Unauthenticated and authenticated APIs with Cognito

Time: 2019-05-07 16:42:09

Tags: aws-lambda amazon-cognito amazon-iam serverless-framework serverless

I followed the https://serverless-stack.com tutorial to create an "events" API. An admin creates an event and can then set an attribute to "published" to allow guests to view those events.

This works well, and I have the backend set up. Now I need to create a frontend calendar that fetches all published: true events. I created a service called getPublished that will fetch the published events.

I want to allow guest/unauthenticated users to access this service while requiring authentication for all other routes (apart from listPublished, but I can figure that out once I've worked out getPublished).

service: events-app-api

# Use the serverless-webpack plugin to transpile ES6
plugins:
  - serverless-webpack
  - serverless-offline

# serverless-webpack configuration
# Enable auto-packing of external modules
custom:
  webpack:
    webpackConfig: ./webpack.config.js
    includeModules: true

provider:
  name: aws
  runtime: nodejs8.10
  stage: prod
  region: us-east-1

  # 'iamRoleStatements' defines the permission policy for the Lambda function.
  # In this case Lambda functions are granted with permissions to access DynamoDB.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: "arn:aws:dynamodb:us-east-1:*:*"

functions:
  # Defines an HTTP API endpoint that calls the main function in create.js
  # - path: url path is /events
  # - method: POST request
  # - cors: enabled CORS (Cross-Origin Resource Sharing) for browser cross
  #     domain api call
  # - authorizer: authenticate using the AWS IAM role
  create:
    handler: create.main
    events:
      - http:
          path: events
          method: post
          cors: true
          authorizer: aws_iam

  get:
    # Defines an HTTP API endpoint that calls the main function in get.js
    # - path: url path is /events/{id}
    # - method: GET request
    handler: get.main
    events:
      - http:
          path: events/{id}
          method: get
          cors: true
          authorizer: aws_iam

  getPublic:
    # Defines an HTTP API endpoint that calls the main function in getPublic.js
    # - path: url path is /public/events/{id}
    # - method: GET request
    # - no authorizer: this route is callable by unauthenticated users
    handler: getPublic.main
    events:
      - http:
          path: public/events/{id}
          method: get
          cors: true

  list:
    # Defines an HTTP API endpoint that calls the main function in list.js
    # - path: url path is /events
    # - method: GET request
    handler: list.main
    events:
      - http:
          path: events
          method: get
          cors: true
          authorizer: aws_iam

  listPublic:
    # Defines an HTTP API endpoint that calls the main function in listPublic.js
    # - path: url path is /public/events
    # - method: GET request
    # - no authorizer: this route is callable by unauthenticated users
    handler: listPublic.main
    events:
      - http:
          path: public/events
          method: get
          cors: true

  update:
    # Defines an HTTP API endpoint that calls the main function in update.js
    # - path: url path is /events/{id}
    # - method: PUT request
    handler: update.main
    events:
      - http:
          path: events/{id}
          method: put
          cors: true
          authorizer: aws_iam

  delete:
    # Defines an HTTP API endpoint that calls the main function in delete.js
    # - path: url path is /events/{id}
    # - method: DELETE request
    handler: delete.main
    events:
      - http:
          path: events/{id}
          method: delete
          cors: true
          authorizer: aws_iam

# Create our resources with separate CloudFormation templates
resources:
  # API Gateway Errors
  - ${file(resources/api-gateway-errors.yml)}

1 answer:

Answer 0 (score: 1)

When you define a service in the Serverless Framework, you specify its behaviour in the serverless.yml file, for example (from their Get Note chapter):

  get:
    handler: get.main
    events:
      - http:
          path: notes/{id}
          method: get
          cors: true
          authorizer: aws_iam

The authorizer: aws_iam line is what configures the lambda function to use an authorizer (in this case, an IAM role).

If you remove this line, the function will be deployed without an authorizer. A function without an authorizer can be invoked by anyone.

This configuration is specific to each function, so you can remove the authorizer from one specification and leave it in another.

So in your case (without the code, I'm just guessing), all you need to do is remove the authorizer line from the getPublished specification.
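Added example, not from the question or the serverless-stack tutorial: once the authorizer is dropped from the public/events/{id} route, nothing upstream checks who is calling, so the handler itself has to enforce published: true and return only guest-safe fields. The record shape, the getItem injection and the sample table are assumptions.

```javascript
// Added example (not from the question or the serverless-stack tutorial):
// handler for the unauthenticated public/events/{id} route. With no
// authorizer on the route, the handler must refuse to return anything that
// is not published: true. Assumed record shape:
// { eventId, title, startsAt, published, ownerId }.

// Fields a guest may see. Internal fields (ownerId etc.) are dropped, not echoed.
function publicView(item) {
  return { eventId: item.eventId, title: item.title, startsAt: item.startsAt };
}

// Map a fetched record to an HTTP response. A missing and an unpublished record
// both give 404, so guests cannot probe which ids exist but are unpublished.
function buildPublicResponse(item) {
  const headers = { 'Access-Control-Allow-Origin': '*' }; // route has cors: true
  if (!item || item.published !== true) {
    return { statusCode: 404, headers, body: JSON.stringify({ status: false }) };
  }
  return { statusCode: 200, headers, body: JSON.stringify(publicView(item)) };
}

// Lambda entry point (handler: getPublic.main). getItem is injected so the
// logic runs without AWS; in deployment it would wrap DynamoDB GetItem on the
// events table, keyed by the {id} path parameter.
async function main(event, getItem) {
  const eventId = event.pathParameters && event.pathParameters.id;
  if (!eventId) {
    return { statusCode: 400, body: JSON.stringify({ status: false }) };
  }
  const result = await getItem({ Key: { eventId } });
  return buildPublicResponse(result.Item);
}

// Constructed sample table standing in for DynamoDB in a stand-alone run.
const SAMPLE_TABLE = {
  'ev-1': { eventId: 'ev-1', title: 'Open day', startsAt: '2019-06-01', published: true, ownerId: 'admin-1' },
  'ev-2': { eventId: 'ev-2', title: 'Draft', startsAt: '2019-07-01', published: false, ownerId: 'admin-1' },
};
const fakeGetItem = async ({ Key }) => ({ Item: SAMPLE_TABLE[Key.eventId] });

// Export the handler for the Serverless runtime when loaded as a CommonJS module.
if (typeof module !== 'undefined') {
  module.exports = { main, buildPublicResponse, publicView };
}
```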