【Question Title】: Serverless framework - Lambda function with Authorizer COGNITO_USER_POOLS always returns "Unauthorized"
【Posted】: 2020-02-05 04:32:44
【Question】:

I cannot figure out what is wrong with my authorization.

I have a Hello function that just returns a simple static message. If I deploy it without setting an "authorizer", it works; I have tested it in Postman. The problem starts when I try to add the authorizer.

My Cognito works fine. On my front end I can sign up, then log in, and then get the token from this login session.

When I go to Postman to test it, I always get the "Unauthorized" answer. In Postman I test the GET method; on the "Headers" tab I add the "Authorization" attribute and paste the value of the token I got from the login session. I also tested this with the "bearer" prefix in the value field, which some places recommend. No success.

I have been trying to solve this for the past week. Please, any help would be very useful.

serverless.yml

provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: eu-west-1
  environment: 
    MY_TABLE: ${self:custom.myStage}_${self:custom.settings.tb_items}
    MY_STAGE: ${self:custom.myStage}
    MY_DOMAIN: ${self:custom.myDomain}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "dynamodb:GetItem"
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
        - "dynamodb:DeleteItem"
        - "dynamodb:Scan"
      Resource: "*"

functions:
  hello:
    handler: ${self:custom.pathFunc}/phraseOption.hello
    events:
      - http: 
          method: GET 
          path: hello
          cors: true
          integration: lambda-proxy
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer

resources:
  Resources:
    CognitoUserPool:
      Type: "AWS::Cognito::UserPool"
      DeletionPolicy: Retain
      Properties:
        MfaConfiguration: OFF
        UserPoolName: ${self:custom.myStage}_aePool
        EmailVerificationSubject: 'Your verification Code'
        EmailVerificationMessage: 'Use this code to confirm your sign up {####}'
        AutoVerifiedAttributes:
          - email
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: False
            RequireSymbols: False
            RequireUppercase: False
    CognitoUserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      DeletionPolicy: Retain
      Properties:
        ClientName: ${self:custom.myStage}_aePoolClient
        GenerateSecret: False
        UserPoolId:
          Ref: CognitoUserPool
    ApiGatewayAuthorizer: 
      Type: AWS::ApiGateway::Authorizer
      Properties: 
        Name: CognitoUserPool
        Type: COGNITO_USER_POOLS
        IdentitySource: method.request.header.Authorization
        RestApiId: 
          Ref: ApiGatewayRestApi
        ProviderARNs: 
          - Fn::GetAtt:
              - CognitoUserPool
              - Arn

phraseOptions.js

// Lambda proxy handler: returns a static message plus the raw event so the
// request (including the Authorization header seen by API Gateway) can be inspected
module.exports.hello = (event, context, callback) => {
  const response = {
    statusCode: 200,
    body: JSON.stringify({
      message: 'Your function executed successfully!',
      input: event,
    }),
  };

  callback(null, response);
};

I can see the function was created with the correct Auth:

Also the Authorizer was created as expected (I guess):

Swagger

---
swagger: "2.0"
info:
  version: "2019-10-07T21:24:17Z"
  title: "XXXXXX"
host: "XXXXXX"
basePath: "/dev"
schemes:
- "https"
paths:
  /getPhrase:
    get:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /hello:
    get:
      responses: {}
      security:
      - CognitoUserPool: []
  /item:
    post:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /item/{itemId}:
    get:
      responses: {}
    put:
      responses: {}
    delete:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
  /items:
    get:
      responses: {}
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Credentials:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
securityDefinitions:
  CognitoUserPool:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "cognito_user_pools"

【Question Discussion】:

  • Could you also share the swagger file?
  • I am new to Serverless, ok? As far as I know, I am not using any Swagger file.
  • Done. I just added it. Thanks also for explaining how to provide this information =)

Tags: aws-lambda aws-api-gateway amazon-cognito serverless-framework unauthorized


【Solution 1】:

I have figured out what was wrong!

The server side is fine. The problem with testing it on Postman was the token. I was using "cognitoUser.signInUserSession.accessToken.jwtToken", but it should be "cognitoUser.signInUserSession.idToken.jwtToken".

Now everything works.

【Discussion】:

  • Wish I could upvote more than once; I have spent hours on exactly the same problem.