Installation

The AWS API Gateway Lambda Enforcer works using API Gateway’s Lambda authorizer. The enforcer is provided as a Node.js NPM package that can be integrated into an existing Lambda authorizer or used to create a brand new Lambda authorizer.

Prerequisites

An AWS REST API Gateway
Node.js and NPM

Installation

Installing the enforcer consists of three main steps:

Building and deploying the authorizer to AWS Lambda.
Connecting the Lambda authorizer to API Gateway.
Configuring first party resources in API Gateway.

Building and Deploying the Authorizer

Install the enforcer package in your Node.js authorizer project.

1 npm install @humansecurity/aws-api-gateway-lambda-authorizer-enforcer

Integrate the enforcer into your authorizer code. The following index.ts file can be used as a basis.

1 // index.ts
2 import { Enforcer, Config, Res } from "@humansecurity/aws-api-gateway-lambda-authorizer-enforcer";
3 
4 const pxConfig = {
5   px_app_id: "<APP_ID>",
6   px_cookie_secret: "<COOKIE_SECRET>",
7   px_auth_token: "<AUTH_TOKEN>",
8   px_custom_first_party_prefix: "/<STAGE_NAME>/<APP_ID_SUFFIX>/"
9   // ... other configuration options
10 };
11 
12 // initialize config outside the handler
13 const config = new Config(pxConfig);
14 
15 // define an authorizer handler
16 export const handler = async (req: APIGatewayRequestAuthorizerEvent): Promise<Res> => {
17   // create a new enforcer
18   const enforcer = new Enforcer(config);
19   // call enforce and await the response
20   // as early as possible in the Lambda flow
21   let response = await enforcer.enforce(req);
22 
23   // if a response exists, return it immediately
24   // as no further processing is required
25   if (response) {
26     return response;
27   }
28 
29   // include your custom authorization logic
30   response = {
31     principalId: "*",
32     policyDocument: {
33       Version: "2012-10-17",
34       Statement: [
35         {
36           Action: "execute-api:Invoke",
37           Effect: "Allow",
38           Resource: req.methodArn
39         }
40       ]
41     },
42     context: {}
43   };
44 
45   // after creating your response, call postEnforce
46   await enforcer.postEnforce(req, response);
47   // return the response from the handler
48   return response;
49 };

Package and deploy the Lambda code. (Here, we use esbuild to compile the TypeScript file to ./dist/index.js, which can be deployed to the Lambda.)

1 esbuild ./index.ts --bundle --minify --sourcemap --platform=node --target=es2020 --outfile=dist/index.js

Connecting the Lambda Authorizer to API Gateway

Create a Lambda authorizer in your API gateway with the following features:
- Type: REQUEST
- Cache: no cache

1 aws apigateway create-authorizer \
2 --rest-api-id <rest api id> \
3 --name <name> \
4 --type REQUEST \
5 --authorizer-uri <uri to lambda> \
6 --authorizer-credentials <IAM Role arn> \
7 --authorizer-result-ttl-in-seconds 0

Configure custom response page so that the enforcer can return the captcha pages properly. If the enforcer decides to block it returns “Deny” response and sets the authorizer context.pxResponseBody with the block page (HTML or JSON). Therefore, you should change the API Gateway response to display this response body instead of the default.

1 aws apigateway put-gateway-response \
2 --rest-api-id <rest api id> \
3 --response-type ACCESS_DENIED \
4 --response-templates 'text/html=\$context.authorizer.pxResponseBody,application/json=\$context.authorizer.pxResponseBody'

Enable CORS for the relevant resources in the API Gateway. Check the box to enable CORS for the Access Denied authorizer response as well.

Enabling Auto-ABR

If your front-end JavaScript makes XHR calls to the API Gateway and you would like to use the Auto-ABR functionality, be sure to add the API Gateway domain to the custom ABR domains variable in the front-end JavaScript snippet. See here for more information.

