serverless-offline 11.2.2 → 11.3.0

package/README.md

@@ -43,7 +43,7 @@ This plugin is updated by its users, I just do maintenance and ensure that PRs a
 - [Installation](#installation)
 - [Usage and command line options](#usage-and-command-line-options)
 - [Run modes](#run-modes)
-- [Usage with `invoke`](#usage-with-invoke)
+- [Invoke Lambda](#invoke-lambda)
 - [The `process.env.IS_OFFLINE` variable](#the-processenvis_offline-variable)
 - [Docker and Layers](#docker-and-layers)
 - [Authorizers](#authorizers)
@@ -295,7 +295,7 @@ Lambda handlers for the `node.js` runtime can run in different execution modes w
 
 the Lambda handler process is running in a child process.
 
-## Usage with `invoke`
+## Invoke Lambda
 
 To use `Lambda.invoke` you need to set the lambda endpoint to the `serverless-offline` endpoint:
 
@@ -326,14 +326,20 @@ const lambda = new aws.Lambda({
 })
 
 export async function handler() {
-  const clientContextData = stringify({ foo: 'foo' })
+  const clientContextData = stringify({
+    foo: 'foo',
+  })
+
+  const payload = stringify({
+    data: 'foo',
+  })
 
   const params = {
     ClientContext: Buffer.from(clientContextData).toString('base64'),
     // FunctionName is composed of: service name - stage - function name, e.g.
     FunctionName: 'myServiceName-dev-invokedHandler',
     InvocationType: 'RequestResponse',
-    Payload: stringify({ data: 'foo' }),
+    Payload: payload,
   }
 
   const response = await lambda.invoke(params).promise()

package/package.json

@@ -1,7 +1,7 @@
 {
   "dedicatedTo": "Blue, a great migrating bird.",
   "name": "serverless-offline",
-  "version": "11.2.2",
+  "version": "11.3.0",
   "description": "Emulate AWS λ and API Gateway locally when developing your Serverless project",
   "license": "MIT",
   "exports": {
@@ -82,34 +82,35 @@
     ]
   },
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.199.0",
+    "@aws-sdk/client-lambda": "^3.204.0",
     "@hapi/boom": "^10.0.0",
     "@hapi/h2o2": "^10.0.0",
-    "@hapi/hapi": "^20.2.2",
-    "@serverless/utils": "^6.8.1",
+    "@hapi/hapi": "^21.0.0",
+    "@serverless/utils": "^6.8.2",
     "boxen": "^7.0.0",
     "chalk": "^5.1.2",
     "execa": "^6.1.0",
     "fs-extra": "^10.1.0",
+    "is-wsl": "^2.2.0",
     "java-invoke-local": "0.0.6",
     "jose": "^4.10.4",
     "js-string-escape": "^1.0.1",
     "jsonpath-plus": "^7.2.0",
     "jsonschema": "^1.4.1",
     "jszip": "^3.10.1",
-    "luxon": "^3.0.4",
+    "luxon": "^3.1.0",
     "node-fetch": "^3.2.10",
     "node-schedule": "^2.1.0",
-    "object.hasown": "^1.1.1",
+    "object.hasown": "^1.1.2",
     "p-memoize": "^7.1.1",
     "p-retry": "^5.1.1",
     "velocityjs": "^2.0.6",
-    "ws": "^8.10.0"
+    "ws": "^8.11.0"
   },
   "devDependencies": {
     "@istanbuljs/esm-loader-hook": "^0.2.0",
     "archiver": "^5.3.1",
-    "eslint": "^8.26.0",
+    "eslint": "^8.27.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.25.4",
@@ -120,7 +121,7 @@
     "mocha": "^10.1.0",
     "nyc": "^15.1.0",
     "prettier": "^2.7.1",
-    "serverless": "^3.23.0",
+    "serverless": "^3.24.1",
     "standard-version": "^9.5.0"
   },
   "peerDependencies": {

