serverless-offline 10.0.1 → 10.1.0

package/README.md

@@ -108,40 +108,151 @@ to list all the options for the plugin run:
 
 All CLI options are optional:
 
-```
---apiKey                    Defines the API key value to be used for endpoints marked as private Defaults to a random hash.
---corsAllowHeaders          Used as default Access-Control-Allow-Headers header value for responses. Delimit multiple values with commas. Default: 'accept,content-type,x-api-key'
---corsAllowOrigin           Used as default Access-Control-Allow-Origin header value for responses. Delimit multiple values with commas. Default: '*'
---corsDisallowCredentials   When provided, the default Access-Control-Allow-Credentials header value will be passed as 'false'. Default: true
---corsExposedHeaders        Used as additional Access-Control-Exposed-Headers header value for responses. Delimit multiple values with commas. Default: 'WWW-Authenticate,Server-Authorization'
---disableCookieValidation   Used to disable cookie-validation on hapi.js-server
---disableScheduledEvents    Disables all scheduled events. Overrides configurations in serverless.yml.
---dockerHost                The host name of Docker. Default: localhost
---dockerHostServicePath     Defines service path which is used by SLS running inside Docker container
---dockerNetwork             The network that the Docker container will connect to
---dockerReadOnly            Marks if the docker code layer should be read only. Default: true
---enforceSecureCookies      Enforce secure cookies
---host                  -o  Host name to listen on. Default: localhost
---httpPort                  Http port to listen on. Default: 3000
---httpsProtocol         -H  To enable HTTPS, specify directory (relative to your cwd, typically your project dir) for both cert.pem and key.pem files
---ignoreJWTSignature        When using HttpApi with a JWT authorizer, don't check the signature of the JWT token. This should only be used for local development.
---lambdaPort                Lambda http port to listen on. Default: 3002
---layersDir                 The directory layers should be stored in. Default: ${codeDir}/.serverless-offline/layers'
---localEnvironment          Copy local environment variables. Default: false
---noAuth                    Turns off all authorizers
---noPrependStageInUrl       Don't prepend http routes with the stage.
---noStripTrailingSlashInUrl Don't strip trailing slash from http routes.
---noTimeout             -t  Disables the timeout feature.
---prefix                -p  Adds a prefix to every path, to send your requests to http://localhost:3000/[prefix]/[your_path] instead. Default: ''
---reloadHandler             Reloads handler with each request.
---resourceRoutes            Turns on loading of your HTTP proxy settings from serverless.yml
---terminateIdleLambdaTime   Number of seconds until an idle function is eligible for termination.
---useDocker                 Run handlers in a docker container.
---useInProcess              Run handlers in the same process as 'serverless-offline'.
---webSocketHardTimeout      Set WebSocket hard timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 7200 (2 hours)
---webSocketIdleTimeout      Set WebSocket idle timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 600 (10 minutes)
---websocketPort             WebSocket port to listen on. Default: 3001
-```
+#### apiKey
+
+_This option is deprecated and will be removed in the next major version. If you want to specify the apiKey value yourself, please define it under 'provider.apiGateway.apiKeys' in the serverless config._
+
+Defines the API key value to be used for endpoints marked as private.<br />
+Defaults to a random value.
+
+#### corsAllowHeaders
+
+Used as default Access-Control-Allow-Headers header value for responses. Delimit multiple values with commas.<br />
+Default: 'accept,content-type,x-api-key'
+
+#### corsAllowOrigin
+
+Used as default Access-Control-Allow-Origin header value for responses. Delimit multiple values with commas.<br />
+Default: '\*'
+
+#### corsDisallowCredentials
+
+When provided, the default Access-Control-Allow-Credentials header value will be passed as 'false'.\
+Default: true
+
+#### corsExposedHeaders
+
+Used as additional Access-Control-Exposed-Headers header value for responses. Delimit multiple values with commas.<br />
+Default: 'WWW-Authenticate,Server-Authorization'
+
+#### disableCookieValidation
+
+Used to disable cookie-validation on hapi.js-server.
