Enforcer frameworksAWSAPI Gateway-REST API Gateway-Lambda Authorizer

Installation

The AWS API Gateway Lambda Enforcer works using API Gateway’s Lambda authorizer. The enforcer is provided as a Node.js NPM package that can be integrated into an existing Lambda authorizer or used to create a brand new Lambda authorizer.

Prerequisites

  1. An AWS REST API Gateway
  2. Node.js and NPM

Installation

Installing the enforcer consists of three main steps:

  1. Building and deploying the authorizer to AWS Lambda.
  2. Connecting the Lambda authorizer to API Gateway.
  3. Configuring first party resources in API Gateway.

Building and Deploying the Authorizer

  1. Install the enforcer package in your Node.js authorizer project.
1npm install @humansecurity/aws-api-gateway-lambda-authorizer-enforcer
  1. Integrate the enforcer into your authorizer code. The following index.ts file can be used as a basis.
1// index.ts
2import { Enforcer, Config, Res } from "@humansecurity/aws-api-gateway-lambda-authorizer-enforcer";
3
4const pxConfig = {
5  px_app_id: "<APP_ID>",
6  px_cookie_secret: "<COOKIE_SECRET>",
7  px_auth_token: "<AUTH_TOKEN>",
8  px_custom_first_party_prefix: "/<STAGE_NAME>/<APP_ID_SUFFIX>/"
9  // ... other configuration options
10};
11
12// initialize config outside the handler
13const config = new Config(pxConfig);
14
15// define an authorizer handler
16export const handler = async (req: APIGatewayRequestAuthorizerEvent): Promise<Res> => {
17  // create a new enforcer
18  const enforcer = new Enforcer(config);
19  // call enforce and await the response
20  // as early as possible in the Lambda flow
21  let response = await enforcer.enforce(req);
22
23  // if a response exists, return it immediately
24  // as no further processing is required
25  if (response) {
26    return response;
27  }
28
29  // include your custom authorization logic
30  response = {
31    principalId: "*",
32    policyDocument: {
33      Version: "2012-10-17",
34      Statement: [
35        {
36          Action: "execute-api:Invoke",
37          Effect: "Allow",
38          Resource: req.methodArn
39        }
40      ]
41    },
42    context: {}
43  };
44
45  // after creating your response, call postEnforce
46  await enforcer.postEnforce(req, response);
47  // return the response from the handler
48  return response;
49};
  1. Package and deploy the Lambda code. (Here, we use esbuild to compile the TypeScript file to ./dist/index.js, which can be deployed to the Lambda.)
1esbuild ./index.ts --bundle --minify --sourcemap --platform=node --target=es2020 --outfile=dist/index.js

Connecting the Lambda Authorizer to API Gateway

  1. Create a Lambda authorizer in your API gateway with the following features:
    • Type: REQUEST
    • Cache: no cache
1aws apigateway create-authorizer \
2--rest-api-id <rest api id> \
3--name <name> \
4--type REQUEST \
5--authorizer-uri <uri to lambda> \
6--authorizer-credentials <IAM Role arn> \
7--authorizer-result-ttl-in-seconds 0
  1. Configure custom response page so that the enforcer can return the captcha pages properly. If the enforcer decides to block it returns “Deny” response and sets the authorizer context.pxResponseBody with the block page (HTML or JSON). Therefore, you should change the API Gateway response to display this response body instead of the default.
1aws apigateway put-gateway-response \
2--rest-api-id <rest api id> \
3--response-type ACCESS_DENIED \
4--response-templates 'text/html=\$context.authorizer.pxResponseBody,application/json=\$context.authorizer.pxResponseBody'
  1. Enable CORS for the relevant resources in the API Gateway. Check the box to enable CORS for the Access Denied authorizer response as well.
Enabling Auto-ABR

If your front-end JavaScript makes XHR calls to the API Gateway and you would like to use the Auto-ABR functionality, be sure to add the API Gateway domain to the custom ABR domains variable in the front-end JavaScript snippet. See here for more information.

Configure First Party Resources in API Gateway

  1. Unless the first party feature is disabled, first party resources must be configured in the API Gateway. The resource type should be HTTP_PROXY, as they should proxy to HUMAN Security servers. Add the following three main resources:
    • sensor script
    • captcha script
    • xhr requests
pathdestinationmethod
/APP_ID_SUFFIX/init.jshttps://client.perimeterx.net/`APP_ID`/main.min.jsGET
/APP_ID_SUFFIX/captcha/{proxy+}https://captcha.px-cdn.net/`APP_ID`/`{proxy}`GET
/APP_ID_SUFFIX/xhr/{proxy+}https://collector-`APP_ID`.perimeterx.net/`{proxy}`ANY
  • APP_ID - the application ID provided by HUMAN Security (e.g., PX1234).
  • APP_ID_SUFFIX - your application ID without the PX prefix (e.g., 1234).

Custom First Party Endpoints

If any custom first party endpoints are configured in the Lambda code, these endpoints should be added to the above resources in the API Gateway as well.

  1. If needed, enable CORS for the API Gateway first party resources as well.
  2. Deploy and stage the API Gateway.