MCR-3835: Attach lambda authorizer to api gateway endpoint #2152

Merged
merged 3 commits into from
Jan 9, 2024

Contributor

@pearl-truss pearl-truss commented Jan 5, 2024

Summary

New graphql_external endpoint created. This is a copy of the graphql endpoint with the following changes:

  • Only has a get method. I believe we said we would limit 3rd parties to queries for now. I added in the post method because the language in https://qmacbis.atlassian.net/browse/MCR-3836 makes it seem like it's something we will eventually implement
  • URL path to invoke is v1/graphql/external per eng notes on the ticket
  • 3rd party authorizer is attached

Related issues

https://qmacbis.atlassian.net/browse/MCR-3835

QA guidance

I tested locally with curl

curl \
  --request GET \
  --header "Accept: text/javascript" \
  --header "Authorization: Bearer {token}" \
  --data '{"query": "query { indexHealthPlanPackage { totalCount edges{} } }"}' \
http://127.0.0.1:3030/local/v1/graphql/external

With a valid token an apollo error is returned

Context creation failed: Log: placing user in gql context failed"," at ApolloServer.context.

I believe this error will resolve after https://qmacbis.atlassian.net/browse/MCR-3836 is completed

With an invalid token a permission error is returned

"error":"Forbidden","message":"No principalId set on the Response"
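
The invalid-token response quoted above reports that the authorizer's result had no principalId. As an added example (not from this PR or the project's code), the following shows the result shape a REST API TOKEN authorizer returns, with every rejection path still carrying a principalId and an explicit Deny. `verifyToken`, `sampleVerify`, the token value and the ARN are constructed assumptions.

```javascript
// Added example: result contract for an API Gateway Lambda TOKEN authorizer.
// verifyToken is a hypothetical callback: it returns a user id string for a
// valid token, or null otherwise (signature and expiry checks live there).

// Pull the token out of "Bearer <token>"; any other header shape is rejected.
function extractBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return match ? match[1] : null;
}

// Build the object API Gateway expects back: principalId plus an IAM policy.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
  };
}

// Decide Allow or Deny. Every path returns a principalId, so a rejected
// token produces an explicit Deny instead of a malformed authorizer result.
function authorize(event, verifyToken) {
  const token = extractBearer(event.authorizationToken);
  let userId = null;
  try {
    userId = token ? verifyToken(token) : null;
  } catch {
    userId = null; // fail closed if the verifier itself errors
  }
  const effect = userId ? 'Allow' : 'Deny';
  return buildPolicy(userId || 'anonymous', effect, event.methodArn);
}

// Constructed sample data, for illustration only.
const SAMPLE_ARN =
  'arn:aws:execute-api:us-east-1:123456789012:abc123/local/GET/v1/graphql/external';
const sampleVerify = (t) => (t === 'constructed-valid-token' ? 'third-party-1' : null);

// Lambda entry point for the authorizer (export this as the handler).
async function handler(event) {
  return authorize(event, sampleVerify);
}
```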

@pearl-truss pearl-truss changed the title from "hook authorizer to api gateway endpoint" to "MCR-3835: Attach lambda authorizer to api gateway endpoint" Jan 5, 2024
@pearl-truss pearl-truss marked this pull request as ready for review January 5, 2024 14:38
Contributor

@macrael macrael left a comment

I didn't think about this when doing the separate jwthealth lambda, but if we can just add these as separate events using a different authorizer to our existing lambda, rather than having to clone the whole lambda, that would be nice.

graphql_external:
handler: src/handlers/apollo_gql.graphqlHandler
events:
- http:
Contributor

Could these events be inside the regular graphql lambda or do they need to be their own lambda?

Contributor Author

I confirmed it works when combined with the regular graphql lambda. I think this falls under "lambda proxy integration", which is the default used with serverless.

@pearl-truss pearl-truss merged commit 98bb5ef into main Jan 9, 2024
27 checks passed
@pearl-truss pearl-truss deleted the mcr-3835-attach-lambda-authorizer branch January 9, 2024 17:06