serverless-offline 10.2.0 → 10.3.0

package/README.md

@@ -141,6 +141,8 @@ Used to disable cookie-validation on hapi.js-server.
 
 #### disableScheduledEvents
 
+_This option is deprecated and will be removed in the next major version. If you want to disable the event, please define it in the 'events.schedule.enabled' section of the serverless config._
+
 Disables all scheduled events. Overrides configurations in serverless.yml.
 
 #### dockerHost

package/package.json

@@ -1,7 +1,7 @@
 {
   "dedicatedTo": "Blue, a great migrating bird.",
   "name": "serverless-offline",
-  "version": "10.2.0",
+  "version": "10.3.0",
   "description": "Emulate AWS λ and API Gateway locally when developing your Serverless project",
   "license": "MIT",
   "exports": {
@@ -86,16 +86,16 @@
     "@hapi/h2o2": "^9.1.0",
     "@hapi/hapi": "^20.2.2",
     "@serverless/utils": "^6.7.0",
-    "aws-sdk": "^2.1222.0",
+    "aws-sdk": "^2.1223.0",
     "boxen": "^7.0.0",
     "chalk": "^5.0.1",
     "execa": "^6.1.0",
     "fs-extra": "^10.1.0",
     "java-invoke-local": "0.0.6",
+    "jose": "^4.9.3",
     "js-string-escape": "^1.0.1",
     "jsonpath-plus": "^7.2.0",
     "jsonschema": "^1.4.1",
-    "jsonwebtoken": "^8.5.1",
     "jszip": "^3.10.1",
     "luxon": "^3.0.3",
     "node-fetch": "^3.2.10",
@@ -109,7 +109,7 @@
   "devDependencies": {
     "@istanbuljs/esm-loader-hook": "^0.2.0",
     "archiver": "^5.3.1",
-    "eslint": "^8.23.1",
+    "eslint": "^8.24.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.25.4",

package/src/ServerlessOffline.js

@@ -7,7 +7,6 @@ import {
   SERVER_SHUTDOWN_TIMEOUT,
 } from './config/index.js'
 import { gray, orange } from './config/colors.js'
-import { createApiKey } from './utils/index.js'
 
 export default class ServerlessOffline {
   #cliOptions = null
@@ -62,12 +61,22 @@ export default class ServerlessOffline {
   async start() {
     this.#mergeOptions()
 
+    if (this.#options.disableScheduledEvents) {
+      log.notice()
+      log.warning(
+        orange(`'--disableScheduledEvents' is deprecated and will be removed in the next major version.
+Please disable the event in the 'events.schedule.enabled' section of the serverless config.
+If you are experiencing any issues please let us know: https://github.com/dherault/serverless-offline/issues`),
+      )
+      log.notice()
+    }
+
     const { httpEvents, lambdas, scheduleEvents, webSocketEvents } =
       this.#getEvents()
 
-    // if (lambdas.length > 0) {
-    await this.#createLambda(lambdas)
-    // }
+    if (lambdas.length > 0) {
+      await this.#createLambda(lambdas)
+    }
 
     const eventModules = []
 
@@ -266,8 +275,6 @@ export default class ServerlessOffline {
 
     const functionKeys = service.getAllFunctions()
 
-    let hasPrivateHttpEvent = false
-
     functionKeys.forEach((functionKey) => {
       const functionDefinition = service.getFunction(functionKey)
 
@@ -337,10 +344,6 @@ export default class ServerlessOffline {
             }
           }
 
-          if (http?.private) {
-            hasPrivateHttpEvent = true
-          }
-
           httpEvents.push(httpEvent)
         }
 
@@ -360,31 +363,6 @@ export default class ServerlessOffline {
       })
     })
 
