0
votes

I am using a lambda function as an authenticator for my HTTP API-Gateway and I figured three cases in Simple Response-

  1. when "isAuthenticated" = True --> 200 and the request goes through
  2. when "isAuthenticated" = False --> 403 and it returns Forbidden
  3. when the Authentication key is missing in the header --> 401

I want to return 401 when "isAuthenticated" = False, or find a way to send a 401 error code from the API-Gateway/authorizer. In the REST API-Gateway this is possible by raising an error/exception with "Unauthorized", but this is not possible for REST API-Gateway.

I have tried almost every way to send a response from the simple as well as the policy HTTP API-Gateway, like raising Exceptions/Errors/callback, even returning null.

Is there a way for me to return 401 when the user is not authenticated? There are many similar questions on StackOverflow but mostly for REST API-Gateway, my question is specific to HTTP API-Gateway.

2 Answers

0
votes

In your lambda you're able to set the response code and body and return this to the HTTP API Gateway. E.g.

exports.handler = async (event) => {
    const unauthorisedResponse = {
        statusCode: 401,
        body: "Unauthorised"
    };
    return unauthorisedResponse;
};
0
votes

I'm late to this (stumbled here looking for something else) but the answer in short is this: NO, you can't.

HTTP API is specifically made to be simpler and need less config, thus less freedom to return the response codes you want.

For anyone coming across this here is a little more info on how simple lambda authorizers work for HTTP API (not REST API).

Using HTTP API, make the lambda authoriser use the simple response format (not IAM), and return the following JSON from your function:

exports.handler = async (event) => {
    // decide isAuthorized from event.headers / event.identitySource
    return {
        "isAuthorized": true,  // or false
        "context": {
            "somethingLikeUserIdOptional": 123
        }
    };
};

Returning isAuthorized = false will cause HTTP Gateway to return a 403 (Forbidden) to the caller automatically. Omitting the required Identity Source (parameters/headers) for your authoriser will return a 401 Unauthorized without executing your lambda. Obviously isAuthorized = true returns a 200 Success, and it executes the next lambda for the API route with the stuff you put in context.

See here for more info: Lambda Authorizers AWS Docs

See here for details about status codes returned and a walkthrough: AWS Walkthrough from AWS Blog