package/src/events/http/HttpServer.js

@@ -253,6 +253,16 @@ export default class HttpServer {
       return null
     }
 
+    if (
+      (endpoint.authorizer.name &&
+        this.#serverless.service.provider?.httpApi?.authorizers?.[
+          endpoint.authorizer.name
+        ]?.type === 'request') ||
+      endpoint.authorizer.type === 'request'
+    ) {
+      return null
+    }
+
     const jwtSettings = this.#extractJWTAuthSettings(endpoint)
     if (!jwtSettings) {
       return null
@@ -303,11 +313,36 @@ export default class HttpServer {
       log.error(`Authorization function ${authFunctionName} does not exist`)
       return null
     }
+    const serverlessAuthorizerOptions =
+      this.#serverless.service.provider.httpApi &&
+      this.#serverless.service.provider.httpApi.authorizers &&
+      this.#serverless.service.provider.httpApi.authorizers[authFunctionName]
 
     const authorizerOptions = {
-      identitySource: 'method.request.header.Authorization',
-      identityValidationExpression: '(.*)',
-      resultTtlInSeconds: '300',
+      enableSimpleResponses:
+        (endpoint.isHttpApi &&
+          serverlessAuthorizerOptions?.enableSimpleResponses) ||
+        false,
+      identitySource:
+        serverlessAuthorizerOptions?.identitySource ||
+        'method.request.header.Authorization',
+      identityValidationExpression:
+        serverlessAuthorizerOptions?.identityValidationExpression || '(.*)',
+      payloadVersion: !endpoint.isHttpApi
+        ? '1.0'
+        : serverlessAuthorizerOptions?.payloadVersion || '2.0',
+      resultTtlInSeconds:
+        serverlessAuthorizerOptions?.resultTtlInSeconds || '300',
+    }
+
+    if (
+      authorizerOptions.enableSimpleResponses &&
+      authorizerOptions.payloadVersion === '1.0'
+    ) {
+      log.error(
+        `Cannot create Authorization function '${authFunctionName}' if payloadVersion is '1.0' and enableSimpleResponses is true`,
+      )
+      return null
     }
 
     if (typeof endpoint.authorizer === 'string') {

package/src/events/http/createAuthScheme.js

@@ -3,6 +3,7 @@ import { log } from '@serverless/utils/log.js'
 import authCanExecuteResource from '../authCanExecuteResource.js'
 import authValidateContext from '../authValidateContext.js'
 import {
+  getRawQueryParams,
   nullIfEmpty,
   parseHeaders,
   parseMultiValueHeaders,
@@ -14,18 +15,22 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
   const authFunName = authorizerOptions.name
   let identityHeader = 'authorization'
 
-  if (authorizerOptions.type !== 'request') {
-    const identitySourceMatch = /^method.request.header.((?:\w+-?)+\w+)$/.exec(
-      authorizerOptions.identitySource,
-    )
+  if (
+    authorizerOptions.type !== 'request' ||
+    authorizerOptions.identitySource
+  ) {
+    const identitySourceMatch =
+      /^(method.|\$)request.header.((?:\w+-?)+\w+)$/.exec(
+        authorizerOptions.identitySource,
+      )
 
-    if (!identitySourceMatch || identitySourceMatch.length !== 2) {
+    if (!identitySourceMatch || identitySourceMatch.length !== 3) {
       throw new Error(
-        `Serverless Offline only supports retrieving tokens from the headers (λ: ${authFunName})`,
+        `Serverless Offline only supports retrieving tokens from headers (λ: ${authFunName})`,
       )
     }
 
-    identityHeader = identitySourceMatch[1].toLowerCase()
+    identityHeader = identitySourceMatch[2].toLowerCase()
   }
 
   // Create Auth Scheme
@@ -36,8 +41,7 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
         `Running Authorization function for ${request.method} ${request.path} (λ: ${authFunName})`,
       )
 
-      // Get Authorization header
-      const { req } = request.raw
+      const { rawHeaders, url } = request.raw.req
 
