Zappa custom authorizer for cors flask

I am using Flask-CORS for my Python AWS Lambda API. I deployed it with Zappa and it worked as intended. However, CORS doesn't work with a custom authorizer inspired by https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/master/blueprints/python/api-gateway-authorizer-python.py

I changed the authorizer code to use try/except and generated a policy for the OPTIONS method in the except branch; however, the OPTIONS method still returns 401.

I am not opposed to a workaround if this makes the situation easier.

thanks

I tried one of the proposed solutions: setting the headers for 401 responses in API Gateway. Unfortunately, the browser's preflight check expects a successful status code.

Update: I went back over the implementation of my authorizer, and also considered using the AWS authentication service.

python amazon-web-services aws-lambda zappa flask-cors
2 answers

This API Gateway issue (which has been confirmed by AWS staff) has been around for several months.

Fortunately, a way to fix it using Gateway Responses was published recently (June 2017).

In the API Gateway console, go to your API and then to Gateway Responses.

(screenshot: Gateway Responses page)

Find Unauthorized (401) and add the following headers (you can use your own domains instead of '*', of course):

Access-Control-Allow-Headers: '*'
Access-Control-Allow-Origin: '*'

See the screenshot below:

(screenshot: Unauthorized gateway response with the headers added)

  • Getting 401 from your OPTIONS method in API Gateway is very unusual. I see 403 and missing CORS headers on OPTIONS calls quite often, but usually not 401. If there were a problem with your authorizer, I would expect 401 on the subsequent POST, not on the OPTIONS call.

  • You also mentioned that you changed the authorizer code in order to handle this.

Without seeing the API Gateway configuration I can't say for sure, but these two points suggest one possibility: it looks like your custom authorizer is attached to your OPTIONS method (in addition to POST or whatever you are actually trying to open up). It should not be.

For example, if you attach a custom authorizer of type TOKEN to the OPTIONS method of an API Gateway resource, and then make an OPTIONS call without an Authorization header, you will get 401.

A custom authorizer should only be attached to the methods you explicitly want to protect. In many cases that is just POST, but it may include others such as PUT, DELETE, etc.

If this does not help, you can update the question with your API Gateway configuration and the OPTIONS request/response headers.

UPDATE

I deployed a HelloWorld Flask application using Zappa and I think I was able to reproduce your problem. I used the blueprint you linked for the custom authorizer; changing policy.denyAllMethods() to policy.allowAllMethods() was the only change I made to it.

When I deploy, something like this is created:

(screenshot: APIG configuration without CORS)

I managed to get 401 from OPTIONS calls that did not contain an Authorization header.

I added "cors": true to my zappa_settings, which produced something that looks more like CORS:

(screenshot: APIG configuration with CORS)

This configuration looks better: no more 401 from OPTIONS, whether the Authorization header is present or not.

My zappa_settings with "cors": true added looks like this:

    {
        "dev": {
            "app_function": "hello.app",
            "aws_region": "us-east-1",
            "profile_name": null,
            "project_name": "flask",
            "runtime": "python3.6",
            "s3_bucket": "zappa-xxxxxxxxx",
            "cors": true
        },
        "authorizer": {
            "arn": "arn:aws:lambda:us-east-1:xxxxxxxxxxx:function:flask-authorizer",
            "result_ttl": 0
        }
    }
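A minimal TOKEN-type authorizer in the style of the blueprint linked in the question, added here as an illustration of the policy shape API Gateway expects (this is not code from the question, the answers, or the AWS blueprint); DEMO_BEARER_TOKEN and the sample ARNs are constructed placeholders standing in for real token validation. Note that it scopes the Allow statement to the invoked method ARN rather than "*", so a cached result cannot grant access to other methods.

```python
import hmac

# Constructed demo secret, stands in for real validation (JWT check, user store lookup, ...).
DEMO_BEARER_TOKEN = "demo-token-123"


def parse_method_arn(method_arn):
    """Split an API Gateway methodArn into its parts.

    Format: arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<resource>
    """
    arn_prefix, api_path = method_arn.split("/", 1)
    region, account, api_id = arn_prefix.split(":")[3:6]
    stage, http_method, resource = api_path.split("/", 2)
    return {"region": region, "account": account, "api_id": api_id,
            "stage": stage, "method": http_method, "resource": resource}


def build_policy(principal_id, effect, method_arn):
    """Build the IAM policy document an authorizer must return.

    The statement covers exactly the invoked method/resource, not "*", so a
    cached authorizer result only ever applies to that one method.
    """
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def lambda_handler(event, context=None):
    """TOKEN-type authorizer entry point.

    API Gateway hands the Authorization header value in event["authorizationToken"].
    A browser preflight (OPTIONS) carries no Authorization header, so an authorizer
    attached to OPTIONS can only produce 401, which is the failure in the question;
    the fix is to attach the authorizer only to the methods being protected.
    """
    token = event.get("authorizationToken", "").encode()
    expected = ("Bearer " + DEMO_BEARER_TOKEN).encode()
    parts = parse_method_arn(event["methodArn"])
    if not hmac.compare_digest(token, expected):
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    return build_policy("demo-user", "Allow", event["methodArn"])
```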
