serverless-offline 11.2.3 → 11.4.0

package/README.md

@@ -43,7 +43,7 @@ This plugin is updated by its users, I just do maintenance and ensure that PRs a
 - [Installation](#installation)
 - [Usage and command line options](#usage-and-command-line-options)
 - [Run modes](#run-modes)
-- [Usage with `invoke`](#usage-with-invoke)
+- [Invoke Lambda](#invoke-lambda)
 - [The `process.env.IS_OFFLINE` variable](#the-processenvis_offline-variable)
 - [Docker and Layers](#docker-and-layers)
 - [Authorizers](#authorizers)
@@ -295,7 +295,7 @@ Lambda handlers for the `node.js` runtime can run in different execution modes w
 
 the Lambda handler process is running in a child process.
 
-## Usage with `invoke`
+## Invoke Lambda
 
 To use `Lambda.invoke` you need to set the lambda endpoint to the `serverless-offline` endpoint:
 
@@ -326,14 +326,20 @@ const lambda = new aws.Lambda({
 })
 
 export async function handler() {
-  const clientContextData = stringify({ foo: 'foo' })
+  const clientContextData = stringify({
+    foo: 'foo',
+  })
+
+  const payload = stringify({
+    data: 'foo',
+  })
 
   const params = {
     ClientContext: Buffer.from(clientContextData).toString('base64'),
     // FunctionName is composed of: service name - stage - function name, e.g.
     FunctionName: 'myServiceName-dev-invokedHandler',
     InvocationType: 'RequestResponse',
-    Payload: stringify({ data: 'foo' }),
+    Payload: payload,
   }
 
   const response = await lambda.invoke(params).promise()

package/package.json

@@ -1,7 +1,7 @@
 {
   "dedicatedTo": "Blue, a great migrating bird.",
   "name": "serverless-offline",
-  "version": "11.2.3",
+  "version": "11.4.0",
   "description": "Emulate AWS λ and API Gateway locally when developing your Serverless project",
   "license": "MIT",
   "exports": {
@@ -82,46 +82,46 @@
     ]
   },
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.200.0",
+    "@aws-sdk/client-lambda": "^3.210.0",
     "@hapi/boom": "^10.0.0",
     "@hapi/h2o2": "^10.0.0",
-    "@hapi/hapi": "^20.2.2",
-    "@serverless/utils": "^6.8.1",
+    "@hapi/hapi": "^21.0.0",
+    "@serverless/utils": "^6.8.2",
     "boxen": "^7.0.0",
     "chalk": "^5.1.2",
     "execa": "^6.1.0",
     "fs-extra": "^10.1.0",
     "is-wsl": "^2.2.0",
     "java-invoke-local": "0.0.6",
-    "jose": "^4.10.4",
+    "jose": "^4.11.0",
     "js-string-escape": "^1.0.1",
     "jsonpath-plus": "^7.2.0",
     "jsonschema": "^1.4.1",
     "jszip": "^3.10.1",
     "luxon": "^3.1.0",
-    "node-fetch": "^3.2.10",
+    "node-fetch": "^3.3.0",
     "node-schedule": "^2.1.0",
-    "object.hasown": "^1.1.1",
+    "object.hasown": "^1.1.2",
     "p-memoize": "^7.1.1",
     "p-retry": "^5.1.1",
     "velocityjs": "^2.0.6",
-    "ws": "^8.10.0"
+    "ws": "^8.11.0"
   },
   "devDependencies": {
     "@istanbuljs/esm-loader-hook": "^0.2.0",
     "archiver": "^5.3.1",
-    "eslint": "^8.26.0",
+    "eslint": "^8.27.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.25.4",
     "eslint-plugin-prettier": "^4.2.1",
     "git-list-updated": "^1.2.1",
-    "husky": "^8.0.1",
+    "husky": "^8.0.2",
     "lint-staged": "^13.0.3",
     "mocha": "^10.1.0",
     "nyc": "^15.1.0",
     "prettier": "^2.7.1",
-    "serverless": "^3.23.0",
+    "serverless": "^3.24.1",
     "standard-version": "^9.5.0"
   },
   "peerDependencies": {