       // Get path params
       // aws doesn't auto decode path params - hapi does
@@ -45,6 +49,8 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
 
       const accountId = 'random-account-id'
       const apiId = 'random-api-id'
+      const requestId = 'random-request-id'
+
       const httpMethod = request.method.toUpperCase()
       const resourcePath = request.route.path.replace(
         new RegExp(`^/${provider.stage}`),
@@ -53,53 +59,96 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
 
       let event = {
         enhancedAuthContext: {},
-        methodArn: `arn:aws:execute-api:${provider.region}:${accountId}:${apiId}/${provider.stage}/${httpMethod}${resourcePath}`,
+        headers: parseHeaders(rawHeaders),
         requestContext: {
           accountId,
           apiId,
-          httpMethod,
-          path: request.path,
-          requestId: 'random-request-id',
-          resourceId: 'random-resource-id',
-          resourcePath,
+          domainName: `${apiId}.execute-api.us-east-1.amazonaws.com`,
+          domainPrefix: apiId,
+          requestId,
           stage: provider.stage,
         },
-        resource: resourcePath,
+        version: authorizerOptions.payloadVersion,
       }
 
-      // Create event Object for authFunction
-      //   methodArn is the ARN of the function we are running we are authorizing access to (or not)
-      //   Account ID and API ID are not simulated
-      if (authorizerOptions.type === 'request') {
-        const { rawHeaders, url } = req
+      const protocol = `${request.server.info.protocol.toUpperCase()}/${
+        request.raw.req.httpVersion
+      }`
+      const currentDate = new Date()
+      const resourceId = `${httpMethod} ${resourcePath}`
+      const methodArn = `arn:aws:execute-api:${provider.region}:${accountId}:${apiId}/${provider.stage}/${httpMethod}${resourcePath}`
+
+      const authorization = request.raw.req.headers[identityHeader]
+
+      const identityValidationExpression = new RegExp(
+        authorizerOptions.identityValidationExpression,
+      )
+      const matchedAuthorization =
+        identityValidationExpression.test(authorization)
+      const finalAuthorization = matchedAuthorization ? authorization : ''
+
+      log.debug(`Retrieved ${identityHeader} header "${finalAuthorization}"`)
 
+      if (authorizerOptions.payloadVersion === '1.0') {
         event = {
           ...event,
-          headers: parseHeaders(rawHeaders),
+          authorizationToken: finalAuthorization,
           httpMethod: request.method.toUpperCase(),
+          identitySource: finalAuthorization,
+          methodArn,
           multiValueHeaders: parseMultiValueHeaders(rawHeaders),
           multiValueQueryStringParameters:
             parseMultiValueQueryStringParameters(url),
           path: request.path,
           pathParameters: nullIfEmpty(pathParams),
           queryStringParameters: parseQueryStringParameters(url),
-          type: 'REQUEST',
+          requestContext: {
+            extendedRequestId: requestId,
+            httpMethod,
+            path: request.path,
+            protocol,
+            requestTime: currentDate.toString(),
+            requestTimeEpoch: currentDate.getTime(),
+            resourceId,
+            resourcePath,
+            stage: provider.stage,
+          },
+          resource: resourcePath,
         }
-      } else {
-        const authorization = req.headers[identityHeader]
-
-        const identityValidationExpression = new RegExp(
-          authorizerOptions.identityValidationExpression,
-        )
-        const matchedAuthorization =
-          identityValidationExpression.test(authorization)
-        const finalAuthorization = matchedAuthorization ? authorization : ''
+      }
 
-        log.debug(`Retrieved ${identityHeader} header "${finalAuthorization}"`)
+      if (authorizerOptions.payloadVersion === '2.0') {
+        event = {
+          ...event,
+          identitySource: [finalAuthorization],
+          rawPath: request.path,
+          rawQueryString: getRawQueryParams(url),
+          requestContext: {
+            http: {
+              method: httpMethod,
+              path: resourcePath,
+              protocol,
+            },
+            routeKey: resourceId,
+            time: currentDate.toString(),
+            timeEpoch: currentDate.getTime(),
+          },
+          routeArn: methodArn,
+          routeKey: resourceId,
+        }
+      }
 