+
+#### disableScheduledEvents
+
+Disables all scheduled events. Overrides configurations in serverless.yml.
+
+#### dockerHost
+
+The host name of Docker.<br />
+Default: localhost
+
+#### dockerHostServicePath
+
+Defines service path which is used by SLS running inside Docker container.
+
+#### dockerNetwork
+
+The network that the Docker container will connect to.
+
+#### dockerReadOnly
+
+Marks if the docker code layer should be read only.<br />
+Default: true
+
+#### enforceSecureCookies
+
+Enforce secure cookies
+
+#### host
+
+-o Host name to listen on.<br />
+Default: localhost
+
+#### httpPort
+
+Http port to listen on.<br />
+Default: 3000
+
+#### httpsProtocol
+
+-H To enable HTTPS, specify directory (relative to your cwd, typically your project dir) for both cert.pem and key.pem files.
+
+#### ignoreJWTSignature
+
+When using HttpApi with a JWT authorizer, don't check the signature of the JWT token. This should only be used for local development.
+
+#### lambdaPort
+
+Lambda http port to listen on.<br />
+Default: 3002
+
+#### layersDir
+
+The directory layers should be stored in.<br />
+Default: ${codeDir}/.serverless-offline/layers'
+
+#### localEnvironment
+
+Copy local environment variables.<br />
+Default: false
+
+#### noAuth
+
+Turns off all authorizers.
+
+#### noPrependStageInUrl
+
+Don't prepend http routes with the stage.
+
+#### noStripTrailingSlashInUrl
+
+Don't strip trailing slash from http routes.
+
+#### noTimeout
+
+-t Disables the timeout feature.
+
+#### prefix
+
+-p Adds a prefix to every path, to send your requests to http://localhost:3000/[prefix]/[your_path] instead.<br />
+Default: ''
+
+#### reloadHandler
+
+Reloads handler with each request.
+
+#### resourceRoutes
+
+Turns on loading of your HTTP proxy settings from serverless.yml.
+
+#### terminateIdleLambdaTime
+
+Number of seconds until an idle function is eligible for termination.
+
+#### useDocker
+
+Run handlers in a docker container.
+
+#### useInProcess
+
+Run handlers in the same process as 'serverless-offline'.
+
+#### webSocketHardTimeout
+
+Set WebSocket hard timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table).<br />
+Default: 7200 (2 hours)
+
+#### webSocketIdleTimeout
+
+Set WebSocket idle timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table).<br />
+Default: 600 (10 minutes)
+
+#### websocketPort
+
+WebSocket port to listen on.<br />
+Default: 3001
 
 Any of the CLI options can be added to your `serverless.yml`. For example:
 
@@ -423,11 +534,13 @@ If your authentication needs are custom and not satisfied by the existing capabi
 ```js
 module.exports = function (endpoint, functionKey, method, path) {
   return {
-    getAuthenticateFunction: () => ({
-      async authenticate(request, h) {
-        // your implementation
-      },
-    }),
+    getAuthenticateFunction() {
+      return {
+        async authenticate(request, h) {
+          // your implementation
+        },
+      }
+    },
 
     name: 'your strategy name',
     scheme: 'your scheme name',

package/package.json

@@ -1,7 +1,7 @@
 {
   "dedicatedTo": "Blue, a great migrating bird.",
   "name": "serverless-offline",
-  "version": "10.0.1",
+  "version": "10.1.0",
   "description": "Emulate AWS λ and API Gateway locally when developing your Serverless project",
   "license": "MIT",
   "exports": {
@@ -23,12 +23,13 @@
