feat: request authorizers with null identitySource should return 401 (#1618)

rion18 · web-flow · commit 48c5a18e6f3d · 2022-11-25T21:06:50.000-05:00
diff --git a/src/events/http/createAuthScheme.js b/src/events/http/createAuthScheme.js
@@ -78,9 +78,12 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {
         }
 
         if (authorization === undefined) {
-          throw new Error(
+          log.error(
             `Identity Source is null for ${identitySourceType} ${identitySourceField} (λ: ${authFunName})`,
           )
+          return Boom.unauthorized(
+            'User is not authorized to access this resource',
+          )
         }
 
         const identityValidationExpression = new RegExp(
diff --git a/tests/integration/request-authorizer/request-authorizer.test.js b/tests/integration/request-authorizer/request-authorizer.test.js
@@ -64,7 +64,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -78,6 +79,19 @@ describe('request authorizer tests', () => {
         path: '/user1-header',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user1-header',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 
@@ -106,7 +120,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -116,6 +131,19 @@ describe('request authorizer tests', () => {
         path: '/user1-querystring?query1=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user1-querystring',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 
@@ -152,7 +180,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -166,6 +195,19 @@ describe('request authorizer tests', () => {
         path: '/user2-header',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user2-header',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 
@@ -194,7 +236,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -204,6 +247,19 @@ describe('request authorizer tests', () => {
         path: '/user2-querystring?query2=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user2-querystring',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 
@@ -240,7 +296,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -254,6 +311,19 @@ describe('request authorizer tests', () => {
         path: '/user2simple-header',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user2simple-header',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 
@@ -282,7 +352,8 @@ describe('request authorizer tests', () => {
       },
 
       {
-        description: 'should fail with an Unauthorized error',
+        description:
+          'should fail with an Unauthorized error when identity source is explicitly not handled',
         expected: {
           error: 'Unauthorized',
           message: 'Unauthorized',
@@ -292,6 +363,19 @@ describe('request authorizer tests', () => {
         path: '/user2simple-querystring?query2simple=fc3e55ea-e6ec-4bf2-94d2-06ae6efe6e5c',
         status: 401,
       },
+
+      {
+        description:
+          'should fail with an Unauthorized error when identity source is not present on the request',
+        expected: {
+          error: 'Unauthorized',
+          message: 'User is not authorized to access this resource',
+          statusCode: 401,
+        },
+        options: {},
+        path: '/user2simple-querystring',
+        status: 401,
+      },
     ].forEach(doTest)
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -78,9 +78,12 @@ export default function createAuthScheme(authorizerOptions, provider, lambda) {`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`if (authorization === undefined) {`
`81`		`- throw new Error(`
	`81`	`+ log.error(`
`82`	`82`	`Identity Source is null for ${identitySourceType} ${identitySourceField} (λ: ${authFunName})`,
`83`	`83`	`)`
	`84`	`+ return Boom.unauthorized(`
	`85`	`+ 'User is not authorized to access this resource',`
	`86`	`+ )`
`84`	`87`	`}`
`85`	`88`
`86`	`89`	`const identityValidationExpression = new RegExp(`