
I have a Lambda function which basically authenticates against the password stored in AWS Secrets Manager. The Secrets Manager path is the username, and it holds the value for the password. The password needs to be passed in the header and the username in the query. When I access the URL https://{myawsurl}.execute-api.{region}.amazonaws.com/demo/{username} in a browser, I get the error "password is missing in the header" (which is expected). When I hit the URL using Fiddler I get 502 all the time.

My API Gateway is simply a GET to the Lambda function below:

const aws = require("aws-sdk");

const sm = new aws.SecretsManager({ region: 'us-east-1' })

// Fetch the secret whose name is the username and parse its JSON value ({"password": ...})
const getSecrets = async (SecretId) => {
    return await new Promise((resolve, reject) => {
        sm.getSecretValue({ SecretId }, (err, result) => {
            if (err) {
                reject(err);
            }
            else {
                resolve(JSON.parse(result.SecretString));
            }
        });
    });
}

const main = async (event) => {
    console.log("Event: ", event);
    try {
        // username comes from ?username=... or from the /{username} path parameter
        const username = event.queryStringParameters ? event.queryStringParameters.username : (event.pathParameters ? event.pathParameters.username : null);
        if (username === null || username === undefined || username.trim().length === 0) {
            return {
                statusCode: 400,
                headers: {
                    "Content-Type": "application/json"
                },
                body: "username is missing in the url. Please add `/?username={username}` or `/{username}` in the url"
            };
        }

        const password = event.headers ? event.headers.password : null;
        if (password === null || password === undefined || password.trim().length === 0) {
            return {
                statusCode: 400,
                headers: {
                    "Content-Type": "application/json"
                },
                body: "password is missing in the header"
            };
        }

        const secrets = await getSecrets(username);
        if (password !== secrets.password) {
            return {
                statusCode: 403,
                headers: {
                    "Content-Type": "application/json"
                },
                body: "Incorrect username/password"
            };
        }

        return {
            statusCode: 200,
            headers: {
                "Content-Type": "application/json"
            },
            body: "User is Authenticated"
        };
    } catch (e) {
        return {
            statusCode: 404,
            headers: {
                "Content-Type": "application/json"
            },
            body: e.message
        };
    }
}

exports.handler = main;

My Fiddler request is below:

GET https://{myawsurl}.execute-api.{region}.amazonaws.com/demo/{username} HTTP/1.1
password: MyTestPassword

I saw other posts where they mentioned having a statusCode and the body being a string. I have those but am still getting the error...

I added/removed the headers: { "Content-Type": "application/json" } from the response and it made no difference.

EDIT: Another thing I noticed is that whenever I access the API Gateway URL via the browser, it gets logged in my API's log group. But when it is accessed using Fiddler it doesn't log. Not sure why...

EDIT: After the suggestion from @ArunK, I used Postman and found that it returns the expected response from the API Gateway. I assume some settings in Fiddler may be causing this to happen.

Your code looks perfect to me. In Postman, can you disable the auto-generated Accept-Encoding header and see if it's working? I remember I sort of played around with that setting some time ago. - Arun K
This is interesting. In Postman, it returns 200 with the response body. I didn't have to make the changes @ArunK suggested above. But Fiddler is still returning 502... - user007
Now I remember, I never tested using Postman even though I said that I did in the post. I tested only in Fiddler and that is not working even now. At this point, I would assume it is some sort of setting or additional headers which are passed in Fiddler that may be causing this issue. I would continue with Postman. Thanks @ArunK. Your suggestion made me use Postman. I have updated the question accordingly. - user007
Go to Tools -> Options -> Https and verify the following exists under Protocols - <client>;ssl3;tls1.0;tls1.1;tls1.2 - Amit Baranes
@AmitBaranes: That was it. Can you add it as an answer so that I can accept it? - user007

1 Answer


Looks like the issue is related to the TLS version supported by Fiddler. You need to include TLS 1.0 and 1.2 since AWS API Gateway supports these TLS versions.

From the docs:

A security policy is a predefined combination of minimum TLS version and cipher suite offered by Amazon API Gateway. You can choose either a TLS version 1.2 or TLS version 1.0 security policy.

Go to Tools -> Options -> Https and verify the following exists under Protocols - <client>;ssl3;tls1.0;tls1.1;tls1.2

More about Fiddler and Modern TLS Versions.