     "prettify": "prettier --write --ignore-path .gitignore \"**/*.{css,html,js,json,md,yaml,yml}\"",
     "prettify:updated": "pipe-git-updated --ext=css --ext=html --ext=js --ext=json --ext=md --ext=yaml --ext=yml -- prettier --write",
     "test": "mocha --require ./tests/mochaHooks.cjs",
-    "test:jest": "npm run build && jest --verbose --silent --runInBand",
-    "test:cov": "npm run build && jest --coverage --silent --runInBand --collectCoverageFrom=src/**/*.js",
-    "test:log": "npm run build && jest --verbose",
-    "test:noBuild": "jest --verbose --runInBand --bail",
-    "test:unit": "jest --verbose --silent --runInBand --config jest.config.units.js",
-    "test:watch": "SKIP_SETUP=true jest --verbose --watch"
+    "test:cov": "NODE_OPTIONS='--experimental-loader @istanbuljs/esm-loader-hook' nyc --reporter=html npm test",
+    "old-test:jest": "npm run build && jest --verbose --silent --runInBand",
+    "old-test:cov": "npm run build && jest --coverage --silent --runInBand --collectCoverageFrom=src/**/*.js",
+    "old-test:log": "npm run build && jest --verbose",
+    "old-test:noBuild": "jest --verbose --runInBand --bail",
+    "old-test:unit": "jest --verbose --silent --runInBand --config jest.config.units.js",
+    "old-test:watch": "SKIP_SETUP=true jest --verbose --watch"
   },
   "repository": {
     "type": "git",
@@ -53,107 +54,6 @@
     "websocket"
   ],
   "author": "David Hérault <dherault@gmail.com> (https://github.com/dherault)",
-  "contributors": [
-    "Adam Sweeting (https://github.com/adamelliottsweeting)",
-    "Adrien (https://github.com/AdrienGiboire)",
-    "Al Pal (https://github.com/againer)",
-    "Alessandro Palumbo (https://github.com/apalumbo)",
-    "Alex Blythe (https://github.com/ablythe)",
-    "allenhartwig (https://github.com/allenhartwig)",
-    "Andre Rabold (https://github.com/arabold)",
-    "Andrei Popovici (https://github.com/andreipopovici)",
-    "Anthony Liatsis (https://github.com/aliatsis)",
-    "Austen (https://github.com/ac360)",
-    "Austin Payne (https://github.com/austin-payne)",
-    "Ayush Gupta (https://github.com/AyushG3112)",
-    "Ben Cooling (https://github.com/bencooling)",
-    "Bob Thomas (https://github.com/bob-thomas)",
-    "Brandon Evans (https://github.com/BrandonE)",
-    "Cameron Cooper (https://github.com/cameroncooper)",
-    "Chris Trevino (https://github.com/darthtrevino)",
-    "Chris Watson (https://github.com/c24w)",
-    "Christoph Gysin (https://github.com/christophgysin)",
-    "Damon Williams (https://github.com/footballencarta)",
-    "Daniel Cottone <daniel.cottone@gmail.com> (https://github.com/daniel-cottone)",
-    "Daniel Parker (https://github.com/rlgod)",
-    "Dave Sole (https://github.com/dsole)",
-    "David Bunker (https://github.com/dbunker)",
-    "demetriusnunes (https://github.com/demetriusnunes)",
-    "DJCrabhat (https://github.com/djcrabhat)",
-    "Domas Lasauskas (https://github.com/domaslasauskas)",
-    "Dustin Belliston (https://github.com/dwbelliston)",
-    "Echo Nolan (https://github.com/enolan)",
-    "Egor Kislitsyn (https://github.com/minibikini)",
-    "Elliott Spira (https://github.com/em0ney)",
-    "Ethan Moistner (https://github.com/emmoistner)",
-    "Francis Upton IV (https://github.com/francisu)",
-    "Francisco Guimarães (https://github.com/franciscocpg)",
-    "G Roques (https://github.com/gbroques)",
-    "Gabriel Verdi (https://github.com/ansraliant)",