package/src/events/http/HttpServer.js

@@ -253,6 +253,16 @@ export default class HttpServer {
       return null
     }
 
+    if (
+      (endpoint.authorizer.name &&
+        this.#serverless.service.provider?.httpApi?.authorizers?.[
+          endpoint.authorizer.name
+        ]?.type === 'request') ||
+      endpoint.authorizer.type === 'request'
+    ) {
+      return null
+    }
+
     const jwtSettings = this.#extractJWTAuthSettings(endpoint)
     if (!jwtSettings) {
       return null
@@ -303,11 +313,36 @@ export default class HttpServer {
       log.error(`Authorization function ${authFunctionName} does not exist`)
       return null
     }
+    const serverlessAuthorizerOptions =
+      this.#serverless.service.provider.httpApi &&
+      this.#serverless.service.provider.httpApi.authorizers &&
+      this.#serverless.service.provider.httpApi.authorizers[authFunctionName]
 
     const authorizerOptions = {
-      identitySource: 'method.request.header.Authorization',
-      identityValidationExpression: '(.*)',
-      resultTtlInSeconds: '300',
+      enableSimpleResponses:
+        (endpoint.isHttpApi &&
+          serverlessAuthorizerOptions?.enableSimpleResponses) ||
+        false,
+      identitySource:
+        serverlessAuthorizerOptions?.identitySource ||
+        'method.request.header.Authorization',
+      identityValidationExpression:
+        serverlessAuthorizerOptions?.identityValidationExpression || '(.*)',
+      payloadVersion: !endpoint.isHttpApi
+        ? '1.0'
+        : serverlessAuthorizerOptions?.payloadVersion || '2.0',
+      resultTtlInSeconds:
+        serverlessAuthorizerOptions?.resultTtlInSeconds || '300',
+    }
+
+    if (
+      authorizerOptions.enableSimpleResponses &&
+      authorizerOptions.payloadVersion === '1.0'
+    ) {
+      log.error(
+        `Cannot create Authorization function '${authFunctionName}' if payloadVersion is '1.0' and enableSimpleResponses is true`,
+      )
+      return null
     }
 
     if (typeof endpoint.authorizer === 'string') {

package/src/events/http/createAuthScheme.js

@@ -3,6 +3,7 @@ import { log } from '@serverless/utils/log.js'
 import authCanExecuteResource from '../authCanExecuteResource.js'
 import authValidateContext from '../authValidateContext.js'
 import {
+  getRawQueryParams,
   nullIfEmpty,
   parseHeaders,
   parseMultiValueHeaders,
@@ -10,83 +11,77 @@ import {
   parseQueryStringParameters,
 } from '../../utils/index.js'
 
+const IDENTITY_SOURCE_TYPE_HEADER = 'header'
+const IDENTITY_SOURCE_TYPE_QUERYSTRING = 'querystring'
+
 export default function createAuthScheme(authorizerOptions, provider, lambda) {
   const authFunName = authorizerOptions.name
-  let identityHeader = 'authorization'
+  let identitySourceField = 'authorization'
+  let identitySourceType = IDENTITY_SOURCE_TYPE_HEADER
 
-  if (authorizerOptions.type !== 'request') {
-    const identitySourceMatch = /^method.request.header.((?:\w+-?)+\w+)$/.exec(
-      authorizerOptions.identitySource,
-    )
+  const finalizeAuthScheme = () => {
+    return () => ({
+      async authenticate(request, h) {
+        log.notice()
+        log.notice(
+          `Running Authorization function for ${request.method} ${request.path} (λ: ${authFunName})`,
+        )
 
-    if (!identitySourceMatch || identitySourceMatch.length !== 2) {
-      throw new Error(
-        `Serverless Offline only supports retrieving tokens from the headers (λ: ${authFunName})`,
-      )
-    }
+        const { rawHeaders, url } = request.raw.req
 
-    identityHeader = identitySourceMatch[1].toLowerCase()
-  }
+        // Get path params
+        // aws doesn't auto decode path params - hapi does
+        const pathParams = { ...request.params }
+
+        const accountId = 'random-account-id'
+        const apiId = 'random-api-id'
+        const requestId = 'random-request-id'
+
+        const httpMethod = request.method.toUpperCase()
+        const resourcePath = request.route.path.replace(
+          new RegExp(`^/${provider.stage}`),
+          '',
+        )
 