Configure First Party Resources in API Gateway

Unless the first party feature is disabled, first party resources must be configured in the API Gateway. The resource type should be HTTP_PROXY, as they should proxy to HUMAN Security servers. Add the following three main resources:
- sensor script
- captcha script
- xhr requests

path	destination	method
/`APP_ID_SUFFIX`/init.js	https://client.perimeterx.net/`APP_ID`/main.min.js	GET
/`APP_ID_SUFFIX`/captcha/`{proxy+}`	https://captcha.px-cdn.net/`APP_ID`/`{proxy}`	GET
/`APP_ID_SUFFIX`/xhr/`{proxy+}`	https://collector-`APP_ID`.perimeterx.net/`{proxy}`	ANY

APP_ID - the application ID provided by HUMAN Security (e.g., PX1234).
APP_ID_SUFFIX - your application ID without the PX prefix (e.g., 1234).

Custom First Party Endpoints

If any custom first party endpoints are configured in the Lambda code, these endpoints should be added to the above resources in the API Gateway as well.

If needed, enable CORS for the API Gateway first party resources as well.
Deploy and stage the API Gateway.

Prerequisites

An AWS REST API Gateway
Node.js and NPM

Installation

Installing the enforcer consists of three main steps:

Building and deploying the authorizer to AWS Lambda.
Connecting the Lambda authorizer to API Gateway.
Configuring first party resources in API Gateway.

Building and Deploying the Authorizer

Install the enforcer package in your Node.js authorizer project.

1 npm install @humansecurity/aws-api-gateway-lambda-authorizer-enforcer

Integrate the enforcer into your authorizer code. The following index.ts file can be used as a basis.

1 // index.ts
2 import { Enforcer, Config, Res } from "@humansecurity/aws-api-gateway-lambda-authorizer-enforcer";
3 
4 const pxConfig = {
5   px_app_id: "<APP_ID>",
6   px_cookie_secret: "<COOKIE_SECRET>",
7   px_auth_token: "<AUTH_TOKEN>",
8   px_custom_first_party_prefix: "/<STAGE_NAME>/<APP_ID_SUFFIX>/"
9   // ... other configuration options
10 };
11 
12 // initialize config outside the handler
13 const config = new Config(pxConfig);
14 
15 // define an authorizer handler
16 export const handler = async (req: APIGatewayRequestAuthorizerEvent): Promise<Res> => {
17   // create a new enforcer
18   const enforcer = new Enforcer(config);
19   // call enforce and await the response
20   // as early as possible in the Lambda flow
21   let response = await enforcer.enforce(req);
22 
23   // if a response exists, return it immediately
24   // as no further processing is required
25   if (response) {
26     return response;
27   }
28 
29   // include your custom authorization logic
30   response = {
31     principalId: "*",
32     policyDocument: {
33       Version: "2012-10-17",
34       Statement: [
35         {
36           Action: "execute-api:Invoke",
37           Effect: "Allow",
38           Resource: req.methodArn
39         }
40       ]
41     },
42     context: {}
43   };
44 
45   // after creating your response, call postEnforce
46   await enforcer.postEnforce(req, response);
47   // return the response from the handler
48   return response;
49 };

Package and deploy the Lambda code. (Here, we use esbuild to compile the TypeScript file to ./dist/index.js, which can be deployed to the Lambda.)

1 esbuild ./index.ts --bundle --minify --sourcemap --platform=node --target=es2020 --outfile=dist/index.js

Connecting the Lambda Authorizer to API Gateway

Create a Lambda authorizer in your API gateway with the following features:
- Type: REQUEST
- Cache: no cache

1 aws apigateway create-authorizer \
2 --rest-api-id <rest api id> \
3 --name <name> \
4 --type REQUEST \
5 --authorizer-uri <uri to lambda> \
6 --authorizer-credentials <IAM Role arn> \
7 --authorizer-result-ttl-in-seconds 0

Configure custom response page so that the enforcer can return the captcha pages properly. If the enforcer decides to block it returns “Deny” response and sets the authorizer context.pxResponseBody with the block page (HTML or JSON). Therefore, you should change the API Gateway response to display this response body instead of the default.