-    "Garun Vagidov (https://github.com/garunski)",
-    "Gert Jansen van Rensburg (https://github.com/gertjvr)",
-    "Guillaume Carbonneau (https://github.com/guillaume)",
-    "György Balássy (https://github.com/balassy)",
-    "James Relyea (https://github.com/james-relyea)",
-    "Jarda Snajdr (https://github.com/jsnajdr)",
-    "Jaryd Carolin (https://github.com/horyd)",
-    "Jeff Hall (https://github.com/electrikdevelopment)",
-    "jgilbert01 (https://github.com/jgilbert01)",
-    "Joaquin Ormaechea (https://github.com/jormaechea)",
-    "John McKim (https://github.com/johncmckim)",
-    "Jonas De Kegel (https://github.com/jlsjonas)",
-    "Joost Farla (https://github.com/joostfarla)",
-    "Joubert RedRat (https://github.com/joubertredrat)",
-    "Juanjo Diaz (https://github.com/juanjoDiaz)",
-    "Kaj Wiklund (https://github.com/kajwiklund)",
-    "Kiryl Yermakou (https://github.com/rma4ok)",
-    "kobanyan (https://github.com/kobanyan)",
-    "Leonardo Alifraco (https://github.com/lalifraco-devspark)",
-    "Leonardo Medici (https://github.com/doclm)",
-    "Luciano Jesus Lima (https://github.com/brazilianbytes)",
-    "Luke Chavers (https://github.com/vmadman)",
-    "Manuel Böhm (https://github.com/boehmers)",
-    "Marc Campbell (https://github.com/marccampbell)",
-    "Marco Lüthy (https://github.com/adieuadieu)",
-    "Mark Tse (https://github.com/neverendingqs)",
-    "Martin Micunda (https://github.com/martinmicunda)",
-    "Matt Hodgson (https://github.com/mhodgson)",
-    "Matt Jonker (https://github.com/msjonker)",
-    "Melvin Vermeer (https://github.com/melvinvermeer)",
-    "Michael MacDonald (https://github.com/mjmac)",
-    "Miso (Mike) Zmiric (https://github.com/mzmiric5)",
-    "Niall Riordan (https://github.com/njriordan)",
-    "Norimitsu Yamashita (https://github.com/nori3tsu)",
-    "Oliv (https://github.com/obearn)",
-    "Paul Esson (https://github.com/thepont)",
-    "Paul Pasmanik (https://github.com/ppasmanik)",
-    "Piotr Gasiorowski (https://github.com/WooDzu)",
-    "polaris340 (https://github.com/polaris340)",
-    "Quenby Mitchell (https://github.com/qswinson)",
-    "Ram Hardy (https://github.com/computerpunc)",
-    "Ramon Emilio Savinon (https://github.com/vaberay)",
-    "Rob Brazier (https://github.com/robbrazier)",
-    "Rowell Belen (https://github.com/bytekast)",
-    "Russell Schick (https://github.com/rschick)",
-    "Ryan Zhang (https://github.com/ryanzyy)",
-    "Selcuk Cihan (https://github.com/selcukcihan)",
-    "Shaun (https://github.com/starsprung)",
-    "Shine Li (https://github.com/shineli)",
-    "Stefan Siegl (https://github.com/stesie)",
-    "Stewart Gleadow (https://github.com/sgleadow)",
-    "Thales Minussi (https://github.com/tminussi)",
-    "Thang Minh Vu (https://github.com/ittus)",
-    "Tom St. Clair (https://github.com/tom-stclair)",
-    "Trevor Leach (https://github.com/trevor-leach)",
-    "Tuan Minh Huynh (https://github.com/tuanmh)",
-    "Utku Turunc (https://github.com/utkuturunc)",
-    "Vasiliy Solovey (https://github.com/miltador)",
-    "Dima Krutolianov (https://github.com/dimadk24)",
-    "Bryan Vaz (https://github.com/bryanvaz)",
-    "Justin Ng (https://github.com/njyjn)",
-    "Fernando Alvarez (https://github.com/jefer590)",
-    "Eric Carter (https://github.com/ericctsf)"
-  ],
   "engines": {
     "node": ">=14.18.0"
   },
@@ -186,7 +86,7 @@
     "@hapi/h2o2": "^9.1.0",
