add an authorization middleware to the example

sebsto · sebsto · commit 99fa4528e072 · 2025-09-05T19:29:00.000+02:00
diff --git a/Examples/quoteapi/Sources/LambdaAuthorizer/main.swift b/Examples/quoteapi/Sources/LambdaAuthorizer/main.swift
@@ -77,19 +77,23 @@ let simpleAuthorizerHandler:
 
         context.logger.debug("+++ Simple Authorizer called +++")
 
-        guard let authToken = request.headers["authorization"],
-            authToken == "Bearer 123"
+        guard let authToken = request.headers["authorization"]
         else {
-            context.logger.warning("Missing or invalid Authorization header")
+            context.logger.warning("Missing Authorization header")
             return .init(isAuthorized: false, context: [:])
         }
 
+        // do not take an authorization decision here.
+        // bring the token to the OpenAPI service and let the developer
+        // verify authorization there.
+
         return APIGatewayLambdaAuthorizerSimpleResponse(
             // this is the authorization decision: yes or no
             isAuthorized: true,
 
             // this is additional context we want to return to the caller
-            context: ["abc1": "xyz1"]
+            // these values can be retrieved in requestContext.authorizer of the APIGatewayv2 request
+            context: ["token": authToken]
         )
     }
 
diff --git a/Examples/quoteapi/Sources/QuoteAPI/AuthenticateUserMiddleware.swift b/Examples/quoteapi/Sources/QuoteAPI/AuthenticateUserMiddleware.swift
@@ -67,14 +67,16 @@ extension AuthenticationServerMiddleware: ServerMiddleware {
         next: @Sendable (HTTPRequest, HTTPBody?, ServerRequestMetadata) async throws -> (HTTPResponse, HTTPBody?)
     ) async throws -> (HTTPResponse, HTTPBody?) {
         // Extracts the `Authorization` value, if present.
+        // Even if when we use a Lambda authorizer, the original authorization header is forwarded
         // If no `Authorization` header field value was provided, no User is injected into
         // the task local.
         guard let authorizationHeaderFieldValue = request.headerFields[.authorization] else {
             return try await next(request, body, metadata)
         }
+
         // Delegate the authentication logic to the closure.
         let user = authenticate(authorizationHeaderFieldValue)
         // Inject the authenticated user into the task local and call the next middleware.
         return try await User.$current.withValue(user) { try await next(request, body, metadata) }
     }
-}
+}
diff --git a/Examples/quoteapi/Sources/QuoteAPI/QuoteService.swift b/Examples/quoteapi/Sources/QuoteAPI/QuoteService.swift
@@ -24,16 +24,23 @@ struct QuoteServiceImpl: APIProtocol, OpenAPILambdaHttpApi {
 
     let logger: Logger
 
-    func register(transport: OpenAPILambdaTransport, middlewares: [ServerMiddleware]) throws {
+    func register(transport: OpenAPILambdaTransport) throws {
+
         // you have a chance here to customize the routes, for example
         try transport.router.get("/health") { _, _ in
             "OK"
         }
+        logger.trace("Available Routes\n\(transport.router)")  // print the router tree (for debugging purposes)
 
+        // to log all request and their response, add a logging middleware
         let loggingMiddleware = LoggingMiddleware(logger: logger)
-        try self.registerHandlers(on: transport, middlewares: middlewares + [loggingMiddleware])
 
-        logger.trace("Available Routes\n\(transport.router)")  // print the router tree (for debugging purposes)
+        // This app includes a sample authorization middleware
+        // It transforms the bearer token into a username.
+        // The user can be access through a TaskLocal variable.
+        let authenticationMiddleware = self.authenticationMiddleware()
+
+        try self.registerHandlers(on: transport, middlewares: [loggingMiddleware, authenticationMiddleware])
     }
 
     static func main() async throws {
@@ -93,6 +100,10 @@ struct QuoteServiceImpl: APIProtocol, OpenAPILambdaHttpApi {
 
     func getQuote(_ input: Operations.getQuote.Input) async throws -> Operations.getQuote.Output {
 
+        // You can log events to the AWS Lambda logs here
+        guard let user = AuthenticationServerMiddleware.User.current else { return .unauthorized(.init()) }
+        logger.trace("GetQuote for \(user) - Started")
+
         let symbol = input.path.symbol
 
         var date: Date = Date()
@@ -111,6 +122,31 @@ struct QuoteServiceImpl: APIProtocol, OpenAPILambdaHttpApi {
             timestamp: date
         )
 
