@goodgamestudios/aws-jwt-authorizer

A flexible JWT Authorizer for Serverless functions


aws-jwt-authorizer

A flexible JWT Authorizer function for AWS Lambda


aws-jwt-authorizer is heavily based on Mohamed's Authorizer and Secrets Manager and Chad's ggs-serverless-jwt.

This implementation adds the following:

  • The public key used to verify the JWT signature is:
    • loaded from Secrets Manager
    • looked up under a secret name derived from the issuer (iss) claim of the JWT; the issuer must also be in the configured allowlist, and a token whose issuer has no secret is rejected
    • cached in memory for a configurable amount of time
  • Almost all aspects of the Authorizer are configurable
  • Has automated tests

Usage

npm add @goodgamestudios/aws-jwt-authorizer

Then modify your serverless.yml to make use of this. Add the following function with a suitable name:

functions:
  ...
  jwt-authorizer:
    # Quoted: a plain YAML scalar may not start with '@'
    handler: '@goodgamestudios/aws-jwt-authorizer'
    name: service_stage_jwt-authorizer

Define the following environment variables:

provider:
  environment:
    JWT_AUTH_ISSUERS: A space or comma separated, case sensitive list of acceptable issuers
    GAME_STAGE: 'live' or 'test'

    # Optional
    # Keep this to asymmetric algorithms: the verification key is a public key,
    # so adding HS* would let anyone who can read it forge tokens.
    JWT_AUTH_ALGORITHMS: Defaults to 'RS256, RS384, RS512'
    # Seconds of clock skew tolerated when checking exp / nbf
    JWT_AUTH_CLOCK_TOLERANCE: 30
    # How long a public key fetched from Secrets Manager stays in memory
    AWS_SECRET_VALUE_TTL: e.g. '10 min', '20s' etc

In your existing functions, reference the authorizer by name:

functions:
  app:
    handler: existing_handler.app
    events:
      - http:
          path: "/path"
          method: get
          # This is the important bit!:
          authorizer:
            name: jwt-authorizer
            # API Gateway caches the returned policy per token value for this long,
            # so expiry or revocation takes effect up to 60 s late
            resultTtlInSeconds: 60
            identitySource: method.request.header.Authorization
            # Only gates the shape of the header; signature and claims are
            # checked by the authorizer itself
            identityValidationExpression: '^Bearer [-0-9a-zA-Z.+/=_]*$'


Advanced usage

createJwtAuthorizer is fully customizable. All arguments are optional.

const createJwtAuthorizer = require('@goodgamestudios/aws-jwt-authorizer/create')

module.exports = createJwtAuthorizer({
  algorithms: 'RS256', // string or array of strings; allowlist of accepted alg values
  issuer: ['myIssuer', 'myOtherIssuer'], // string or array of strings; allowlist of accepted iss values
  clockTolerance: 60, // seconds of skew tolerated for exp / nbf
  getToken(event) {…},
  getPublicKey(event, decodedToken) {…},
  shouldAllow(event, verifiedToken) {…}
})

  • getToken(event) - extract the JWT from the Lambda event
  • getPublicKey(event, decodedToken) - return the public key based on the event and decodedToken. The token is decoded but not yet verified at this point, so its claims (typically iss) may only be used to select a key, never to grant anything. The returned key is used to verify the token's signature.
  • shouldAllow(event, verifiedToken) - return true if access to the requested resource should be allowed, based on the event and the verifiedToken; this runs only after the signature and time claims have been checked