-  // Create Auth Scheme
-  return () => ({
-    async authenticate(request, h) {
-      log.notice()
-      log.notice(
-        `Running Authorization function for ${request.method} ${request.path} (λ: ${authFunName})`,
-      )
-
-      // Get Authorization header
-      const { req } = request.raw
-
-      // Get path params
-      // aws doesn't auto decode path params - hapi does
-      const pathParams = { ...request.params }
-
-      const accountId = 'random-account-id'
-      const apiId = 'random-api-id'
-      const httpMethod = request.method.toUpperCase()
-      const resourcePath = request.route.path.replace(
-        new RegExp(`^/${provider.stage}`),
-        '',
-      )
-
-      let event = {
-        enhancedAuthContext: {},
-        methodArn: `arn:aws:execute-api:${provider.region}:${accountId}:${apiId}/${provider.stage}/${httpMethod}${resourcePath}`,
-        requestContext: {
-          accountId,
-          apiId,
-          httpMethod,
-          path: request.path,
-          requestId: 'random-request-id',
-          resourceId: 'random-resource-id',
-          resourcePath,
-          stage: provider.stage,
-        },
-        resource: resourcePath,
-      }
-
-      // Create event Object for authFunction
-      //   methodArn is the ARN of the function we are running we are authorizing access to (or not)
-      //   Account ID and API ID are not simulated
-      if (authorizerOptions.type === 'request') {
-        const { rawHeaders, url } = req
-
-        event = {
-          ...event,
+        let event = {
+          enhancedAuthContext: {},
           headers: parseHeaders(rawHeaders),
-          httpMethod: request.method.toUpperCase(),
-          multiValueHeaders: parseMultiValueHeaders(rawHeaders),
-          multiValueQueryStringParameters:
-            parseMultiValueQueryStringParameters(url),
-          path: request.path,
-          pathParameters: nullIfEmpty(pathParams),
-          queryStringParameters: parseQueryStringParameters(url),
-          type: 'REQUEST',
+          requestContext: {
+            accountId,
+            apiId,
+            domainName: `${apiId}.execute-api.us-east-1.amazonaws.com`,
+            domainPrefix: apiId,
+            requestId,
+            stage: provider.stage,
+          },
+          version: authorizerOptions.payloadVersion,
+        }
+
+        const protocol = `${request.server.info.protocol.toUpperCase()}/${
+          request.raw.req.httpVersion
+        }`
+        const currentDate = new Date()
+        const resourceId = `${httpMethod} ${resourcePath}`
+        const methodArn = `arn:aws:execute-api:${provider.region}:${accountId}:${apiId}/${provider.stage}/${httpMethod}${resourcePath}`
+
+        let authorization
+        if (identitySourceType === IDENTITY_SOURCE_TYPE_HEADER) {
+          const headers = request.raw.req.headers ?? {}
+          authorization = headers[identitySourceField]
+        } else if (identitySourceType === IDENTITY_SOURCE_TYPE_QUERYSTRING) {
+          const queryStringParameters = parseQueryStringParameters(url) ?? {}
+          authorization = queryStringParameters[identitySourceField]
+        } else {
+          throw new Error(
+            `No Authorization source has been specified. This should never happen. (λ: ${authFunName})`,
+          )
+        }
+
+        if (authorization === undefined) {
+          throw new Error(
+            `Identity Source is null for ${identitySourceType} ${identitySourceField} (λ: ${authFunName})`,
+          )
         }
-      } else {
-        const authorization = req.headers[identityHeader]
 
         const identityValidationExpression = new RegExp(
           authorizerOptions.identityValidationExpression,
@@ -95,82 +90,208 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
           identityValidationExpression.test(authorization)
         const finalAuthorization = matchedAuthorization ? authorization : ''
 
-        log.debug(`Retrieved ${identityHeader} header "${finalAuthorization}"`)
+        log.debug(
+          `Retrieved ${identitySourceField} ${identitySourceType} "${finalAuthorization}"`,
+        )
 
