Reputation: 83
I've read other similar posts with the exact same error message; however, my question is different.
I have an AWS ApiGateway at https://XXXXXXXX.execute-api.us-east-1.amazonaws.com/xxxx/users (from now on I will call it /users).
I have implemented my ApiGateway to Lambda scripts with Cognito authorization, and they work without problems, for example:
/users/me -> returns data of the currently logged-in user
The problem is when I call a nonexistent route in ApiGateway, for example:
/users/mine123 -> it returns
{ "message": "'my-cognito-user-id-token' not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer my-cognito-user-id-token'." }
My question is... Is there a way to return a NotFound or BadRequest error when a route in ApiGateway doesn't exist?
I think it is possible by implementing resource ANY, but is there a "clean" way to do it without resource ANY?
Edit 1:
I tried the Api Gateway response as well. I set a custom response, a status error code 404 for Resource Not Found, but Api Gateway still returns 403 Forbidden.
Edit 2
I already have 4XX responses configured too:
And API Gateway always returns a 403 error with this message (as expected for a generic 4XX error); however, I think it doesn't make sense because it is not a real Forbidden error, it's a NotFound or BadRequest error.
For example, 404 NotFound. 400 BadRequest. None of them return 403 Forbidden.
Upvotes: 7
Views: 20520
Reputation: 10333
Error message { "message": "token not a valid key=value pair Authorization header: 'Bearer token'." } is thrown when "Resource path doesn't exist", with status 403 and a response header "x-amzn-ErrorType" = "IncompleteSignatureException".
A request with an "Authorization" header is sent to an API resource path that doesn't exist.
We can customize the response body in the 'Gateway Response' section. There doesn't seem to be a specific Gateway Response like Unauthorized, Invalid Signature, etc. for this scenario, hence we need to configure Default 4XX.
We can update the status code and Response Templates. Unlike the Integration Response on a successful request process, the error gateway response template doesn't support a full VTL template but only supports simple placeholders.
Example configuration for application/json
{"message":"Invalid Resource","type": "$context.error.responseType","stage": "$context.stage"}
Will return
{
"message": "Invalid Resource",
"type": "DEFAULT_4XX",
"stage": "qa"
}
Upvotes: 20
Reputation: 2787
Not sure whether it is a cleaner way than your suggestion; however, you can configure a specific gateway response for the missing authentication token - https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-gateway-response-using-the-console.html
In the Gateway Responses pane, choose a response type. In this walkthrough, we use Missing Authentication Token (403) as an example.
You can change the API Gateway-generated Status Code to return a different status code that meets your API's requirements. In this example, the customization changes the status code from the default (403) to 404 because this error message occurs when a client calls an unsupported or invalid resource that can be thought of as not found.
Upvotes: 0
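The gateway-response settings described in the two answers above (Default 4XX with a custom template, and Missing Authentication Token changed to 404), scripted with boto3 as an added example that is not code from either answer. The REST API id and stage name are supplied by the caller, and the pinned response types and the helper names `build_calls` and `apply` are assumptions made for illustration.

```python
import json

# Body template from the first answer; error templates accept only simple
# $context placeholders, not full VTL.
NOT_FOUND_TEMPLATE = json.dumps({
    "message": "Invalid Resource",
    "type": "$context.error.responseType",
    "stage": "$context.stage",
})
# API Gateway's stock error body, kept for the pinned types.
DEFAULT_TEMPLATE = '{"message":$context.error.messageString}'

# (responseType, statusCode). DEFAULT_4XX is the fallback for every 4XX type
# that has no response of its own, so real auth and throttling errors are
# pinned first (assumption: a customized type takes precedence over the
# fallback). The pin list is illustrative; extend it for your API.
PLAN = [
    ("UNAUTHORIZED", "401"),
    ("ACCESS_DENIED", "403"),
    ("THROTTLED", "429"),
    ("MISSING_AUTHENTICATION_TOKEN", "404"),  # second answer
    ("DEFAULT_4XX", "404"),                   # first answer
]


def build_calls(rest_api_id):
    """Return the keyword arguments for each put_gateway_response call."""
    calls = []
    for response_type, status in PLAN:
        body = NOT_FOUND_TEMPLATE if status == "404" else DEFAULT_TEMPLATE
        calls.append({
            "restApiId": rest_api_id,
            "responseType": response_type,
            "statusCode": status,
            "responseTemplates": {"application/json": body},
        })
    return calls


def apply(client, rest_api_id, stage_name):
    """Write the gateway responses, then redeploy so the stage serves them."""
    calls = build_calls(rest_api_id)
    for kwargs in calls:
        client.put_gateway_response(**kwargs)
    client.create_deployment(restApiId=rest_api_id, stageName=stage_name)
    return len(calls)


if __name__ == "__main__":
    import sys
    import boto3  # needed only for a real run
    print(apply(boto3.client("apigateway"), sys.argv[1], sys.argv[2]))
```

Any 4XX response type left out of the pin list will also be returned as 404 once DEFAULT_4XX is changed, so review the list against the authorizers and usage plans the API actually uses.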