Why root returns 403 error in API Gateway

Question

I have a very simple lambda function that facilitates short URL redirection. Like so...

var env = process.env.NODE_ENV

exports.handler = async function (event) {
  var mappings = {
    "": "https://example.com",
    "/": "https://example.com",
    "/article1": "https://example.com/articles/article-title",
    "/podcasts": "https://example.com/podcasts"
  }
  return {
    body: null,
    headers: {
      "Location": mappings[event.path] || "https://example.com/four-oh-four"
    },
    isBase64Encoded: false,
    statusCode: 301
  }
}

The URL redirects just fine for all routes except the homepage (with or without a slash). Instead of the homepage, I get a "Missing Authentication Token" error from API Gateway (or Cloudfront rather).

Curling doesn't appear to reveal anything... (Updated the curl code, my bad I left the redirect).

$ curl -v https://short.url/
*   Trying xxx.xx.xxx.xx...
* TCP_NODELAY set
* Connected to short.url (xxx.xx.xxx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /path/to/ca-certificates.crt
  CApath: /path/to/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / xxxxxxxxxxxx-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.ib.run
*  start date: Apr  5 00:00:00 2019 GMT
*  expire date: May  5 12:00:00 2020 GMT
*  subjectAltName: host "short.url" matched cert's "short.url"
*  issuer: xxx; O=xxx; OU=xxx; CN=xxx
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle xxxxxxxx)
> GET / HTTP/2
> Host: short.url
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 403 
< content-type: application/json
< content-length: 42
< date: Sat, 20 Jul 2019 03:51:44 GMT
< x-amzn-requestid: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
< x-amzn-errortype: MissingAuthenticationTokenException
< x-amz-apigw-id: xxxxxxxxxxxxxx_
< x-cache: Error from cloudfront
< via: 1.1 xxxxxxxxxxxxxxxxxxxxxx.cloudfront.net (CloudFront)
< x-amz-cf-pop: xxxxx-xx
< x-amz-cf-id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx===
< 
* Connection #0 to host short.url left intact
{"message":"Missing Authentication Token"}

DominikHelps · Accepted Answer

The response "Missing Authentication Token" is misleading. It suggests that you need to provide an Token. The real error is, that your routes in Api gateway are not setup properly. So it is basically an Route not found from api-gateway.

You need to provide a Route for "/" with a method or the any method and redirect it to the Lambda function. You probably setup an subroute but no route for "/"

At the moment the curl is hitting the url "/" with the method GET and Api-Gateway does not know how to route this call so it answers with: "Missing Authentication Token".

You can reproduce this behavior with every non existent route. Try: /sdfsdfsdf for example. You will get the same error.

Setup the route and you shoud be fine.

I hope I could help you!

Dominik

Why root returns 403 error in API Gateway

Answers (1)

Related Questions