Bug: APIGatewayAuthorizerResponse cannot be used for Websocket $connect #5800

deuscapturus · 2024-12-27T15:50:41Z

Expected Behaviour

the allow_route() and allow_all_routes() methods in APIGatewayAuthorizerResponse do not create a valid policy statement for a Websocket connection. These methods should work with websocket connections or some other Response class should be created for websocket responses.

Current Behaviour

Using this class to authorize a websocket connection with allow methods will always result in 403 Unauthorized

Code snippet

@event_source(data_class=APIGatewayAuthorizerRequestEvent)
def handler(event: APIGatewayAuthorizerRequestEvent, context: LambdaContext) -> dict:

    response = APIGatewayAuthorizerResponse(
        aws_account_id=event.parsed_arn.aws_account_id,
        api_id=event.parsed_arn.api_id,
        stage=event.parsed_arn.stage,
        region=event.parsed_arn.region,
        principal_id='ws-tut-user',
        context={"principalId": "ws-tut-user"},
        partition=event.parsed_arn.partition,
    )
   response.allow_all_routes()
   return response.asdict()

Results in resource ['arn:aws:execute-api:us-east-1:1234567891:111aaa222b/prod/*/*'] which doesn't match arn:aws:execute-api:us-east-1:1234567891:111aaa222b/prod/$connect and results in a 403 error.

Possible Solution

WORKAROUND

response._allow_routes.append({"resourceArn": event.method_arn})

Steps to Reproduce

_

Powertools for AWS Lambda (Python) version

3.4.0

AWS Lambda function runtime

3.12

Packaging format used

PyPi

Debugging logs

The text was updated successfully, but these errors were encountered:

boring-cyborg · 2024-12-27T15:50:44Z

Thanks for opening your first issue here! We'll come back to you as soon as we can.
In the meantime, check out the #python channel on our Powertools for AWS Lambda Discord: Invite link

leandrodamascena · 2024-12-28T14:26:47Z

Hi @deuscapturus! Thanks for opening this issue.

Let me check the code to see what's going on, but based on your investigation, I see that the /prod/*/* route will not match /prod/$connect and so it will fail.

leandrodamascena · 2025-02-08T21:51:38Z

Hi @deuscapturus! We are working on this PR #6058 to add the new class APIGatewayAuthorizerResponseWebSocket to handle specifics of WebSocket events and solve the issue of when authorizing or denying routes.

I hope to have this available in the next release, which is expected on 11/02/2025.

github-actions · 2025-02-10T12:14:20Z

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions · 2025-02-11T11:32:21Z

This is now released under 3.6.0 version!

deuscapturus added bug Something isn't working triage Pending triage from maintainers labels Dec 27, 2024

github-project-automation bot added this to Powertools for AWS Lambda (Python) Dec 27, 2024

github-project-automation bot moved this to Triage in Powertools for AWS Lambda (Python) Dec 27, 2024

leandrodamascena moved this from Triage to Working on it in Powertools for AWS Lambda (Python) Dec 28, 2024

leandrodamascena self-assigned this Dec 28, 2024

leandrodamascena added event_sources Event Source Data Class utility and removed triage Pending triage from maintainers labels Dec 28, 2024

leandrodamascena moved this from Working on it to Backlog in Powertools for AWS Lambda (Python) Feb 2, 2025

leandrodamascena moved this from Backlog to Working on it in Powertools for AWS Lambda (Python) Feb 4, 2025

leandrodamascena mentioned this issue Feb 8, 2025

feat(event_source): add class APIGatewayAuthorizerResponseWebSocket #6058

Merged

7 tasks

leandrodamascena linked a pull request Feb 8, 2025 that will close this issue

feat(event_source): add class APIGatewayAuthorizerResponseWebSocket #6058

Merged

7 tasks

leandrodamascena closed this as completed in #6058 Feb 10, 2025

github-project-automation bot moved this from Working on it to Coming soon in Powertools for AWS Lambda (Python) Feb 10, 2025

github-actions bot added the pending-release Fix or implementation already in dev waiting to be released label Feb 10, 2025

github-actions bot removed the pending-release Fix or implementation already in dev waiting to be released label Feb 11, 2025

leandrodamascena moved this from Coming soon to Shipped in Powertools for AWS Lambda (Python) Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: APIGatewayAuthorizerResponse cannot be used for Websocket $connect #5800

Bug: APIGatewayAuthorizerResponse cannot be used for Websocket $connect #5800

deuscapturus commented Dec 27, 2024 •

edited

Loading

boring-cyborg bot commented Dec 27, 2024

leandrodamascena commented Dec 28, 2024

leandrodamascena commented Feb 8, 2025

github-actions bot commented Feb 10, 2025

github-actions bot commented Feb 11, 2025

Bug: APIGatewayAuthorizerResponse cannot be used for Websocket $connect #5800

Bug: APIGatewayAuthorizerResponse cannot be used for Websocket $connect #5800

Comments

deuscapturus commented Dec 27, 2024 • edited Loading

Expected Behaviour

Current Behaviour

Code snippet

Possible Solution

WORKAROUND

Steps to Reproduce

Powertools for AWS Lambda (Python) version

AWS Lambda function runtime

Packaging format used

Debugging logs

boring-cyborg bot commented Dec 27, 2024

leandrodamascena commented Dec 28, 2024

leandrodamascena commented Feb 8, 2025

github-actions bot commented Feb 10, 2025

⚠️COMMENT VISIBILITY WARNING⚠️

github-actions bot commented Feb 11, 2025

deuscapturus commented Dec 27, 2024 •

edited

Loading