Is it alright to store user authentication token as a global variable (process.env) in a nodejs lambda function?

Question

We have a BFF built with AWS Lambda (nodejs) and API Gateway that interfaces with an API that requires user authentication. And the way we've built it is we have a separate module/file for the API services. Something like this:

src
--handlers
  --users.js // with function getMe()
--apiServices
  --usersApi.js // with function getUser(id)

So what happens is the getMe() function will receive the event with the request headers with the authentication token. But we need to use the auth token in getUser(id). I've thought of two options to do this:

1. update getUser(id) to accept an authToken param.
2. store the auth token in the global variable

I'm preferring to do #2 because it requires less changes but I'm worried that this might not be a good idea because there's no way of knowing for sure when a lambda container will be reused (or if will be reused at all): https://aws.amazon.com/blogs/compute/container-reuse-in-lambda

Has someone tried the 2nd approach before? Or should I just go with #1? The thing with #1 is that we have a lot of files under apiServices with a lot of functions so I would like to apply as little change as possible.

Answer 1

You can do it both ways, but be careful and double check switching context between users because lambda persists for a short period of time and can be hit multiple times.