+        logger.trace("GetQuote - Returning")
+
         return .ok(.init(body: .json(price)))
     }
+
+    func authenticationMiddleware() -> AuthenticationServerMiddleware {
+        AuthenticationServerMiddleware(authenticate: { stringValue in
+            // Warning: this is an overly simplified authentication strategy, checking
+            // for well-known tokens.
+            //
+            // In your project, here you would likely call out to a library that performs
+            // a cryptographic validation, or similar.
+            //
+            // The code is for illustrative purposes only and should not be used directly.
+            switch stringValue {
+            case "123":
+                // A known user authenticated.
+                return .init(name: "Seb")
+            case "456":
+                // A known user authenticated.
+                return .init(name: "Nata")
+            default:
+                // Unknown credentials, no authenticated user.
+                return nil
+            }
+        })
+    }
 }
diff --git a/Examples/quoteapi/Sources/QuoteAPI/openapi.yaml b/Examples/quoteapi/Sources/QuoteAPI/openapi.yaml
@@ -50,5 +50,7 @@ paths:
                 $ref: '#/components/schemas/quote'
         400:
           description: Bad Request
+        401:
+          description: Authentication required
         404:
           description: Not Found
diff --git a/Examples/quoteapi/events/404.json b/Examples/quoteapi/events/404.json
@@ -0,0 +1,34 @@
+{
+  "rawQueryString": "",
+  "headers": {
+    "host": "b2k1t8fon7.execute-api.us-east-1.amazonaws.com",
+    "x-forwarded-port": "443",
+    "content-length": "0",
+    "x-amzn-trace-id": "Root=1-6571d134-63dbe8ee21efa87555d59265",
+    "x-forwarded-for": "191.95.148.219",
+    "x-forwarded-proto": "https",
+    "accept": "*/*",
+    "user-agent": "curl/8.1.2"
+  },
+  "requestContext": {
+    "apiId": "b2k1t8fon7",
+    "http": {
+      "sourceIp": "191.95.148.219",
+      "userAgent": "curl/8.1.2",
+      "method": "GET",
+      "path": "/undefined",
+      "protocol": "HTTP/1.1"
+    },
+    "timeEpoch": 1701957940365,
+    "domainPrefix": "b2k1t8fon7",
+    "accountId": "486652066693",
+    "time": "07/Dec/2023:14:05:40 +0000",
+    "stage": "$default",
+    "domainName": "b2k1t8fon7.execute-api.us-east-1.amazonaws.com",
+    "requestId": "Pk2gOia2IAMEPOw="
+  },
+  "isBase64Encoded": false,
+  "version": "2.0",
+  "routeKey": "$default",
+  "rawPath": "/undefined"
+}
diff --git a/Examples/quoteapi/events/GetQuote.json b/Examples/quoteapi/events/GetQuote.json
@@ -8,7 +8,8 @@
     "x-forwarded-for": "191.95.148.219",
     "x-forwarded-proto": "https",
     "accept": "*/*",
-    "user-agent": "curl/8.1.2"
+    "user-agent": "curl/8.1.2",
+    "authorization": "Bearer 123"
   },
   "requestContext": {
     "apiId": "b2k1t8fon7",
@@ -19,6 +20,11 @@
       "path": "/stocks/AAPL",
       "protocol": "HTTP/1.1"
     },
+    "authorizer": {
+            "lambda": {
+                "abc1": "xyz1"
+            }
+    },
     "timeEpoch": 1701957940365,
     "domainPrefix": "b2k1t8fon7",
     "accountId": "486652066693",
diff --git a/Sources/OpenAPILambdaHandler.swift b/Sources/OpenAPILambdaHandler.swift
@@ -39,7 +39,7 @@ public struct OpenAPILambdaHandler<OALS: OpenAPILambdaService>: LambdaHandler, S
     public init(withService openAPILambdaService: OALS) throws {
         self.openAPIService = openAPILambdaService
         self.transport = OpenAPILambdaTransport(router: TrieRouter())
-        try self.openAPIService.register(transport: self.transport, middlewares: [])
+        try self.openAPIService.register(transport: self.transport)
     }
 
     /// The Lambda handling method.
diff --git a/Sources/OpenAPILambdaService.swift b/Sources/OpenAPILambdaService.swift
@@ -27,8 +27,8 @@ public protocol OpenAPILambdaService: Sendable {
     /// Injects the transport.
     ///
     /// This is where your OpenAPILambdaService implementation must register the transport
-    func register(transport: OpenAPILambdaTransport, middlewares: [ServerMiddleware]) throws
-
+    func register(transport: OpenAPILambdaTransport) throws
+    
     /// Convert from `Event` type to `OpenAPILambdaRequest`
     /// - Parameters:
     ///   - context: Lambda context
@@ -55,13 +55,4 @@ extension OpenAPILambdaService {
     }
 }
 
-// extension OpenAPILambdaService {
 
-//     /// Injects the transport.
-//     /// This is a convenience method that provides an empty middleware list by default
-//     ///
-//     /// This is where your OpenAPILambdaService implementation must register the transport
-//     public func register(transport: OpenAPILambdaTransport, middleware: [ServerMiddleware] = []) throws {
-//         try register(transport: transport, middleware: middleware)
-//     }
-// }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ public struct OpenAPILambdaHandler<OALS: OpenAPILambdaService>: LambdaHandler, S`
`39`	`39`	`public init(withService openAPILambdaService: OALS) throws {`
`40`	`40`	`self.openAPIService = openAPILambdaService`
`41`	`41`	`self.transport = OpenAPILambdaTransport(router: TrieRouter())`
`42`		`- try self.openAPIService.register(transport: self.transport, middlewares: [])`
	`42`	`+ try self.openAPIService.register(transport: self.transport)`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`/// The Lambda handling method.`