-    // for simple API Key authentication model
-    if (hasPrivateHttpEvent) {
-      if (this.#options.apiKey) {
-        log.notice()
-        log.warning(
-          orange(`'--apiKey' is deprecated and will be removed in the next major version.
-  Please define the apiKey value in the 'provider.apiGateway.apiKeys' section of the serverless config.
-  If you are experiencing any issues please let us know: https://github.com/dherault/serverless-offline/issues`),
-        )
-        log.notice()
-      } else {
-        this.#options.apiKey = createApiKey()
-      }
-
-      log.notice(`Key with token: ${this.#options.apiKey}`)
-
-      if (this.#options.noAuth) {
-        log.notice(
-          `Authorizers are turned off. You do not need to use 'x-api-key' header.`,
-        )
-      } else {
-        log.notice(`Remember to use 'x-api-key' on the request headers.`)
-      }
-    }
-
     return {
       httpEvents,
       lambdas,

package/src/config/commandOptions.js

@@ -22,46 +22,46 @@ export default {
   corsExposedHeaders: {
     type: 'string',
     usage:
-      'Used to build the Access-Control-Exposed-Headers response header for CORS support',
+      'Used to build the Access-Control-Exposed-Headers response header for CORS support.',
   },
   disableCookieValidation: {
     type: 'boolean',
-    usage: 'Used to disable cookie-validation on hapi.js-server',
+    usage: 'Used to disable cookie-validation on hapi.js-server.',
   },
   disableScheduledEvents: {
     type: 'boolean',
     usage:
-      'Disables all scheduled events. Overrides configurations in serverless.yml. Default: false',
+      '[This option is deprecated] Disables all scheduled events. Overrides configurations in serverless.yml. Default: false.',
   },
   dockerHost: {
     type: 'string',
-    usage: 'The host name of Docker. Default: localhost',
+    usage: 'The host name of Docker. Default: localhost.',
   },
   dockerHostServicePath: {
     type: 'string',
     usage:
-      'Defines service path which is used by SLS running inside Docker container',
+      'Defines service path which is used by SLS running inside Docker container.',
   },
   dockerNetwork: {
     type: 'string',
-    usage: 'The network that the Docker container will connect to',
+    usage: 'The network that the Docker container will connect to.',
   },
   dockerReadOnly: {
     type: 'boolean',
-    usage: 'Marks if the docker code layer should be read only. Default: true',
+    usage: 'Marks if the docker code layer should be read only. Default: true.',
   },
   enforceSecureCookies: {
     type: 'boolean',
-    usage: 'Enforce secure cookies',
+    usage: 'Enforce secure cookies.',
   },
   host: {
     shortcut: 'o',
     type: 'string',
-    usage: 'The host name to listen on. Default: localhost',
+    usage: 'The host name to listen on. Default: localhost.',
   },
   httpPort: {
     type: 'string',
-    usage: 'HTTP port to listen on. Default: 3000',
+    usage: 'HTTP port to listen on. Default: 3000.',
   },
   httpsProtocol: {
     shortcut: 'H',
@@ -76,20 +76,20 @@ export default {
   },
   lambdaPort: {
     type: 'string',
-    usage: 'Lambda http port to listen on. Default: 3002',
+    usage: 'Lambda http port to listen on. Default: 3002.',
   },
   layersDir: {
     type: 'string',
     usage:
-      'The directory layers should be stored in. Default: {codeDir}/.serverless-offline/layers',
+      'The directory layers should be stored in. Default: {codeDir}/.serverless-offline/layers.',
   },
   localEnvironment: {
     type: 'boolean',
-    usage: 'Copy local environment variables. Default: false',
+    usage: 'Copy local environment variables. Default: false.',
   },
   noAuth: {
     type: 'boolean',
-    usage: 'Turns off all authorizers',
+    usage: 'Turns off all authorizers.',
   },
   noPrependStageInUrl: {
     type: 'boolean',
@@ -125,24 +125,24 @@ export default {
   },
   useDocker: {
     type: 'boolean',
-    usage: 'Uses docker for node/python/ruby/provided',
+    usage: 'Uses docker for node/python/ruby/provided.',
   },
   useInProcess: {
     type: 'boolean',
-    usage: "Run handlers in the same process as 'serverless-offline'",
+    usage: "Run handlers in the same process as 'serverless-offline'.",
   },
   webSocketHardTimeout: {
     type: 'string',
     usage:
-      'Set WebSocket hard timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 7200 (2 hours)',
+      'Set WebSocket hard timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 7200 (2 hours).',
   },
   webSocketIdleTimeout: {
     type: 'string',
     usage:
-      'Set WebSocket idle timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 600 (10 minutes)',
+      'Set WebSocket idle timeout in seconds to reproduce AWS limits (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-execution-service-websocket-limits-table). Default: 600 (10 minutes).',
   },
   websocketPort: {
     type: 'string',
-    usage: 'Websocket port to listen on. Default: 3001',
+    usage: 'Websocket port to listen on. Default: 3001.',
   },
 }

