
Post method with lambda authorizer functional in postman but in front end gives 403 error

I am trying to post a slot through a form. Only people who specify the correct access token can post a slot. But even when I enter the correct access token, it gives me error 403 and tells me I am "forbidden". When I test in Postman the post method works. When testing in the front end it doesn't.

Error in console (screenshot)

CORS configuration (screenshot)

JavaScript code to add slot

    function addSlots() {
        var response = "";
        // Build the request body from the form fields
        var jsonData = {
            restaurant_name_date_time: document.getElementById("date_time_slot").value,
            number_of_pax: document.getElementById("number_of_pax_2").value,
            restaurant_name: document.getElementById("restaurant_name_slot").value
        };
        // Read the access token typed by the user
        var access_token = document.getElementById("access_token").value;
        console.log(jsonData.restaurant_name_date_time);
        console.log(jsonData.number_of_pax);
        console.log(jsonData.restaurant_name);
        console.log(access_token);

        var request = new XMLHttpRequest();
        request.open("POST", "https://aba3bnzddd.execute-api.us-east-1.amazonaws.com/slots", true);
        // Token is sent with the "Bearer " prefix
        request.setRequestHeader("Authorization", "Bearer " + access_token);

        request.onload = function () {
            response = JSON.parse(request.responseText);
            console.log(response);
            if (response.message == "slot added") {
                alert('Congrats! You have successfully added a slot');
            } else if (response.message == "forbidden") {
                alert('Invalid token. Please enter a valid access token.');
            } else {
                alert('Error. Unable to add slot.');
            }
        };
        request.send(JSON.stringify(jsonData));
    }

Lambda Authorizer Code

import json


def lambda_handler(event, context):
    # HTTP API Lambda authorizer, simple response format:
    # allow the request only when the "authorization" header
    # equals the shared secret exactly.
    authorized = event['headers']['authorization'] == 'secretcode'

    response = {
        "isAuthorized": authorized,
        "context": {
            "anyotherparam": "values"
        }
    }
    return response

API Gateway will not attempt to execute your handler lambda if the authorization header it was told to expect is not present in the request, and you'll get a forbidden response.

In your authorizer lambda, it looks like you're expecting the header with a lowercase letter "a" but you're sending a request with an uppercase letter "A". It may be case sensitive, so check that.

Other things to check:

  • Is the value you used for the identity source in the authorizer an exact match for the header that's being passed? Again, look for case mismatches.
  • Is your handler lambda even being invoked? There will be evidence of invocations in the Lambda monitor and/or CloudWatch logs. If it isn't, then API Gateway is stopping the response before it gets to your handler (probably due to an issue with the authorizer).

Edit

I just noticed the value of the authorization header is "Bearer " + access_token but your authorizer is checking for the secret code without the Bearer prefix. You may have obfuscated that intentionally, but if that's the actual code then it'll never match.
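As an added illustration of the two points raised in the answer (header name case and the missing Bearer prefix), and not code from the question or from the answerer: the authorizer below looks the header up case-insensitively, strips the Bearer scheme, and compares the token in constant time. The environment variable name SLOT_API_TOKEN, the helper names and the sample events are assumptions constructed for this example.

```python
import hmac
import os

# Assumption for this example: the shared secret comes from an environment
# variable instead of being hard-coded; "secretcode" is only the fallback so
# the example runs offline.
EXPECTED_TOKEN = os.environ.get("SLOT_API_TOKEN", "secretcode")


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    if not headers:
        return None
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def extract_bearer_token(value):
    """Return the token from 'Bearer <token>', or None if the scheme is missing."""
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()


def is_authorized(event):
    """True only when the request carries 'Bearer <EXPECTED_TOKEN>'."""
    token = extract_bearer_token(get_header(event.get("headers"), "authorization"))
    if token is None:
        return False
    # Constant-time comparison so a wrong token is not distinguishable by timing.
    return hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())


def lambda_handler(event, context):
    # Simple response format of an HTTP API Lambda authorizer.
    return {
        "isAuthorized": is_authorized(event),
        "context": {"anyotherparam": "values"},
    }


# Constructed sample events (only the "headers" member matters here).
EVENT_OK = {"headers": {"Authorization": "Bearer secretcode"}}
EVENT_MISSING_BEARER = {"headers": {"authorization": "secretcode"}}
EVENT_WRONG_TOKEN = {"headers": {"authorization": "Bearer nottheone"}}
EVENT_NO_HEADER = {"headers": {"content-type": "application/json"}}

if __name__ == "__main__":
    for name, event in [("ok", EVENT_OK), ("no bearer prefix", EVENT_MISSING_BEARER),
                        ("wrong token", EVENT_WRONG_TOKEN), ("no header", EVENT_NO_HEADER)]:
        print(name, "->", lambda_handler(event, None)["isAuthorized"])
```

The HTTP API payload format 2.0 already lower-cases header names before the authorizer sees them, so the case-insensitive lookup mainly protects a handler that is later reused with a different event shape; the identity source configured on the authorizer still has to name the header the client actually sends, as the answer notes.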
