Chalice: Unauthorized and forbidden error

Created on 25 Oct 2018 · 2 Comments · Source: aws/chalice

The documentation says that in order to return a 401 Unauthorized we have to:

```python
# By specifying an empty list of routes,
# we're saying this user is not authorized
# for any URLs, which will result in an
# Unauthorized response.
return AuthResponse(routes=[], principal_id='user')
```

But this is not true, because in this way the Authorizer produces:

```http
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 60
Content-Type: application/json
Date: Tue, 23 Oct 2018 16:56:01 GMT
Via: *** *********************************************** ************
X-Amz-Cf-Id: ********************************************************
X-Cache: Error from cloudfront
x-amz-apigw-id: ****************
x-amzn-ErrorType: AccessDeniedException
x-amzn-RequestId: ************************************

{
    "Message": "User is not authorized to access this resource"
}
```

```text
API-Gateway-Execution-Logs_**********/dev ******************************** 2018-10-23T16:56:01.286Z (************************************) Successfully completed authorizer execution
API-Gateway-Execution-Logs_**********/dev ******************************** 2018-10-23T16:56:01.287Z (************************************) The client is not authorized to perform this operation.
```

If instead I try to use `UnauthorizedError`, it will produce:

```http
HTTP/1.1 500 Internal Server Error
Connection: keep-alive
Content-Length: 16
Content-Type: application/json
Date: Tue, 23 Oct 2018 16:53:08 GMT
Via: *** *********************************************** ************
X-Amz-Cf-Id: ********************************************************
X-Cache: Error from cloudfront
x-amz-apigw-id: ****************
x-amzn-ErrorType: AuthorizerConfigurationException
x-amzn-RequestId: ************************************

{
    "message": null
}
```

```text
API-Gateway-Execution-Logs_**/dev ********* 2018-10-23T16:53:08.992Z (**********) Execution failed due to configuration error: Authorizer function failed with response body: {"errorMessage": "UnauthorizedError: Authorization failed", "errorType": "UnauthorizedError", "stackTrace": [["/var/task/chalice/app.py", 789, "__call__", "result = self.func(auth_request)"], ["/var/task/app.py", 82, "with_profiling", "ret = fn(args, **kwargs)"], ["/var/task/app.py", 440, "user_auth", "raise UnauthorizedError('Authorization failed')"]]}
```

The right way to produce a `401 Unauthorized` is to `raise Exception('Unauthorized')`:

```http
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 26
Content-Type: application/json
Date: Tue, 23 Oct 2018 16:51:02 GMT
Via: *** *********************************************** ************
X-Amz-Cf-Id: ********************************************************
X-Cache: Error from cloudfront
x-amz-apigw-id: ****************
x-amzn-ErrorType: UnauthorizedException
x-amzn-RequestId: ************************************

{
    "message": "Unauthorized"
}
```

```text
API-Gateway-Execution-Logs_**********/dev ******************************** 2018-10-23T16:51:02.286Z (d31c7d2e-d6e3-11e8-9223-552ce5a2e72f) Unauthorized request: ************************************
```

So I think that the documentation and the examples are misleading.

documentation

All 2 comments

I can confirm the example/documentation does not look correct, especially for the empty list part. We will look to get it updated. Here is the app I was testing with for reference:

```python
from chalice import Chalice, AuthResponse, UnauthorizedError

app = Chalice(app_name='auth')

@app.authorizer(ttl_seconds=300)
def dummy_auth(auth_request):
    # A good token gets a policy that allows only /builtin; anything else
    # raises a plain Exception('Unauthorized'), which API Gateway maps to 401.
    if auth_request.token == 'allow':
        return AuthResponse(routes=['/builtin'], principal_id='user')
    else:
        raise Exception('Unauthorized')


@app.route('/builtin', authorizer=dummy_auth)
def index():
    return {'hello': 'world'}
```
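Putting the three outcomes from this thread side by side, as an added example that is not Chalice's, API Gateway's, or the maintainer's code: the block below is an offline model of how API Gateway turns a TOKEN authorizer's outcome into an HTTP status, using the mapping captured in the issue (empty `routes` gives 403 `AccessDeniedException`, `chalice.UnauthorizedError` gives 500 `AuthorizerConfigurationException`, a plain `Exception('Unauthorized')` gives 401 `UnauthorizedException`). The `_AuthRequest`, `_AuthResponse` and `_ChaliceUnauthorizedError` classes are stand-ins so the file runs without Chalice deployed; the "errorMessage must be exactly `Unauthorized`" rule is API Gateway's documented 401 trigger, and the route match is simplified to a path-string comparison rather than a real IAM policy evaluation. It lets you unit-test an authorizer's failure modes before deploying.

```python
# Added example: offline model of API Gateway's authorizer status mapping.
# Not Chalice or API Gateway code; the _-prefixed classes are stand-ins.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class _AuthRequest:
    """Stand-in for the object Chalice hands to an @app.authorizer function."""
    token: Optional[str]


@dataclass
class _AuthResponse:
    """Stand-in for chalice.AuthResponse. routes=[] means a Deny-everything policy."""
    routes: List[str]
    principal_id: str


class _ChaliceUnauthorizedError(Exception):
    """Stand-in for chalice.UnauthorizedError. Chalice prefixes the message with
    the class name, which is why the Lambda errorMessage in the issue reads
    'UnauthorizedError: Authorization failed' rather than 'Unauthorized'."""

    def __init__(self, msg: str) -> None:
        super().__init__("UnauthorizedError: " + msg)


def gateway_invoke(authorizer: Callable[[_AuthRequest], _AuthResponse],
                   token: Optional[str],
                   path: str = "/builtin") -> Tuple[int, str, dict]:
    """Return (status, x-amzn-ErrorType, body) as API Gateway did in the issue.

    exception whose message is exactly 'Unauthorized' -> 401 UnauthorizedException
    any other exception (Lambda reports a failure)    -> 500 AuthorizerConfigurationException
    policy that does not cover the requested route    -> 403 AccessDeniedException
    policy that covers the route                      -> the view runs (200)
    """
    try:
        response = authorizer(_AuthRequest(token=token))
    except Exception as exc:
        if str(exc) == "Unauthorized":
            return 401, "UnauthorizedException", {"message": "Unauthorized"}
        return 500, "AuthorizerConfigurationException", {"message": None}
    # Simplification: a real deployment compares the policy against the method ARN.
    if "*" in response.routes or path in response.routes:
        return 200, "", {"hello": "world"}
    return 403, "AccessDeniedException", {
        "Message": "User is not authorized to access this resource"}


# The three authorizer variants discussed in the issue.

def auth_empty_routes(req: _AuthRequest) -> _AuthResponse:
    """Documented pattern: an empty route list is a Deny policy, so the caller
    is treated as authenticated-but-forbidden (403), not unauthenticated (401)."""
    return _AuthResponse(routes=[], principal_id="user")


def auth_raise_chalice_error(req: _AuthRequest) -> _AuthResponse:
    """Raising chalice.UnauthorizedError: the message is not exactly
    'Unauthorized', so the failed Lambda is reported as a config error (500)."""
    raise _ChaliceUnauthorizedError("Authorization failed")


def auth_correct(req: _AuthRequest) -> _AuthResponse:
    """Maintainer's pattern: allow /builtin for the good token, otherwise raise
    a plain Exception whose message is exactly 'Unauthorized' (401)."""
    if req.token == "allow":
        return _AuthResponse(routes=["/builtin"], principal_id="user")
    raise Exception("Unauthorized")


def status_table() -> dict:
    """Status each variant yields for a bogus token, plus the allow case."""
    return {
        "empty_routes": gateway_invoke(auth_empty_routes, "bogus")[0],
        "chalice_error": gateway_invoke(auth_raise_chalice_error, "bogus")[0],
        "plain_exception": gateway_invoke(auth_correct, "bogus")[0],
        "allow": gateway_invoke(auth_correct, "allow")[0],
    }


if __name__ == "__main__":
    for name, status in status_table().items():
        print(f"{name:16s} -> {status}")
```

The security-relevant distinction the model makes explicit: a Deny policy (empty `routes`) means "I know who you are and you may not have this", while a 401 means "present credentials"; conflating them changes what a client retries and what your logs say about an unauthenticated probe versus a privilege check failing. The 500 case is worse than either, since it leaks nothing useful to the client but surfaces in monitoring as an authorizer outage rather than a rejected caller.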

This behaviour also seems to be inconsistent with the local server.