package/src/events/http/Http.js

@@ -1,11 +1,19 @@
+import { log } from '@serverless/utils/log.js'
 import HttpEventDefinition from './HttpEventDefinition.js'
 import HttpServer from './HttpServer.js'
+import { orange } from '../../config/colors.js'
+import { createApiKey } from '../../utils/index.js'
 
 export default class Http {
+  #hasPrivateHttpEvent = false
+
   #httpServer = null
 
+  #options = null
+
   constructor(serverless, options, lambda) {
     this.#httpServer = new HttpServer(serverless, options, lambda)
+    this.#options = options
   }
 
   start() {
@@ -28,10 +36,38 @@ export default class Http {
   }
 
   create(events) {
-    events.forEach(({ functionKey, handler, http }) => {
+    events.forEach(({ functionKey, handler, http, private: priv }) => {
       this.#createEvent(functionKey, http, handler)
+
+      if (priv) {
+        this.#hasPrivateHttpEvent = true
+      }
     })
 
+    if (this.#hasPrivateHttpEvent) {
+      if (this.#options.apiKey) {
+        log.notice()
+        log.warning(
+          orange(`'--apiKey' is deprecated and will be removed in the next major version.
+  Please define the apiKey value in the 'provider.apiGateway.apiKeys' section of the serverless config.
+  If you are experiencing any issues please let us know: https://github.com/dherault/serverless-offline/issues`),
+        )
+        log.notice()
+      } else {
+        this.#options.apiKey = createApiKey()
+      }
+
+      log.notice(`Key with token: ${this.#options.apiKey}`)
+
+      if (this.#options.noAuth) {
+        log.notice(
+          `Authorizers are turned off. You do not need to use 'x-api-key' header.`,
+        )
+      } else {
+        log.notice(`Remember to use 'x-api-key' on the request headers.`)
+      }
+    }
+
     this.#httpServer.writeRoutesTerminal()
   }
 

package/src/events/http/HttpServer.js

@@ -440,7 +440,7 @@ export default class HttpServer {
             !this.#apiKeysValues.has(apiKey)
           ) {
             log.debug(
-              `Method ${method} of function ${functionKey} token ${apiKey} not valid`,
+              `Method '${method}' of function '${functionKey}' token '${apiKey}' not valid.`,
             )
 
             return errorResponse()
@@ -452,15 +452,18 @@ export default class HttpServer {
         ) {
           const { usageIdentifierKey } = request.auth.credentials
 
-          if (usageIdentifierKey !== this.#options.apiKey) {
+          if (
+            usageIdentifierKey !== this.#options.apiKey &&
+            !this.#apiKeysValues.has(usageIdentifierKey)
+          ) {
             log.debug(
-              `Method ${method} of function ${functionKey} token ${usageIdentifierKey} not valid`,
+              `Method '${method}' of function '${functionKey}' token '${usageIdentifierKey}' not valid.`,
             )
 
             return errorResponse()
           }
         } else {
-          log.debug(`Missing x-api-key on private function ${functionKey}`)
+          log.debug(`Missing 'x-api-key' on private function '${functionKey}'.`)
 
           return errorResponse()
         }

package/src/events/http/createJWTAuthScheme.js

@@ -1,6 +1,6 @@
 import Boom from '@hapi/boom'
 import { log } from '@serverless/utils/log.js'
-import { decode } from 'jsonwebtoken'
+import { decodeJwt } from 'jose'
 
 const { isArray } = Array
 
@@ -35,18 +35,14 @@ export default function createAuthScheme(jwtOptions) {
       }
 
       try {
-        const decoded = decode(jwtToken, { complete: true })
-        if (!decoded) {
-          return Boom.unauthorized('JWT not decoded')
-        }
+        const claims = decodeJwt(jwtToken)
 
