
Post method with lambda authorizer functional in postman but in front end gives 403 error

I am trying to post a slot through a form. Only people who specify the correct access token can post a slot. But even when I enter the correct access token, it gives me error 403 and tells me I am "forbidden". When I test in Postman the post method works. When testing in the front end it doesn't.

Error in console CORS configuration

JavaScript code to add slot

function addSlots() {
    var response = "";
    var jsonData = new Object();
    jsonData.restaurant_name_date_time = document.getElementById("date_time_slot").value;
    jsonData.number_of_pax = document.getElementById("number_of_pax_2").value;
    jsonData.restaurant_name = document.getElementById("restaurant_name_slot").value;
    // validate the access token
    var access_token = document.getElementById("access_token").value;
    console.log(jsonData.restaurant_name_date_time);
    console.log(jsonData.number_of_pax);
    console.log(jsonData.restaurant_name);
    console.log(access_token);

    var request = new XMLHttpRequest();
    request.open("POST", "https://aba3bnzddd.execute-api.us-east-1.amazonaws.com/slots", true);
    // the token is sent with a "Bearer " prefix
    request.setRequestHeader("Authorization", "Bearer " + access_token);

    request.onload = function () {
        response = JSON.parse(request.responseText);
        console.log(response);
        if (response.message == "slot added") {
            alert('Congrats! You have successfully added a slot');
        } else if (response.message == "forbidden") {
            alert('Invalid token. Please enter a valid access token.');
        } else {
            alert('Error. Unable to add slot.');
        }
    };
    request.send(JSON.stringify(jsonData));
}

Lambda Authorizer Code

import json

def lambda_handler(event, context):
    # compare the raw header value against the expected secret
    if event['headers']['authorization'] == 'secretcode':
        response = {
            "isAuthorized": True,
            "context": {
                "anyotherparam": "values"
            }
        }
        return response
    else:
        response = {
            "isAuthorized": False,
            "context": {
                "anyotherparam": "values"
            }
        }
        return response

API Gateway will not attempt to execute your handler lambda if the authorization header it was told to expect is not present in the request, and you'll get a forbidden response.

In your authorizer lambda, it looks like you're expecting the header with a lowercase letter "a" but you're sending a request with an uppercase letter "A". It may be case sensitive, so check that.

Other things to check:

  • Is the value you used for the identity source in the authorizer an exact match for the header that's being passed? Again, look for case mismatches.
  • Is your handler lambda even being invoked? There will be evidence of invocations in the Lambda monitor and/or CloudWatch logs. If it isn't, then API Gateway is stopping the response before it gets to your handler (probably due to an issue with the authorizer).

Edit:

I just noticed the value of the authorization header is "Bearer " + access_token but your authorizer is checking for the secret code without the Bearer prefix. You may have obfuscated that intentionally, but if that's the actual code then it'll never match.
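As an added example (not the questioner's or the answerer's code), here is the authorizer rewritten so that it does not fall over either of the two mismatches the answer points out: it finds the Authorization header regardless of casing, strips the "Bearer " prefix that the front end sends, and compares the token in constant time. The 'secretcode' value is the placeholder from the question; the sample events are constructed.

```python
import hmac

# Placeholder from the question; a real deployment would load this from
# a secret store or environment configuration, never from source.
EXPECTED_TOKEN = "secretcode"


def extract_bearer_token(headers):
    """Return the token carried in an Authorization header, or None.

    Header names are matched case-insensitively (HTTP API v2 payloads lowercase
    them, REST API payloads keep the client's casing), and the "Bearer " prefix
    the browser code adds is stripped before the value is compared.
    """
    if not headers:
        return None
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None  # no Bearer scheme: reject rather than guess
    return None


def lambda_handler(event, context=None):
    """Simple-response Lambda authorizer (same shape as the one in the question)."""
    token = extract_bearer_token(event.get("headers"))
    # compare_digest keeps the comparison time independent of how many
    # leading characters match, so the secret does not leak through timing
    authorized = token is not None and hmac.compare_digest(token, EXPECTED_TOKEN)
    return {"isAuthorized": authorized, "context": {"anyotherparam": "values"}}


if __name__ == "__main__":
    # Constructed events: what the page's front end sends, and a bare token
    browser_event = {"headers": {"authorization": "Bearer secretcode"}}
    bare_event = {"headers": {"Authorization": "secretcode"}}
    print(lambda_handler(browser_event)["isAuthorized"])  # True
    print(lambda_handler(bare_event)["isAuthorized"])     # False
```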