+      //   methodArn is the ARN of the function we are running we are authorizing access to (or not)
+      //   Account ID and API ID are not simulated
+      if (authorizerOptions.type === 'request') {
+        event = {
+          ...event,
+          type: 'REQUEST',
+        }
+      } else {
+        // This is safe since type: 'TOKEN' cannot have payload format 2.0
         event = {
           ...event,
-          authorizationToken: finalAuthorization,
           type: 'TOKEN',
         }
       }
@@ -109,6 +158,25 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
 
       try {
         const result = await lambdaFunction.runHandler()
+
+        if (authorizerOptions.enableSimpleResponses) {
+          if (result.isAuthorized) {
+            const authorizer = {
+              integrationLatency: '42',
+              ...result.context,
+            }
+            return h.authenticated({
+              credentials: {
+                authorizer,
+                context: result.context || {},
+              },
+            })
+          }
+          return Boom.forbidden(
+            'User is not authorized to access this resource',
+          )
+        }
+
         if (result === 'Unauthorized') return Boom.unauthorized('Unauthorized')
 
         // Validate that the policy document has the principalId set
@@ -120,7 +188,12 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
           return Boom.forbidden('No principalId set on the Response')
         }
 
-        if (!authCanExecuteResource(result.policyDocument, event.methodArn)) {
+        if (
+          !authCanExecuteResource(
+            result.policyDocument,
+            event.methodArn || event.routeArn,
+          )
+        ) {
           log.notice(
             `Authorization response didn't authorize user to access resource: (λ: ${authFunName})`,
           )

package/src/events/http/createJWTAuthScheme.js

@@ -3,6 +3,7 @@ import { log } from '@serverless/utils/log.js'
 import { decodeJwt } from 'jose'
 
 const { isArray } = Array
+const { now } = Date
 
 export default function createAuthScheme(jwtOptions) {
   const authorizerName = jwtOptions.name
@@ -38,7 +39,7 @@ export default function createAuthScheme(jwtOptions) {
         const claims = decodeJwt(jwtToken)
 
         const expirationDate = new Date(claims.exp * 1000)
-        if (expirationDate.valueOf() < Date.now()) {
+        if (expirationDate.getTime() < now()) {
           return Boom.unauthorized('JWT Token expired')
         }
 

package/src/lambda/handler-runner/docker-runner/DockerContainer.js

@@ -7,6 +7,7 @@ import { LambdaClient, GetLayerVersionCommand } from '@aws-sdk/client-lambda'
 import { log, progress } from '@serverless/utils/log.js'
 import { execa } from 'execa'
 import { ensureDir, pathExists } from 'fs-extra'
+import isWsl from 'is-wsl'
 import jszip from 'jszip'
 import pRetry from 'p-retry'
 import DockerImage from './DockerImage.js'
@@ -148,7 +149,7 @@ export default class DockerContainer {
       dockerArgs.push('-e', `${key}=${value}`)
     })
 
-    if (platform() === 'linux') {
+    if (platform() === 'linux' && !isWsl) {
       // Add `host.docker.internal` DNS name to access host from inside the container
       // https://github.com/docker/for-linux/issues/264
       const gatewayIp = await this.#getBridgeGatewayIp()

package/src/utils/getRawQueryParams.js

@@ -0,0 +1,11 @@
+import parseQueryStringParameters from './parseQueryStringParameters.js'
+
+export default function getRawQueryParams(url) {
+  const queryParams = parseQueryStringParameters(url) || {}
+  return Object.keys(queryParams)
+    .reduce(function reducer(accumulator, currentKey) {
+      accumulator.push(`${currentKey}=${queryParams[currentKey]}`)
+      return accumulator
+    }, [])
+    .join('&')
+}

package/src/utils/index.js

@@ -7,6 +7,7 @@ export { default as formatToClfTime } from './formatToClfTime.js'
 export { default as generateHapiPath } from './generateHapiPath.js'
 export { default as getApiKeysValues } from './getApiKeysValues.js'
 export { default as getHttpApiCorsConfig } from './getHttpApiCorsConfig.js'
+export { default as getRawQueryParams } from './getRawQueryParams.js'
 export { default as jsonPath } from './jsonPath.js'
 export { default as lowerCaseKeys } from './lowerCaseKeys.js'
 export { default as parseHeaders } from './parseHeaders.js'