-        const expirationDate = new Date(decoded.payload.exp * 1000)
+        const expirationDate = new Date(claims.exp * 1000)
         if (expirationDate.valueOf() < Date.now()) {
           return Boom.unauthorized('JWT Token expired')
         }
 
-        const { aud, iss, scope } = decoded.payload
-        const clientId = decoded.payload.client_id
+        const { aud, iss, scope, client_id: clientId } = claims
         if (iss !== jwtOptions.issuerUrl) {
           log.notice(`JWT Token not from correct issuer url`)
 
@@ -91,7 +87,7 @@ export default function createAuthScheme(jwtOptions) {
         // return resolve(
         return h.authenticated({
           credentials: {
-            claims: decoded.payload,
+            claims,
             scopes,
           },
         })

package/src/events/http/lambda-events/LambdaProxyIntegrationEvent.js

@@ -1,7 +1,7 @@
 import { Buffer } from 'node:buffer'
 import { env } from 'node:process'
 import { log } from '@serverless/utils/log.js'
-import { decode } from 'jsonwebtoken'
+import { decodeJwt } from 'jose'
 import {
   createUniqueId,
   formatToClfTime,
@@ -122,8 +122,8 @@ export default class LambdaProxyIntegrationEvent {
 
     if (token) {
       try {
-        claims = decode(token) || undefined
-        if (claims && claims.scope) {
+        claims = decodeJwt(token)
+        if (claims.scope) {
           scopes = claims.scope.split(' ')
           // In AWS HTTP Api the scope property is removed from the decoded JWT
           // I'm leaving this property because I'm not sure how all of the authorizers

package/src/events/http/lambda-events/LambdaProxyIntegrationEventV2.js

@@ -1,7 +1,7 @@
 import { Buffer } from 'node:buffer'
 import { env } from 'node:process'
 import { log } from '@serverless/utils/log.js'
-import { decode } from 'jsonwebtoken'
+import { decodeJwt } from 'jose'
 import {
   formatToClfTime,
   lowerCaseKeys,
@@ -105,8 +105,8 @@ export default class LambdaProxyIntegrationEventV2 {
 
     if (token) {
       try {
-        claims = decode(token) || undefined
-        if (claims && claims.scope) {
+        claims = decodeJwt(token)
+        if (claims.scope) {
           scopes = claims.scope.split(' ')
           // In AWS HTTP Api the scope property is removed from the decoded JWT
           // I'm leaving this property because I'm not sure how all of the authorizers
@@ -129,12 +129,14 @@ export default class LambdaProxyIntegrationEventV2 {
     const requestTime = formatToClfTime(received)
     const requestTimeEpoch = received
 
-    const cookies = entries(this.#request.state).flatMap(([key, value]) => {
-      if (isArray(value)) {
-        return value.map((v) => `${key}=${v}`)
-      }
-      return `${key}=${value}`
-    })
+    const cookies = this.#request.state
+      ? entries(this.#request.state).flatMap(([key, value]) => {
+          if (isArray(value)) {
+            return value.map((v) => `${key}=${v}`)
+          }
+          return `${key}=${value}`
+        })
+      : undefined
 
     return {
       body,

package/src/events/http/lambda-events/VelocityContext.js

@@ -1,7 +1,7 @@
 import { Buffer } from 'node:buffer'
 import { env } from 'node:process'
 import jsEscapeString from 'js-string-escape'
-import { decode } from 'jsonwebtoken'
+import { decodeJwt } from 'jose'
 import {
   createUniqueId,
   isPlainObject,
@@ -83,10 +83,7 @@ export default class VelocityContext {
 
     if (token) {
       try {
-        const claims = decode(token) || undefined
-        if (claims) {
-          assign(authorizer, { claims })
-        }
+        assign(authorizer, { claims: decodeJwt(token) })
       } catch {
         // Nothing
       }

package/src/events/websocket/HttpServer.js

@@ -30,7 +30,7 @@ export default class HttpServer {
   }
 
   async createServer() {
-    const { host, websocketPort, httpsProtocol } = this.#options
+    const { host, httpsProtocol, websocketPort } = this.#options
 
     const serverOptions = {
       host,