1

我在我的架构中使用 Cognito、API Gateway 和 Lambda 函数。

在客户端上,我使用 AWS Amplify.API 发出请求,并且该请求在到达 API 网关后由 Cognito 授权。如果请求被授权,它会被传递给 Lambda 函数,我需要在其中访问发出请求的登录用户,以便能够运行我的业务逻辑。

在 Lambda 函数的上下文中,我可以访问一些环境变量,我CognitoUserPoolId就是其中之一。

我还可以访问通过 API 传递的任何请求,位于event.

{
  "tok": {
    "resource": "/some_resource",
    "path": "/some_resource",
    "httpMethod": "GET",
    "headers": {
      "Accept": "application/json",
      "Accept-Encoding": "gzip, deflate, br",
      "Accept-Language": "en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4",
      "CloudFront-Forwarded-Proto": "https",
      "CloudFront-Is-Desktop-Viewer": "true",
      "CloudFront-Is-Mobile-Viewer": "false",
      "CloudFront-Is-SmartTV-Viewer": "false",
      "CloudFront-Is-Tablet-Viewer": "false",
      "CloudFront-Viewer-Country": "SE",
      "content-type": "application/json",
      "Host": "XXXXXX.execute-api.eu-central-1.amazonaws.com",
      "origin": "http://localhost:8080",
      "Referer": "http://localhost:8080/some_resource",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "cors",
      "sec-fetch-site": "cross-site",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
      "Via": "2.0 XXXXXXXXXXXX.cloudfront.net (CloudFront)",
      "X-Amz-Cf-Id": "XXXXXXXXXXXXXXXXXXXXXXXXTelrg==",
      "x-amz-date": "20200527T233945Z",
      "x-amz-security-token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8fR",
      "X-Amzn-Trace-Id": "Root=1-5XXXXa41-730XXXXXXXXXXabe42f1",
      "X-Forwarded-For": "XXX.XXX.XX.XXX, XXX.XXX.XXX.XXX",
      "X-Forwarded-Port": "443",
      "X-Forwarded-Proto": "https"
    },
    "multiValueHeaders": {
      "Accept": [
        "application/json"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br"
      ],
      "Accept-Language": [
        "en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4"
      ],
      "CloudFront-Forwarded-Proto": [
        "https"
      ],
      "CloudFront-Is-Desktop-Viewer": [
        "true"
      ],
      "CloudFront-Is-Mobile-Viewer": [
        "false"
      ],
      "CloudFront-Is-SmartTV-Viewer": [
        "false"
      ],
      "CloudFront-Is-Tablet-Viewer": [
        "false"
      ],
      "CloudFront-Viewer-Country": [
        "SE"
      ],
      "content-type": [
        "application/json"
      ],
      "Host": [
        "XXXXXX.execute-api.eu-central-1.amazonaws.com"
      ],
      "origin": [
        "http://localhost:8080"
      ],
      "Referer": [
        "http://localhost:8080/some_resource"
      ],
      "sec-fetch-dest": [
        "empty"
      ],
      "sec-fetch-mode": [
        "cors"
      ],
      "sec-fetch-site": [
        "cross-site"
      ],
      "User-Agent": [
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
      ],
      "Via": [
        "2.0 XXXXXXXXXXXX.cloudfront.net (CloudFront)"
      ],
      "X-Amz-Cf-Id": [
        "XXXXXXXXXXXXXXXXXXXXXXXXTelrg=="
      ],
      "x-amz-date": [
        "20200527T233945Z"
      ],
      "x-amz-security-token": [
        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8fR"
      ],
      "X-Amzn-Trace-Id": [
        "Root=1-5XXXXa41-730XXXXXXXXXXabe42f1"
      ],
      "X-Forwarded-For": [
        "XXX.XXX.XX.XXX, XXX.XXX.XXX.XXX"
      ],
      "X-Forwarded-Port": [
        "443"
      ],
      "X-Forwarded-Proto": [
        "https"
      ]
    },
    "queryStringParameters": null,
    "multiValueQueryStringParameters": null,
    "pathParameters": null,
    "stageVariables": null,
    "requestContext": {
      "resourceId": "5qXXXXXXX",
      "resourcePath": "/some_resource",
      "httpMethod": "GET",
      "extendedRequestId": "NNwKXXXXXXXXX=",
      "requestTime": "27/May/2020:23:39:45 +0000",
      "path": "/dev/some_resource",
      "accountId": "18XXXXXXXX",
      "protocol": "HTTP/1.1",
      "stage": "dev",
      "domainPrefix": "XXXXXX",
      "requestTimeEpoch": 1590622785474,
      "requestId": "XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
      "identity": {
        "cognitoIdentityPoolId": "eu-central-1:XXXXXX-YYY-YYYY-YYYY-YYYYY",
        "accountId": "181606720624",
        "cognitoIdentityId": "eu-central-1:XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
        "caller": "SOME_STRING_HERE:CognitoIdentityCredentials",
        "sourceIp": "XXX.XXX.XXX.XXX",
        "principalOrgId": null,
        "accessKey": "ACCESS_KEY_HERE",
        "cognitoAuthenticationType": "authenticated",
        "cognitoAuthenticationProvider": "cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXX,cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXX:CognitoSignIn:XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
        "userArn": "arn:aws:sts::XXXXXX:assumed-role/amplify-XXXXXX-dev-XXXXXX-authRole/CognitoIdentityCredentials",
        "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
        "user": "SOME_STRING_HERE:CognitoIdentityCredentials"
      },
      "domainName": "XXXXXX.execute-api.eu-central-1.amazonaws.com",
      "apiId": "XXXXXX"
    },
    "body": null,
    "isBase64Encoded": false
  }
}

有了所有这些信息,我如何访问发出请求的用户的用户属性?