-        event = {
-          ...event,
-          authorizationToken: finalAuthorization,
-          type: 'TOKEN',
+        if (authorizerOptions.payloadVersion === '1.0') {
+          event = {
+            ...event,
+            authorizationToken: finalAuthorization,
+            httpMethod: request.method.toUpperCase(),
+            identitySource: finalAuthorization,
+            methodArn,
+            multiValueHeaders: parseMultiValueHeaders(rawHeaders),
+            multiValueQueryStringParameters:
+              parseMultiValueQueryStringParameters(url),
+            path: request.path,
+            pathParameters: nullIfEmpty(pathParams),
+            queryStringParameters: parseQueryStringParameters(url),
+            requestContext: {
+              extendedRequestId: requestId,
+              httpMethod,
+              path: request.path,
+              protocol,
+              requestTime: currentDate.toString(),
+              requestTimeEpoch: currentDate.getTime(),
+              resourceId,
+              resourcePath,
+              stage: provider.stage,
+            },
+            resource: resourcePath,
+          }
         }
-      }
 
-      const lambdaFunction = lambda.get(authFunName)
-      lambdaFunction.setEvent(event)
+        if (authorizerOptions.payloadVersion === '2.0') {
+          event = {
+            ...event,
+            identitySource: [finalAuthorization],
+            rawPath: request.path,
+            rawQueryString: getRawQueryParams(url),
+            requestContext: {
+              http: {
+                method: httpMethod,
+                path: resourcePath,
+                protocol,
+              },
+              routeKey: resourceId,
+              time: currentDate.toString(),
+              timeEpoch: currentDate.getTime(),
+            },
+            routeArn: methodArn,
+            routeKey: resourceId,
+          }
+        }
 
-      try {
-        const result = await lambdaFunction.runHandler()
-        if (result === 'Unauthorized') return Boom.unauthorized('Unauthorized')
+        //   methodArn is the ARN of the function we are running we are authorizing access to (or not)
+        //   Account ID and API ID are not simulated
+        if (authorizerOptions.type === 'request') {
+          event = {
+            ...event,
+            type: 'REQUEST',
+          }
+        } else {
+          // This is safe since type: 'TOKEN' cannot have payload format 2.0
+          event = {
+            ...event,
+            type: 'TOKEN',
+          }
+        }
+
+        const lambdaFunction = lambda.get(authFunName)
+        lambdaFunction.setEvent(event)
+
+        try {
+          const result = await lambdaFunction.runHandler()
+
+          if (authorizerOptions.enableSimpleResponses) {
+            if (result.isAuthorized) {
+              const authorizer = {
+                integrationLatency: '42',
+                ...result.context,
+              }
+              return h.authenticated({
+                credentials: {
+                  authorizer,
+                  context: result.context || {},
+                },
+              })
+            }
+            return Boom.forbidden(
+              'User is not authorized to access this resource',
+            )
+          }
+
+          if (result === 'Unauthorized')
+            return Boom.unauthorized('Unauthorized')
+
+          // Validate that the policy document has the principalId set
+          if (!result.principalId) {
+            log.notice(
+              `Authorization response did not include a principalId: (λ: ${authFunName})`,
+            )
+
+            return Boom.forbidden('No principalId set on the Response')
+          }
+
+          if (
+            !authCanExecuteResource(
+              result.policyDocument,
+              event.methodArn || event.routeArn,
+            )
+          ) {
+            log.notice(
+              `Authorization response didn't authorize user to access resource: (λ: ${authFunName})`,
+            )
+
+            return Boom.forbidden(
+              'User is not authorized to access this resource',
+            )
+          }
+
+          // validate the resulting context, ensuring that all
+          // values are either string, number, or boolean types
+          if (result.context) {
+            const validationResult = authValidateContext(
+              result.context,
+              authFunName,
+            )
+
+            if (validationResult instanceof Error) {
+              return validationResult
+            }
+
+            result.context = validationResult
+          }
 
-        // Validate that the policy document has the principalId set
-        if (!result.principalId) {
           log.notice(
-            `Authorization response did not include a principalId: (λ: ${authFunName})`,
+            `Authorization function returned a successful response: (λ: ${authFunName})`,
           )
 
-          return Boom.forbidden('No principalId set on the Response')
-        }
+          const authorizer = {
+            integrationLatency: '42',
+            principalId: result.principalId,
+            ...result.context,
+          }
 
