Websocket APIs are commonly used for 2-ways communications between a client and a server (like a chatbot for instance). | ||
I once came across a scenario where a mapping template was needed, so I thought it could help other people if I published it here. |
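Review bot: "2-ways communications" should read "two-way communication". The first-person sentence that follows reads as a personal anecdote; the section would serve readers better with one sentence on when a mapping template is preferable to a proxy integration (for example, when the backend function should only receive selected fields of the request).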
not needed
try { | ||
const command = new PutItemCommand(putParams); | ||
const response = await client.send(command); | ||
console.log("put command:", response); // Print the response |
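Review bot: the log at `console.log("put command:", response)` prints the whole PutItem response object rather than the fields that matter; together with the log-injection finding on this line, log only what you need (for example the HTTP status code from `response.$metadata`) and serialize it with `JSON.stringify` so any embedded newlines are escaped instead of written raw.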
CWE-117 - Log injection High
We detected that unsanitized user data is being written to the logs. Unsanitized data can inject malicious content. To increase the security of your code, sanitize your inputs before logging them.
export const handler = async (event) => { | ||
let connectionData; | ||
console.log("event received:", event); //check the event received by Lambda |
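Review bot: `console.log("event received:", event)` dumps the entire event, which in this pattern contains whatever the client sent in the frame plus the fields the mapping template forwards; log selected fields (the connectionId and route) with `JSON.stringify`, and remove this debug line before the pattern is published.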
CWE-117 - Log injection High
We detected that unsanitized user data is being written to the logs. Unsanitized data can inject malicious content. To increase the security of your code, sanitize your inputs before logging them.
const body = JSON.parse(event.body); | ||
const message = body.data; | ||
console.log("Message sent by client:", message); //print the message received from the request |
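Review bot: `JSON.parse(event.body)` is unguarded: a frame that is not valid JSON, or an absent body, throws out of the handler and fails the invocation. Wrap the parse in try/catch and return a 400-style result, and check that `body.data` is a string before logging it, since `body.data` is `undefined` when the key is missing.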
CWE-117 - Log injection High
We detected that unsanitized user data is being written to the logs. Unsanitized data can inject malicious content. To increase the security of your code, sanitize your inputs before logging them.
endpoint: endpoint, | ||
}); | ||
const body = JSON.parse(event.body); |
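Review bot: the same unguarded `JSON.parse(event.body)` as in the other handler; it needs the same try/catch and a check that the parsed value is a plain object before any field is read. Minor style point: `endpoint: endpoint` can be written with the shorthand `endpoint`.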
CWE-502,1321 - Deserialization of untrusted object High
It appears that you are using JSON.parse() on tainted user input. This could lead to data compromise, access control attacks, prototype pollution, denial of service (DoS) attacks, or authentication bypass. To increase the security of your code, do not parse tainted user input.
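The log-injection findings and the JSON.parse finding above apply to both route handlers in this PR. The block below is an added example, not the PR's code: it assumes the mapping template forwards `requestContext.connectionId` and the raw `body`, and the helper names `parseClientMessage` and `sanitizeForLog` are illustrative.

```javascript
// Added example (not the PR's code): defensive handling of the WebSocket
// route payload flagged above. parseClientMessage and sanitizeForLog are
// illustrative helper names assumed for this example.
const MAX_MESSAGE_BYTES = 4096;

// Replace CR/LF and other control characters so client-supplied text
// cannot forge extra log lines (CWE-117), then bound the logged length.
function sanitizeForLog(value, maxLen = 256) {
  const text = typeof value === "string" ? value : (JSON.stringify(value) ?? String(value));
  const cleaned = text.replace(/[\u0000-\u001f\u007f]/g, " ");
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen) + "..." : cleaned;
}

// Parse event.body without letting a malformed, oversized or unexpected
// frame throw out of the handler (CWE-502/1321); accept only { data: string }.
function parseClientMessage(rawBody) {
  if (typeof rawBody !== "string") return { ok: false, reason: "missing body" };
  if (Buffer.byteLength(rawBody, "utf8") > MAX_MESSAGE_BYTES) {
    return { ok: false, reason: "body too large" };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be a JSON object" };
  }
  if (!Object.prototype.hasOwnProperty.call(body, "data") || typeof body.data !== "string") {
    return { ok: false, reason: "data must be a string" };
  }
  return { ok: true, data: body.data };
}

// Handler shape of the pattern: the mapping template forwards the
// connectionId and the raw body. Only selected, sanitized fields are logged.
const handler = async (event) => {
  const connectionId = sanitizeForLog(event?.requestContext?.connectionId ?? "unknown", 64);
  const parsed = parseClientMessage(event?.body);
  if (!parsed.ok) {
    console.log(`connection=${connectionId} rejected: ${parsed.reason}`);
    return { statusCode: 400, body: parsed.reason };
  }
  console.log(`connection=${connectionId} message=${sanitizeForLog(parsed.data)}`);
  return { statusCode: 200, body: "received" };
};
```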
Pls add runtime information to all AWS::Serverless::Function resources.
Can you pls add the SourceArn property to the AWS Lambda permissions (explanation: When creating or configuring an AWS Lambda function, it is recommended to ensure that the function is not publicly accessible. This is to prevent unauthorized access and potential security vulnerabilities.)
e.g.
# Add source ARN condition to restrict which API Gateway can invoke the function
SourceArn: !Sub 'arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${WebsocketApi}/*'
Hi @aliceinaws, this issue is becoming stale. Do you still plan to work on it? |
Issue #2610, if available:
Description of changes:
This project demonstrates how to use a WebSocket API with a Lambda Authorizer. The WebSocket API does not have a proxy integration with the back-end Lambda function written in Node.js 22; instead, it uses a mapping template that forwards the main information of the request.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.