     "@hapi/hapi": "^20.2.2",
     "@serverless/utils": "^6.7.0",
-    "aws-sdk": "^2.1213.0",
+    "aws-sdk": "^2.1215.0",
     "boxen": "^7.0.0",
     "chalk": "^5.0.1",
     "execa": "^6.1.0",
@@ -207,8 +107,9 @@
     "ws": "^8.8.1"
   },
   "devDependencies": {
+    "@istanbuljs/esm-loader-hook": "^0.2.0",
     "archiver": "^5.3.1",
-    "eslint": "^8.23.0",
+    "eslint": "^8.23.1",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.25.4",
@@ -217,6 +118,7 @@
     "husky": "^8.0.1",
     "lint-staged": "^13.0.3",
     "mocha": "^10.0.0",
+    "nyc": "^15.1.0",
     "prettier": "^2.7.1",
     "serverless": "^3.22.0",
     "standard-version": "^9.5.0"

package/src/ServerlessOffline.js

@@ -6,7 +6,8 @@ import {
   defaultOptions,
   SERVER_SHUTDOWN_TIMEOUT,
 } from './config/index.js'
-import { gray } from './config/colors.js'
+import { gray, orange } from './config/colors.js'
+import { createApiKey } from './utils/index.js'
 
 export default class ServerlessOffline {
   #cliOptions = null
@@ -320,6 +321,7 @@ export default class ServerlessOffline {
             }
 
             httpEvent.http.isHttpApi = true
+
             if (
               functionDefinition.httpApi &&
               functionDefinition.httpApi.payload
@@ -358,14 +360,26 @@ export default class ServerlessOffline {
 
     // for simple API Key authentication model
     if (hasPrivateHttpEvent) {
+      if (this.#options.apiKey) {
+        log.notice()
+        log.warning(
+          orange(`'--apiKey' is deprecated and will be removed in the next major version.
+  Please define the apiKey value in the 'provider.apiGateway.apiKeys' section of the serverless config.
+  If you are experiencing any issues please let us know: https://github.com/dherault/serverless-offline/issues`),
+        )
+        log.notice()
+      } else {
+        this.#options.apiKey = createApiKey()
+      }
+
       log.notice(`Key with token: ${this.#options.apiKey}`)
 
       if (this.#options.noAuth) {
         log.notice(
-          'Authorizers are turned off. You do not need to use x-api-key header.',
+          `Authorizers are turned off. You do not need to use 'x-api-key' header.`,
         )
       } else {
-        log.notice('Remember to use x-api-key on the request headers')
+        log.notice(`Remember to use 'x-api-key' on the request headers.`)
       }
     }
 

package/src/config/commandOptions.js

@@ -2,7 +2,7 @@ export default {
   apiKey: {
     type: 'string',
     usage:
-      'Defines the API key value to be used for endpoints marked as private. Defaults to a random hash.',
+      '[This option is deprecated] Defines the API key value to be used for endpoints marked as private. Defaults to a random hash.',
   },
   corsAllowHeaders: {
     type: 'string',

package/src/config/defaultOptions.js

@@ -1,7 +1,5 @@
-import { createApiKey } from '../utils/index.js'
-
 export default {
-  apiKey: createApiKey(),
+  apiKey: null,
   corsAllowHeaders: 'accept,content-type,x-api-key,authorization',
   corsAllowOrigin: '*',
   corsDisallowCredentials: true,

package/src/events/http/HttpServer.js

@@ -24,6 +24,7 @@ import logRoutes from '../../utils/logRoutes.js'
 import {
   detectEncoding,
   generateHapiPath,
+  getApiKeysValues,
   getHttpApiCorsConfig,
   jsonPath,
   splitHandlerPathAndName,
@@ -33,6 +34,8 @@ const { parse, stringify } = JSON
 const { assign, entries, keys } = Object
 
