AWS lambda basic-authentication without custom authorizer

Question

I have a problem with setting up the basic authentication for my AWS lambda function written in Node.js.

The problem:
AWS lambda function which is a proxy for an additional service. This function only forwards the whole request and give the user the whole response. That's why I need to force the usage of the Authentication header and I would like to have the prompt window for passing the credentials: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

Apart from the proxy part of my lambda function, I focused on the problem with authentication and I have written this code:

export const proxy = async (event) => {
    const authorizationHeader = event.headers.Authorization;
    if (typeof authorizationHeader === undefined) {
        throw new Error("Unauthorized");
    }
    ...
};

service:
  name: proxy-auth-test

plugins:
  - serverless-webpack

provider:
  name: aws
  runtime: nodejs8.10
  memorySize: 128
  timeout: 10

functions:
  proxy-async:
    handler: handler.proxy
    events:
      - http:
          method: get
          path: api/proxy

resources:
  Resources:
    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'

The endpoint is working properly, but I can't get the prompt window for passing the credentials. I set up the GatewayResponse according to this https://medium.com/@Da_vidgf/http-basic-auth-with-api-gateway-and-serverless-5ae14ad0a270 but I don't wanna provide the additional lambda function which is responsible only for authorization of the users.

In my case, I can't authorize the users before executing the final lambda function because this function only forwards the request (credentials too), nothing more.

Has anyone ever tried to setup basic auth with the prompt window without the additional authorizer with the usage of serverless and AWS lambda?

Answer 1

When returning a response from an integration the WWW-Authenticate is remapped to X-Amzn-Remapped-WWW-Authenticate (1). Browsers will not handle this remapped header so they don't show a prompt.

This means that you have to move your authorization logic to the Lambda Authorizer at a HTTP request level and return 'unauthorized' to the callback as stated in the medium link that you referenced. This is the only way to return a WWW-Authenticate header as of now.

Sources:

1: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html

Answer 2

You are not returning statusCode in the response. The article you are following seems to be using Custom Authorizer that always returns 401 status code with callback('Unauthorized'). Your Lambda function needs to return appropriate error code and headers.

if (typeof authorizationHeader === undefined) {
    return {
        statusCode: 401,
        body: 'unauthorized',
        headers: {
            'WWW-Authenticate': 'Basic'
        }
    }
}