我一直在研究: Boto3 CognitoIdentityProvider.get_user()Boto3 CognitoIdentityProvider.admin_get_user(),但是在 Lambda 函数的上下文中两者都需要AccessTokenoruserId并且两者都不可用。我想到的唯一方法是在请求的有效负载中传递一些额外的信息,但这似乎并不是真正检索用户属性的最佳方法。

编辑

我没有在 API 上使用自定义授权方。在使用 Amplify 设置 API 时,我选择了受保护的路径,并且所有请求都针对 Cognito 用户池进行了身份验证/授权。之后amplify push我可以看到部署的 APIAWS_IAMAuth所有资源的方法请求下。

Amplify.API.get发出请求时包括授权标头,更具体地说:

:authority: XXXXXX.execute-api.eu-central-1.amazonaws.com
:method: GET
:path: /dev/some_resource
:scheme: https
accept: application/json
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4
authorization: AWS4-HMAC-SHA256 Credential=ASIAXXXXXXXX/20200528/eu-central-1/execute-api/aws4_request, SignedHeaders=accept;content-type;host;x-amz-date;x-amz-security-token, Signature=b6a7aXXX1c447bXXX...XXX
content-type: application/json
origin: http://localhost:8080
referer: http://localhost:8080/dashboard
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
x-amz-date: 20200528T075958Z
x-amz-security-token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...XXXXXXXXXX

API 资源通过 Lambda 代理集成集成到 Lambda 函数。我可以看到正在调用 Lambda 函数,因此请求已被授权。但是,我event在 Lambda 中所拥有的只是我在上面第一个剪辑中粘贴的内容。

鉴于这是一个代理集成,我希望 API 上下文中的所有内容都应该转发到 API 后面的 Lambda。但是,我看不到如何使用我在 Lambda 中提供的任何信息来访问 user_attributes。任何指针?

编辑 2

我现在正在研究使用自定义标头从客户端传递与用户相关的数据,可能类似于:

'x-user-sub': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'

然后在我的 Lambda 函数中使用以下内容来获取用户属性:

  c_client = boto3.client('cognito-idp')
  response = c_client.admin_get_user(
    UserPoolId='eu-central-1_XXXXXX',
    Username='58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'
  )

以上返回:

{
  'Username': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43',
  'UserAttributes': [
    {
      'Name': 'sub',
      'Value': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'
    },
    {
      'Name': 'email_verified',
      'Value': 'true'
    },
    {
      'Name': 'phone_number_verified',
      'Value': 'true'
    },
    {
      'Name': 'phone_number',
      'Value': '+46XXXXXXXXXX'
    },
    {
      'Name': 'email',
      'Value': 'XXXXXX.XXXXX@YYYY.com'
    }
  ],
  'UserCreateDate': datetime.datetime(2020, 5, 14, 15, 43, 3, 370000, tzinfo=tzlocal()),
  'UserLastModifiedDate': datetime.datetime(2020, 5, 15, 16, 32, 43, 424000, tzinfo=tzlocal()),
  'Enabled': true,
  'UserStatus': 'CONFIRMED',
  'ResponseMetadata': {
    'RequestId': 'e441edd4-XXX-46ba-XXX-922691471f2c',
    'HTTPStatusCode': 200,
    'HTTPHeaders': {
      'date': 'Thu, 28 May 2020 12:58:18 GMT',
      'content-type': 'application/x-amz-json-1.1',
      'content-length': '431',
      'connection': 'keep-alive',
      'x-amzn-requestid': 'e441edd4-XXX-46ba-XXX-922691471f2c'
    },
    'RetryAttempts': 0
  }
}

这个解决方案有什么明显的我遗漏的吗?我是否通过sub在客户标头中传递任何安全风险?

很感谢任何形式的帮助。

4

1 回答 1

1

我认为这里的这篇文章可能会对您有所帮助。

特别是这部分:

API Gateway 的 Cognito 用户池授权者

API Gateway 最近推出了对 Cognito 用户池授权器的支持。如果您使用 Cognito 用户池授权者,则无需设置自己的自定义授权者来验证令牌。使用 Cognito 用户池授权器配置 API 方法后,您可以将 Authorization 标头中未过期的 ID 令牌传递给您的 API 方法。如果它是您的用户池用户的有效 ID 令牌,则您可以使用“$context.authorizer.claims”访问 API 中的所有 ID 令牌声明。

例如,“$context.authorizer.claims.email”将返回用户的电子邮件地址,“$context.authorizer.claims.sub”将返回您用户的唯一标识符。如果 ID 令牌已过期或无效,Cognito 用户池授权方将向调用方发送未授权 (401) 响应。

这里有一些关于如何覆盖 apigateway 请求/响应参数的示例

在这里,您可以看到如何设置集成以及将哪些数据传递到 API 网关。

值得检查数据映射访问记录的参考

于 2020-05-28T07:33:10.430 回答