How to authenticate third party webhook request in AWS Lambda serverless deployment
I'm writing a function that handles the callback of a Stripe.com checkout session.
Basically, I receive some data in the body of the request, verify it with the Stripe node library, then I'm trying to write to DynamoDB to handle some backend business logic after the purchase is completed.
The problem is I need to keep this API endpoint open for Stripe to call it but also give the function authorization to write to DynamoDB. When setting the authorizer: aws_iam, it requires the request to include an authentication token, and when testing the webhook with Stripe it returns a "Missing Authentication Token" error.
When I remove the authorizer: aws_iam, Stripe can call the webhook fine because the endpoint is open, but then there's no permissions setup to allow writing to DynamoDB. Seems like a catch-22.
Here's my serverless:
handleCourseCheckout:
  handler: checkout_completed.main
  events:
    - http:
        path: webhook/purchased
        method: post
        cors: true
        authorizer: aws_iam
and here is where the authorizer aws_iam is defined:
provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  ......
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
      # Restrict our IAM role permissions to
      # the specific table for the stage
      Resource:
        - "Fn::ImportValue": TableArn
That's kinda strange. In your case you need to configure:
(authorizer: aws_iam means restricting access to the API GW endpoint only)
Please:
- check Lambda permissions (execution role)
- check API GW (integration request role)
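With no API Gateway authorizer on the route, the request is authenticated inside the function by its Stripe-Signature header, while the DynamoDB permissions come from the function's execution role (the iamRoleStatements above). The following is an added example, not part of the original posts and not the Stripe library's code, showing that signature check with Node's crypto module. The function names, the 300-second tolerance and the onVerified callback are assumptions made for illustration.

```javascript
// Added example: not from the original posts and not Stripe's library code.
const crypto = require('crypto');

const TOLERANCE_SECONDS = 300; // assumed replay window

// Parse "t=<unix ts>,v1=<hex hmac>[,v1=...]" from the Stripe-Signature header.
function parseSignatureHeader(header) {
  const parsed = { timestamp: null, signatures: [] };
  for (const part of String(header || '').split(',')) {
    const [key, value] = part.trim().split('=');
    if (key === 't') parsed.timestamp = Number(value);
    if (key === 'v1' && value) parsed.signatures.push(value);
  }
  return parsed;
}

// True only if a v1 signature matches HMAC-SHA256(secret, "<t>.<rawBody>")
// and the timestamp is within the tolerance window.
function verifyStripeSignature(rawBody, header, secret, nowSeconds) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!Number.isInteger(timestamp) || signatures.length === 0) return false;
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return false;
  const expected = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`, 'utf8').digest();
  return signatures.some((sig) => {
    const candidate = Buffer.from(sig, 'hex');
    return candidate.length === expected.length &&
      crypto.timingSafeEqual(candidate, expected);
  });
}

// Lambda proxy handler for an endpoint with no API Gateway authorizer.
// onVerified is a hypothetical callback where the DynamoDB write would go.
async function handleWebhook(event, secret, onVerified, nowSeconds) {
  const headers = event.headers || {};
  const name = Object.keys(headers).find((h) => h.toLowerCase() === 'stripe-signature');
  const rawBody = event.isBase64Encoded
    ? Buffer.from(event.body || '', 'base64').toString('utf8')
    : event.body || '';
  const now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  if (!name || !verifyStripeSignature(rawBody, headers[name], secret, now)) {
    return { statusCode: 400, body: 'invalid signature' };
  }
  await onVerified(JSON.parse(rawBody));
  return { statusCode: 200, body: 'ok' };
}
```

The HMAC must be computed over the raw request body exactly as received; re-serializing parsed JSON changes the bytes and the comparison fails.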