fix: add example and moved oauth2 config

Author: rubenfonseca

aws_lambda_powertools/event_handler/openapi/swagger_ui/__init__.py

@@ -3,13 +3,11 @@
 )
 from aws_lambda_powertools.event_handler.openapi.swagger_ui.oauth2 import (
     OAuth2Config,
-    OAuth2UnsafeConfig,
     generate_oauth2_redirect_html,
 )
 
 __all__ = [
     "generate_swagger_html",
     "generate_oauth2_redirect_html",
     "OAuth2Config",
-    "OAuth2UnsafeConfig",
 ]

aws_lambda_powertools/event_handler/openapi/swagger_ui/oauth2.py

@@ -1,9 +1,10 @@
 # ruff: noqa: E501
 from typing import Dict, Optional, Sequence
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, validator
 
 from aws_lambda_powertools.event_handler.openapi.pydantic_loader import PYDANTIC_V2
+from aws_lambda_powertools.shared.functions import powertools_dev_is_set
 
 
 # Based on https://swagger.io/docs/open-source-tools/swagger-ui/usage/oauth2/
@@ -15,6 +16,10 @@ class OAuth2Config(BaseModel):
     # The client ID for the OAuth2 application
     clientId: str = Field(alias="client_id")
 
+    # The client secret for the OAuth2 application. This is sensitive information and requires the explicit presence
+    # of the POWERTOOLS_DEV environment variable.
+    clientSecret: Optional[str] = Field(alias="client_secret", default=None)
+
     # The realm in which the OAuth2 application is registered. Optional.
     realm: Optional[str] = Field(default=None)
 
@@ -44,15 +49,14 @@ class Config:
             extra = "allow"
             allow_population_by_field_name = True
 
-
-class OAuth2UnsafeConfig(OAuth2Config):
-    """
-    This class extends the OAuth2Config class and includes the client secret.
-    This class NEVER BE USED IN PRODUCTION as it will expose sensitive information.
-    """
-
-    # The client secret for the OAuth2 application. This is sensitive information.
-    clientSecret: str = Field(alias="client_secret")
+    @validator("clientSecret", always=True)
+    def client_secret_only_on_dev(cls, v: Optional[str]) -> Optional[str]:
+        if v and not powertools_dev_is_set():
+            raise ValueError(
+                "cannot use client_secret without POWERTOOLS_DEV mode. See "
+                "https://docs.powertools.aws.dev/lambda/python/latest/#optimizing-for-non-production-environments",
+            )
+        return v
 
 
 def generate_oauth2_redirect_html() -> str:

examples/event_handler_rest/sam/swagger_ui_oauth2_template.yaml

@@ -0,0 +1,28 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for Oauth2 Cognito User Pool + Swagger UI
+
+Globals:
+  Function:
+    Timeout: 5
+    Runtime: python3.12
+    Tracing: Active
+    Environment:
+      Variables:
+        LOG_LEVEL: INFO
+        POWERTOOLS_LOGGER_SAMPLE_RATE: 0.1
+        POWERTOOLS_LOGGER_LOG_EVENT: true
+        POWERTOOLS_SERVICE_NAME: example
+
+Resources:
+  HelloWorldFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: hello_world/
+      Handler: swagger_ui_oauth2.lambda_handler
+      Events:
+        AnyApiEvent:
+          Type: Api
+          Properties:
+            Path: /{proxy+} # Send requests on any path to the lambda function
+            Method: ANY # Send requests using any http method to the lambda function

examples/event_handler_rest/src/swagger_ui_oauth2.py

@@ -0,0 +1,55 @@
+from aws_lambda_powertools import Logger, Tracer
+from aws_lambda_powertools.event_handler import (
+    APIGatewayRestResolver,
+    Response,
+)
+from aws_lambda_powertools.event_handler.openapi.models import (
+    OAuth2,
+    OAuthFlowAuthorizationCode,
+    OAuthFlows,
+)
+from aws_lambda_powertools.event_handler.openapi.swagger_ui import OAuth2Config
+
+tracer = Tracer()
+logger = Logger()
+
+oauth2 = OAuth2Config(
+    client_id="your_oauth2_client_id",
+    client_secret="your_oauth2_secret",
+    app_name="OAuth2 Test",
+)
+
+app = APIGatewayRestResolver(enable_validation=True)
+
+# NOTE: for this to work, your OAuth2 redirect url needs to precisely follow this format:
+# https://<your_api_id>.execute-api.<region>.amazonaws.com/<stage>/swagger?format=oauth2-redirect
+app.enable_swagger(
+    oauth2_config=oauth2,
+    security_schemes={
+        "oauth": OAuth2(
+            flows=OAuthFlows(
+                authorizationCode=OAuthFlowAuthorizationCode(
+                    authorizationUrl="https://your-cognito-domain.eu-central-1.amazoncognito.com/oauth2/authorize",
+                    tokenUrl="https://your-cognito-domain.eu-central-1.amazoncognito.com/oauth2/token",
+                ),
+            ),
+        ),
+    },
+    security=[{"oauth": []}],
+)
+
+
+@app.get("/")
+def helloworld() -> Response[dict]:
+    logger.info("Hello, World!")
+    return Response(
+        status_code=200,
+        body={"message": "Hello, World"},
+        content_type="application/json",
+    )
+
+
+@logger.inject_lambda_context(log_event=True)
+@tracer.capture_lambda_handler
+def lambda_handler(event, context):
+    return app.resolve(event, context)