1 aws apigateway put-gateway-response \
2 --rest-api-id <rest api id> \
3 --response-type ACCESS_DENIED \
4 --response-templates 'text/html=\$context.authorizer.pxResponseBody,application/json=\$context.authorizer.pxResponseBody'

Enable CORS for the relevant resources in the API Gateway. Check the box to enable CORS for the Access Denied authorizer response as well.

Enabling Auto-ABR

Configure First Party Resources in API Gateway

Unless the first party feature is disabled, first party resources must be configured in the API Gateway. The resource type should be HTTP_PROXY, as they should proxy to HUMAN Security servers. Add the following three main resources:
- sensor script
- captcha script
- xhr requests

path	destination	method
/`APP_ID_SUFFIX`/init.js	https://client.perimeterx.net/`APP_ID`/main.min.js	GET
/`APP_ID_SUFFIX`/captcha/`{proxy+}`	https://captcha.px-cdn.net/`APP_ID`/`{proxy}`	GET
/`APP_ID_SUFFIX`/xhr/`{proxy+}`	https://collector-`APP_ID`.perimeterx.net/`{proxy}`	ANY

APP_ID - the application ID provided by HUMAN Security (e.g., PX1234).
APP_ID_SUFFIX - your application ID without the PX prefix (e.g., 1234).

Custom First Party Endpoints

If any custom first party endpoints are configured in the Lambda code, these endpoints should be added to the above resources in the API Gateway as well.

If needed, enable CORS for the API Gateway first party resources as well.
Deploy and stage the API Gateway.

1	// index.ts
2	import { Enforcer, Config, Res } from "@humansecurity/aws-api-gateway-lambda-authorizer-enforcer";
3
4	const pxConfig = {
5	px_app_id: "<APP_ID>",
6	px_cookie_secret: "<COOKIE_SECRET>",
7	px_auth_token: "<AUTH_TOKEN>",
8	px_custom_first_party_prefix: "/<STAGE_NAME>/<APP_ID_SUFFIX>/"
9	// ... other configuration options
10	};
11
12	// initialize config outside the handler
13	const config = new Config(pxConfig);
14
15	// define an authorizer handler
16	export const handler = async (req: APIGatewayRequestAuthorizerEvent): Promise<Res> => {
17	// create a new enforcer
18	const enforcer = new Enforcer(config);
19	// call enforce and await the response
20	// as early as possible in the Lambda flow
21	let response = await enforcer.enforce(req);
22
23	// if a response exists, return it immediately
24	// as no further processing is required
25	if (response) {
26	return response;
27	}
28
29	// include your custom authorization logic
30	response = {
31	principalId: "*",
32	policyDocument: {
33	Version: "2012-10-17",
34	Statement: [
35	{
36	Action: "execute-api:Invoke",
37	Effect: "Allow",
38	Resource: req.methodArn
39	}
40	]
41	},
42	context: {}
43	};
44
45	// after creating your response, call postEnforce
46	await enforcer.postEnforce(req, response);
47	// return the response from the handler
48	return response;
49	};

1	aws apigateway create-authorizer \
2	--rest-api-id <rest api id> \
3	--name <name> \
4	--type REQUEST \
5	--authorizer-uri <uri to lambda> \
6	--authorizer-credentials <IAM Role arn> \
7	--authorizer-result-ttl-in-seconds 0

1	aws apigateway put-gateway-response \
2	--rest-api-id <rest api id> \
3	--response-type ACCESS_DENIED \
4	--response-templates 'text/html=\$context.authorizer.pxResponseBody,application/json=\$context.authorizer.pxResponseBody'