无服务器框架 - 具有授权者 COGNITO_USER_POOLS 的 Lambda 函数始终返回“未经授权”

Question

我不明白我的授权有什么问题。

我有一个 Hello 函数，它只返回一条简单的静态消息。如果我在没有设置“Authorizer”的情况下部署，它就可以工作。我已经在邮递员上进行了测试。当我尝试添加授权者时，问题就出现了。

我的 Cognito 已完全正常工作。在我的前端，我可以注册，然后登录，然后从此登录会话获取令牌。

当我去邮差测试时，我总是得到“未经授权”的答案。在 Postman 上，我测试了 GET 方法，在“标头”选项卡上，我添加了“授权”属性，并粘贴了我从登录会话中获得的令牌值。我还在一些地方推荐的前缀“bearer”的值字段上对此进行了测试。没有成功。

过去一周我一直在努力解决这个问题。请，任何帮助都将非常有用。

serverless.yml

provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: eu-west-1
  environment: 
    MY_TABLE: ${self:custom.myStage}_${self:custom.settings.tb_items}
    MY_STAGE: ${self:custom.myStage}
    MY_DOMAIN: ${self:custom.myDomain}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "dynamodb:GetItem"
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
        - "dynamodb:DeleteItem"
        - "dynamodb:Scan"
      Resource: "*"

functions:
  hello:
    handler: ${self:custom.pathFunc}/phraseOption.hello
    events:
      - http: 
          method: GET 
          path: hello
          cors: true
          integration: lambda-proxy
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer

resources:
  Resources:
    CognitoUserPool:
      Type: "AWS::Cognito::UserPool"
      DeletionPolicy: Retain
      Properties:
        MfaConfiguration: OFF
        UserPoolName: ${self:custom.myStage}_aePool
        EmailVerificationSubject: 'Your verification Code'
        EmailVerificationMessage: 'Use this code to confirm your sign up {####}'
        AutoVerifiedAttributes:
          - email
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: False
            RequireSymbols: False
            RequireUppercase: False
    CognitoUserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      DeletionPolicy: Retain
      Properties:
        ClientName: ${self:custom.myStage}_aePoolClient
        GenerateSecret: False
        UserPoolId:
          Ref: CognitoUserPool
    ApiGatewayAuthorizer: 
      Type: AWS::ApiGateway::Authorizer
      Properties: 
        Name: CognitoUserPool
        Type: COGNITO_USER_POOLS
        IdentitySource: method.request.header.Authorization
        RestApiId: 
          Ref: ApiGatewayRestApi
        ProviderARNs: 
          - Fn::GetAtt:
              - CognitoUserPool
              - Arn

phraseOptions.js

module.exports.hello = (event, context, callback) => {
  const response = {
    statusCode: 200,
    body: JSON.stringify({
      message: 'Your function executed successfully!',
      input: event,
    }),
  };

  callback(null, response);
};

I can see the function was created with the correct Auth:

Also Authorizer create as expected (I guess)

Swagger

---
swagger: "2.0"
info:
  version: "2019-10-07T21:24:17Z"
  title: "XXXXXX"
host: "XXXXXX"
basePath: "/dev"
schemes:
- "https"
paths:
  /getPhrase:
    get:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /hello:
    get:
      responses: {}
      security:
      - CognitoUserPool: []
  /item:
    post:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /item/{itemId}:
    get:
      responses: {}
    put:
      responses: {}
    delete:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /items:
    get:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
securityDefinitions:
  CognitoUserPool:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "cognito_user_pools"

Answer 1

我已经知道出了什么问题了！

服务器端还可以。在 Postman 上测试的问题是 Token。我使用的是“cognitoUser.signInUserSession.accessToken.jwtToken”，但应该是“cognitoUser.signInUserSession.idToken.jwtToken”。

现在一切都按预期进行。