8

I've configured API Gateway via a Lambda function deployed with the Serverless Framework. I've defined some queryStringParameters to be true in the YAML file. But the request is passing through the service even when the required (mandatory) queryStringParams are not passed in the URL. Please find below a similar config.

    functions:
      functionName:
        name: serviceName
        handler: handler.handle
        events:
          - http:
              path: /path
              method: get
              request:
                parameters:
                  querystrings:
                    param1: true
                    param2: true

It seems Serverless is not validating whether param1 and param2 are passed as queryString. Should we have an explicit request validator? Is it possible to do so with Serverless?

Abirami
  • 4
    Possible duplicate of [Request validation using serverless framework](https://stackoverflow.com/questions/49133294/request-validation-using-serverless-framework) – Trent Bartlem Mar 07 '18 at 23:33

2 Answers

1

Came here looking for a simple, straightforward answer and didn't want to add plugins as suggested in "Request validation using serverless framework".

If you set parameters as required and want to validate them, you must add a request validator to your serverless.yml:

    # Custom CloudFormation resources go under the top-level `resources` key
    resources:
      Resources:
        ParameterRequestValidator:
          Type: AWS::ApiGateway::RequestValidator
          Properties:
            Name: ParameterRequestValidator
            RestApiId:
              Ref: ApiGatewayRestApi
            ValidateRequestBody: false
            ValidateRequestParameters: true

        # Must match the logical ID of the generated method so the two definitions merge
        ApiGatewayMethodNameOfYourApiLookItUpInYourTemplate:
          Properties:
            RequestValidatorId:
              Ref: ParameterRequestValidator

The method you want to validate will be named something like `ApiGateway<Method><Get | Post | Patch | Put | Delete>`. You can look the name up when you package your serverless functions in the created template files.

Courtesy for this solution goes to https://github.com/serverless/serverless/issues/5034#issuecomment-581832806

st.huber
  • Can you please explain this more in depth? I still don't get this for the ApiGateway stuff. – omega_prime Nov 01 '20 at 12:48
  • it means if you have an http event with name "ReadResource" and http method "GET" then serverless will create a resource similar to _ApiGatewayReadResourceGet_. Add a resource with this name to your serverless.yml to overwrite the serverless created resource and add a request validator to it, as shown in the answer. @omega_prime does that make it clearer? – st.huber Nov 02 '20 at 09:56
  • it does make sense but still doesn't work. Odd. The CloudFormation template is invalid: Template format error: [/Resources/ApiGatewayMethodListGet] Every Resources object must contain a Type member. – omega_prime Nov 02 '20 at 17:31
  • To help you better, I would have to see the code. I can only say that the above worked for me and requests are validated against the `ParameterRequestValidator` – st.huber Nov 04 '20 at 15:04
  • My set up is a near carbon copy of this: https://github.com/AnomalyInnovations/serverless-stack-demo-ext-api – omega_prime Nov 04 '20 at 23:50
  • don't suppose you happened to have a look? – omega_prime Nov 14 '20 at 23:14
  • 1
    @omega_prime the example you posted is not ideal as it does not have any API with parameters. For the sake of example, if you want to add request parameter validation to the _billing-api_ your `ApiGatewayMethodNameOfYourApiLookItUpInYourTemplate` would be named `ApiGatewayMethodBillingPost`. Please see the gist for the updated serverless.yml and the resulting CloudFormation template with working request parameter validation: https://gist.github.com/sthuber90/89fa48d2a3d6df0f875583821f3df6c8 If you find my answer useful, please consider upvoting it to help others find it more easily. – st.huber Nov 15 '20 at 17:35
  • Ok, I understand now as I looked at the JSON code that you showed. The reason mine didn't work like yours is I was basing it on the serverless function name rather than the resource's name. I shall reply to this post to help someone else. – omega_prime Nov 21 '20 at 13:39
0

For those of you failing to see this, like I also did.

This is what you need to do in plain English.

Turn

ApiGatewayMethodNameOfYourApiLookItUpInYourTemplate

to

APIGatewayMethod<1><2>

In my case, it was APIGatewayDealsGet

The thing I was looking at was my handler name in serverless

    list:
      # Defines an HTTP API endpoint that calls the main function in list.js
      # - path: url path is /deals
      # - method: GET request
      handler: list.main
      events:
        - http:
            path: deals
            method: get
            cors: true
            authorizer: aws_iam
            request:
              parameters:
                querystrings:
                  country: true
                  type: true

Alternatively, if this does not work, check the S3 bucket (mine was called xxxxxxx-ap-serverlessdeploymentbuck-1epdp60eqveqr) and go to serverless > yyyyyyyyyyy > aaaa > timestamp > compiled-cloudformation-template.json

Then look for the name of your method in there. For example, mine was:

    "ApiGatewayMethodDealsGet": {
        "Type": "AWS::ApiGateway::Method",
        "Properties": {
            "HttpMethod": "GET",
            "RequestParameters": {
omega_prime
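
A check for the failure mode discussed on this page, as an added example (not code from either answer or from the Serverless project): it scans a compiled CloudFormation template for `AWS::ApiGateway::Method` resources that mark request parameters as required but have no request validator enforcing them. The sample template is constructed; `ApiGatewayMethodOrdersGet` and its `id` parameter are hypothetical.

```python
import json

# Constructed sample, shaped like compiled-cloudformation-template.json.
# ApiGatewayMethodOrdersGet and its "id" parameter are hypothetical.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ParameterRequestValidator": {"Type": "AWS::ApiGateway::RequestValidator",
      "Properties": {"ValidateRequestBody": false, "ValidateRequestParameters": true}},
  "ApiGatewayMethodDealsGet": {"Type": "AWS::ApiGateway::Method", "Properties": {
      "HttpMethod": "GET", "RequestParameters": {
        "method.request.querystring.country": true,
        "method.request.querystring.type": true}}},
  "ApiGatewayMethodOrdersGet": {"Type": "AWS::ApiGateway::Method", "Properties": {
      "RequestParameters": {"method.request.querystring.id": true},
      "RequestValidatorId": {"Ref": "ParameterRequestValidator"}}}
}}
""")


def is_true(value):
    # CloudFormation accepts JSON booleans as well as the strings "true"/"false".
    return str(value).lower() == "true"


def audit_template(template):
    """Return (method, required_params, reason) for each unenforced method."""
    resources = template.get("Resources", {})
    validators = {name: res.get("Properties", {}) for name, res in resources.items()
                  if res.get("Type") == "AWS::ApiGateway::RequestValidator"}
    findings = []
    for name, res in sorted(resources.items()):
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        required = sorted(k for k, v in (props.get("RequestParameters") or {}).items()
                          if is_true(v))
        if not required:
            continue  # nothing marked required, so nothing to enforce
        ref = props.get("RequestValidatorId")
        validator = validators.get(ref.get("Ref")) if isinstance(ref, dict) else None
        if validator is None:
            findings.append((name, required, "no validator from this template attached"))
        elif not is_true(validator.get("ValidateRequestParameters")):
            findings.append((name, required, "validator ignores parameters"))
    return findings


if __name__ == "__main__":
    for method, params, reason in audit_template(SAMPLE_TEMPLATE):
        print(f"{method}: {reason}; required but unenforced: {', '.join(params)}")
```

To audit a real deployment, load `compiled-cloudformation-template.json` with `json.load` and pass the result to `audit_template`.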