I am trying to post a slot through a form. Only people who specify the correct access token can post a slot. But even when I enter the correct access token, it gives me error 403 and tells me I am "forbidden". When I test in Postman the POST method works. When testing in the front end it doesn't.

Error in console: CORS configuration

JavaScript code to add slot
```javascript
function addSlots() {
    var response = "";
    var jsonData = new Object();
    jsonData.restaurant_name_date_time = document.getElementById("date_time_slot").value;
    jsonData.number_of_pax = document.getElementById("number_of_pax_2").value;
    jsonData.restaurant_name = document.getElementById("restaurant_name_slot").value;
    // validate the access token
    var access_token = document.getElementById("access_token").value;
    console.log(jsonData.restaurant_name_date_time)
    console.log(jsonData.number_of_pax)
    console.log(jsonData.restaurant_name)
    console.log(access_token)
    var request = new XMLHttpRequest();
    request.open("POST", "https://aba3bnzddd.execute-api.us-east-1.amazonaws.com/slots", true);
    // the token is sent with a "Bearer " prefix in the Authorization header
    request.setRequestHeader("Authorization", "Bearer " + access_token);
    console.log(access_token)
    request.onload = function () {
        response = JSON.parse(request.responseText);
        console.log(response)
        if (response.message == "slot added") {
            alert('Congrats! You have successfully added a slot');
        } else if (response.message == "forbidden") {
            alert('Invalid token. Please enter a valid access token.');
        } else {
            alert('Error. Unable to add slot.');
        }
    };
    request.send(JSON.stringify(jsonData));
}
```
Lambda Authorizer Code

```python
import json


def lambda_handler(event, context):
    # compares the raw header value against the shared secret
    if event['headers']['authorization'] == 'secretcode':
        response = {
            "isAuthorized": True,
            "context": {
                "anyotherparam": "values"
            }
        }
        return response
    else:
        response = {
            "isAuthorized": False,
            "context": {
                "anyotherparam": "values"
            }
        }
        return response
```
API Gateway will not attempt to execute your handler lambda if the authorization header it was told to expect is not present in the request, and you'll get a forbidden response.
In your authorizer lambda, it looks like you're expecting the header with a lowercase letter "a" but you're sending a request with an uppercase letter "A". It may be case sensitive, so check that.

Other things to check:

Edit:

I just noticed the value of the authorization header is `"Bearer " + access_token` but your authorizer is checking for the secret code without the `Bearer` prefix. You may have obfuscated that intentionally, but if that's the actual code then it'll never match.
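The two mismatches described in this answer (header-name casing and the `Bearer ` prefix) can both be handled in the authorizer itself. The following is an added example, not the asker's or answerer's code: it matches the header name case-insensitively, strips the scheme, and compares the token in constant time. The environment variable name `SLOT_ACCESS_TOKEN` and the fallback value are assumptions for illustration.

```python
import hmac
import os

# Constructed stand-in for the shared secret. In a real deployment the value
# comes from an environment variable or a secrets manager, not source code.
EXPECTED_TOKEN = os.environ.get("SLOT_ACCESS_TOKEN", "secretcode")


def extract_bearer_token(headers):
    """Return the token from an Authorization: Bearer header, or None.

    Header names are matched case-insensitively: API Gateway HTTP API
    (payload format 2.0) lowercases them, while a browser client typically
    sends 'Authorization'.
    """
    if not headers:
        return None
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None  # header present but not a bearer token
    return None


def is_authorized(headers, expected=EXPECTED_TOKEN):
    token = extract_bearer_token(headers)
    if token is None:
        return False
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(token.encode(), expected.encode())


def lambda_handler(event, context):
    # Simple response format for an HTTP API Lambda authorizer.
    return {
        "isAuthorized": is_authorized(event.get("headers")),
        "context": {"anyotherparam": "values"},
    }
```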