-        if (!authCanExecuteResource(result.policyDocument, event.methodArn)) {
+          // Set the credentials for the rest of the pipeline
+          return h.authenticated({
+            credentials: {
+              authorizer,
+              context: result.context,
+              principalId: result.principalId,
+              usageIdentifierKey: result.usageIdentifierKey,
+            },
+          })
+        } catch {
           log.notice(
-            `Authorization response didn't authorize user to access resource: (λ: ${authFunName})`,
+            `Authorization function returned an error response: (λ: ${authFunName})`,
           )
 
-          return Boom.forbidden(
-            'User is not authorized to access this resource',
-          )
+          return Boom.unauthorized('Unauthorized')
         }
+      },
+    })
+  }
 
-        // validate the resulting context, ensuring that all
-        // values are either string, number, or boolean types
-        if (result.context) {
-          const validationResult = authValidateContext(
-            result.context,
-            authFunName,
-          )
+  const checkForIdentitySourceMatch = (exp, expectedLength) => {
+    const identitySourceMatch = exp.exec(authorizerOptions.identitySource)
 
-          if (validationResult instanceof Error) {
-            return validationResult
-          }
+    if (!identitySourceMatch || identitySourceMatch.length !== expectedLength) {
+      return undefined
+    }
+    return identitySourceMatch[expectedLength - 1]
+  }
 
-          result.context = validationResult
-        }
+  if (
+    authorizerOptions.type !== 'request' ||
+    authorizerOptions.identitySource
+  ) {
+    const headerRegExp = /^(method.|\$)request.header.((?:\w+-?)+\w+)$/
+    const queryStringRegExp =
+      /^(method.|\$)request.querystring.((?:\w+-?)+\w+)$/
 
-        log.notice(
-          `Authorization function returned a successful response: (λ: ${authFunName})`,
-        )
+    const identityHeaderResult = checkForIdentitySourceMatch(headerRegExp, 3)
+    if (identityHeaderResult !== undefined) {
+      identitySourceField = identityHeaderResult.toLowerCase()
+      identitySourceType = IDENTITY_SOURCE_TYPE_HEADER
+      return finalizeAuthScheme()
+    }
 
-        const authorizer = {
-          integrationLatency: '42',
-          principalId: result.principalId,
-          ...result.context,
-        }
+    const identityQueryStringResult = checkForIdentitySourceMatch(
+      queryStringRegExp,
+      3,
+    )
+    if (identityQueryStringResult !== undefined) {
+      identitySourceField = identityQueryStringResult
+      identitySourceType = IDENTITY_SOURCE_TYPE_QUERYSTRING
+      return finalizeAuthScheme()
+    }
 
-        // Set the credentials for the rest of the pipeline
-        return h.authenticated({
-          credentials: {
-            authorizer,
-            context: result.context,
-            principalId: result.principalId,
-            usageIdentifierKey: result.usageIdentifierKey,
-          },
-        })
-      } catch {
-        log.notice(
-          `Authorization function returned an error response: (λ: ${authFunName})`,
-        )
+    throw new Error(
+      `Serverless Offline only supports retrieving tokens from headers and querystring parameters (λ: ${authFunName})`,
+    )
+  }
 
-        return Boom.unauthorized('Unauthorized')
-      }
-    },
-  })
+  return finalizeAuthScheme()
 }

package/src/utils/getRawQueryParams.js

@@ -0,0 +1,11 @@
+import parseQueryStringParameters from './parseQueryStringParameters.js'
+
+export default function getRawQueryParams(url) {
+  const queryParams = parseQueryStringParameters(url) || {}
+  return Object.keys(queryParams)
+    .reduce(function reducer(accumulator, currentKey) {
+      accumulator.push(`${currentKey}=${queryParams[currentKey]}`)
+      return accumulator
+    }, [])
+    .join('&')
+}

package/src/utils/index.js

@@ -7,6 +7,7 @@ export { default as formatToClfTime } from './formatToClfTime.js'
 export { default as generateHapiPath } from './generateHapiPath.js'
 export { default as getApiKeysValues } from './getApiKeysValues.js'
 export { default as getHttpApiCorsConfig } from './getHttpApiCorsConfig.js'
+export { default as getRawQueryParams } from './getRawQueryParams.js'
 export { default as jsonPath } from './jsonPath.js'
 export { default as lowerCaseKeys } from './lowerCaseKeys.js'
 export { default as parseHeaders } from './parseHeaders.js'