500 error when caching AWS Lambda Authenticator response

Question

I'm using serverless stack, now attempting to add a Lambda Custom Authenticator to validate authorization tokens with Auth0 and add custom data to my request context when the authentication passes.

Everything works mostly fine at this point, except for when I cache the Authenticator response for the same token.

I'm using a 5-second cache for development. The first request with a valid token goes through as it should. The next requests in the 5-second window fail with a mysterious 500 error without ever reaching my code.

Authorizer configuration

// MyStack.ts

const authorizer = new sst.Function(this, "AuthorizerFunction", {
    handler: "src/services/Auth/handler.handler",
});

const api = new sst.Api(this, "MarketplaceApi", {
  defaultAuthorizationType: sst.ApiAuthorizationType.CUSTOM,
  defaultAuthorizer: new HttpLambdaAuthorizer("Authorizer", authorizer, {
    authorizerName: "LambdaAuthorizer",
    resultsCacheTtl: Duration.seconds(5), // <-- this is the cache config
  }),
  routes: {
    "ANY /{proxy+}": "APIGateway.handler",
  },
});

Authorizer handler

const handler = async (event: APIGatewayAuthorizerEvent): Promise<APIGatewayAuthorizerResult> => {
  // Authenticates with Auth0 and serializes context data I wanna
  // forward to the underlying service
  const authentication = await authenticate(event);
  const context = packAuthorizerContext(authentication.value);

  const result: APIGatewayAuthorizerResult = {
    principalId: authentication.value?.id || "unknown",
    policyDocument: buildPolicy(authentication.isSuccess ? "Allow" : "Deny", event.methodArn),
    context, // context has the following shape:
    // {
    //   info: {
    //     id: string,
    //     marketplaceId: string,
    //     roles: string,
    //     permissions: string
    //   }
    // }
  };

  return result;
};

CloudWatch logs

☝️ Every uncached request succeeds, with status code 200, an integration ID and everything, as it's supposed to. Every other request during the 5-second cache fails with 500 error code and no integration ID, meaning it doesn't reach my code.

---

Any tips?

Update

I just found this in an api-gateway.d.ts @types file (attention to the comments, please):

// Poorly documented, but API Gateway will just fail internally if
// the context type does not match this.
// Note that although non-string types will be accepted, they will be
// coerced to strings on the other side.
export interface APIGatewayAuthorizerResultContext {
    [name: string]: string | number | boolean | null | undefined;
}

And I did have this problem before I could get the Authorizer to work in the first place. I had my roles and permissions properties as string arrays, and I had to transform them to plain strings. Then it worked.

Lo and behold, I just ran a test right now, removing the context information I was returning for successfully validated tokens and now the cache is working 😔 every request succeeds, but I do need my context information...

Maybe there's a max length for the context object? Please let me know of any restrictions on the context object. As the @types file states, that thing is poorly documented. This is the docs I know about.

Answer 1

The issue is that none of the context object values may contain "special" characters.

Your context object must be something like:

"context": {
  "someString": "value",
  "someNumber": 1,
  "someBool": true
},

You cannot set a JSON object or array as a valid value of any key in the context map. The only valid value types are string, number and boolean.

In my case, though, I needed to send a string array.

I tried to get around the type restriction by JSON-serializing the array, which produced "[\"valueA\",\"valueB\"]" and, for some reason, AWS didn't like it.

TL;DR

What solved my problem was using myArray.join(",") instead of JSON.stringify(myArray)