 export default class HttpServer {
+  #apiKeysValues = null
+
   #lambda = null
 
   #options = null
@@ -44,6 +47,10 @@ export default class HttpServer {
   #terminalInfo = []
 
   constructor(serverless, options, lambda) {
+    this.#apiKeysValues = getApiKeysValues(
+      serverless.service.provider.apiGateway?.apiKeys ?? [],
+    )
+
     this.#lambda = lambda
     this.#options = options
     this.#serverless = serverless
@@ -418,17 +425,22 @@ export default class HttpServer {
       ) {
         const errorResponse = () =>
           h
-            .response({ message: 'Forbidden' })
+            .response({
+              message: 'Forbidden',
+            })
             .code(403)
-            .type('application/json')
             .header('x-amzn-ErrorType', 'ForbiddenException')
+            .type('application/json')
 
-        const requestToken = request.headers['x-api-key']
+        const apiKey = request.headers['x-api-key']
 
-        if (requestToken) {
-          if (requestToken !== this.#options.apiKey) {
+        if (apiKey) {
+          if (
+            apiKey !== this.#options.apiKey &&
+            !this.#apiKeysValues.has(apiKey)
+          ) {
             log.debug(
-              `Method ${method} of function ${functionKey} token ${requestToken} not valid`,
+              `Method ${method} of function ${functionKey} token ${apiKey} not valid`,
             )
 
             return errorResponse()
@@ -823,6 +835,7 @@ export default class HttpServer {
         const parseCookies = (headerValue) => {
           const cookieName = headerValue.slice(0, headerValue.indexOf('='))
           const cookieValue = headerValue.slice(headerValue.indexOf('=') + 1)
+
           h.state(cookieName, cookieValue, {
             encoding: 'none',
             strictHeader: false,

package/src/lambda/handler-runner/worker-thread-runner/workerThreadHelper.js

@@ -4,21 +4,20 @@ import InProcessRunner from '../in-process-runner/index.js'
 
 const { functionKey, handler, servicePath, timeout, codeDir } = workerData
 
+const inProcessRunner = new InProcessRunner(
+  {
+    codeDir,
+    functionKey,
+    handler,
+    servicePath,
+    timeout,
+  },
+  env,
+)
+
 parentPort.on('message', async (messageData) => {
   const { context, event, port } = messageData
 
-  // TODO we could probably cache this in the module scope?
-  const inProcessRunner = new InProcessRunner(
-    {
-      codeDir,
-      functionKey,
-      handler,
-      servicePath,
-      timeout,
-    },
-    env,
-  )
-
   let result
 
   try {

package/src/utils/getApiKeysValues.js

@@ -0,0 +1,7 @@
+export default function getApiKeysValues(apiKeys) {
+  return new Set(
+    apiKeys
+      .filter((apiKey) => typeof apiKey === 'object' && apiKey.value != null)
+      .map(({ value }) => value),
+  )
+}

package/src/utils/index.js

@@ -5,6 +5,7 @@ export { default as createUniqueId } from './createUniqueId.js'
 export { default as detectExecutable } from './detectExecutable.js'
 export { default as formatToClfTime } from './formatToClfTime.js'
 export { default as generateHapiPath } from './generateHapiPath.js'
+export { default as getApiKeysValues } from './getApiKeysValues.js'
 export { default as getHttpApiCorsConfig } from './getHttpApiCorsConfig.js'
 export { default as jsonPath } from './jsonPath.js'
 export { default as lowerCaseKeys } from './lowerCaseKeys.js'