5

I am using a lambda function as an authenticator for my HTTP API-Gateway and I figured three cases in Simple Response:

  1. when "isAuthenticated" = True --> 200 and the request goes through
  2. when "isAuthenticated" = False --> 403 and it returns Forbidden
  3. when Authentication key is missing in the header --> 401

I want to return 401 when "isAuthenticated" = False or find a way to send a 401 error code from the API-Gateway/authorizer. In the REST API-Gateway this is possible by raising an error/exception with "Unauthorized", but this is not possible for REST API-Gateway.

I have tried almost every way to send a response from the simple as well as the policy HTTP API-Gateway, like raising Exceptions/Error/callback, even returning null.

Is there a way for me to return 401 when the user is not authenticated? There are many similar questions on StackOverflow but mostly for REST API-Gateway, my question is specific to HTTP API-Gateway.

4 Answers

4

I'm late to this (stumbled here looking for something else) but the answer in short is this: NO, you can't.

HTTP API is specifically made to be simpler and less config thus less freedom to return the response codes you want.

For anyone coming across this here is a little more info on how simple lambda authorizers work for HTTP API (not REST API).

Using HTTP API, make the lambda authoriser have simple response format (not IAM). And return the following json from your function:

exports.handler = async (event) => {
    return {
        "isAuthorized": true, // or false
        "context": {
            "somethingLikeUserIdOptional": 123,
        }
    };
};

Returning isAuthorized = false, will cause HTTP Gateway to return a 403 (Forbidden) to the caller automatically. Omitting the required Identity Source (parameters/headers) for your authoriser will return a 401 Unauthorized without executing your lambda. Obviously isAuthorized = true returns a 200 Success, and it executes the next lambda for the API route with the stuff you put in context.

See here for more info: Lambda Authorizers AWS Docs

See here for details about status codes returned and a walkthrough: AWS Walkthrough from AWS Blog


2 Comments

Displeasing fact that the authorizer we hoped for to reduce the noise of exceptions (how the REST API authorizer was triggered to generate 401s) does not support giving 401 at all. Really basic functionality missing.

Any updates on this, since it was posted?
3

The Lambda authorizer will cause API Gateway v2 (HTTP API) to return 401 Unauthorized by returning this result:

return {errorMessage: "Unauthorized"};

The string must be "Unauthorized"; other values will result in a 500 Internal Server Error instead.

At the time of this writing, this feature appears to be undocumented.

You can also trigger a 401 response by throwing an error with the message "Unauthorized". However, this will cause the Lambda Errors metric to count it as a failed invocation, whereas returning an object with the errorMessage property is counted as a successful Lambda invocation.

2 Comments

Unfortunately, it returns 500 Internal Server Error
This works and should be accepted answer!
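A complete simple-response authorizer that exercises the outcomes described in the first answer (isAuthorized true/false) together with the `errorMessage: "Unauthorized"` path from this answer, as an added example that is not code from any of the answers. The `x-api-key` header name, the key format and the key store are constructed assumptions.

```javascript
// Simple-response Lambda authorizer for an HTTP API (API Gateway v2), Node.js.
// Three outcomes, as described in the answers above:
//   - valid, enabled key      -> { isAuthorized: true, context }  (request forwarded, 200)
//   - valid but disabled key  -> { isAuthorized: false }          (gateway returns 403)
//   - unknown/malformed key   -> { errorMessage: "Unauthorized" } (gateway returns 401;
//     undocumented per the answer above, and any other string yields a 500)
// If the configured identity source header is absent, API Gateway returns 401 before
// this function is invoked, so that case never reaches this code.

// Constructed sample key store (hypothetical): key -> { userId, enabled }.
const KEY_STORE = {
  "key-alice-0001": { userId: 42, enabled: true },
  "key-bob-0002":   { userId: 7,  enabled: false },
};

// Constant-time comparison so a wrong key does not leak how many leading
// characters matched through response timing.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Pure decision function; returns exactly the object the handler hands back.
function authorize(event) {
  // HTTP API v2 lowercases header names in event.headers.
  const presented = (event.headers && event.headers["x-api-key"]) || "";
  // Reject anything that is not shaped like a key before touching the store.
  if (typeof presented !== "string" || !/^[A-Za-z0-9-]{8,64}$/.test(presented)) {
    return { errorMessage: "Unauthorized" };            // -> 401
  }
  const match = Object.keys(KEY_STORE).find((k) => safeEqual(k, presented));
  if (!match) return { errorMessage: "Unauthorized" };  // -> 401
  const record = KEY_STORE[match];
  if (!record.enabled) return { isAuthorized: false };  // -> 403
  return { isAuthorized: true, context: { userId: record.userId } }; // -> 200
}

// Lambda entry point. Returning (not throwing) keeps the Lambda Errors metric clean.
const handler = async (event) => authorize(event);

if (typeof module !== "undefined") module.exports = { authorize, handler, safeEqual };
```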
0

The only way I found that worked:

exports.handler = (event, context, callback) => {
    return callback('Unauthorized');
};

It really returns 401 HTTP code correctly.

Source: AWS docs

Comments

-1

In your lambda you're able to set the response code and body and return this to the HTTP API Gateway. E.g.

exports.handler = async (event) => {
    const unauthorisedResponse = {
        statusCode: 401,
        body: "Unauthorised"
    };
    return unauthorisedResponse;
};

1 Comment

This does not work for HTTP lambda authorizer or any lambda authorizer. This only works if the lambda is used for integration, or if we are making an API using the lambda.
