
How do I maintain session state in an AWS Lambda? For example, if I need to query DynamoDb for subscription information for a logged-in user, how do I do that from the Lambda function if the user is using an AngularJS web app?

I have the user logging in with Auth0 and a custom authorizer that verifies the user on AWS. But then I want to use the logged-in user's CognitoID to query the DynamoDB.

According to the AWS documentation for Lambda (Node.js) (https://docs.aws.amazon.com/lambda/latest/dg/nodejs-prog-model-context.html), you only have the information about the Amazon Cognito identity provider when invoked through the AWS Mobile SDK:

identity.cognitoIdentityId

identity.cognitoIdentityPoolId

But what if I use a web app that uses AngularJS and Auth0?

OK, maybe the simplest solution to store user info in the DynamoDB is just to extract the JWT on the client side, in AngularJS, and send the extracted Auth0 user_id —such as facebook|12345— along in the API request to the Lambda, which queries whether the user exists in DynamoDB and if not creates a new record.

Then in each request to the API that has to query user info I send the user_id, and in the Lambda I query the DB with that id. It should be safe as I verify the user's token in the Custom Authorizer and deny or allow the request before it hits the Lambda.

Mig82
Molnfront
  • This is an old question but I strongly feel I need to point out a big DON'T DO THAT here so that no one else gets any ideas. While it is OK for the front-end to extract data from the JWT token, the back-end must NOT rely on any information extracted from the token. What prevents an attacker from sending "facebook|09876" and spoofing someone else's identity? The back-end must only rely on information it ITSELF extracted from the token, after signature verification that is. As Ashan wrote below, have the custom authorizer extract and pass that info on to the back-end. – Christoph Nov 24 '22 at 13:03

2 Answers


First of all, Lambda is used as a stateless compute service. Therefore keeping session state in Lambda is not practical.

Based on your scenario, you can send a request to API Gateway with the JWT, where you can plug in a special Lambda function called a Custom Authorizer, in which you do the validation of the token and extract the user id, which is then forwarded to the Business Logic Lambda function connected to the API Gateway endpoint. As you mentioned, in the Custom Authorizer you can query the user database and return more info to the Business Logic Lambda.

If the token is not valid or expired you can return an error from Custom Authorizer Lambda function so the API Gateway sends back an error response without hitting the endpoint Lambda.

In addition you can also cache the output of the Custom Authorizer Lambda so that it will be cached for a given TTL for improved performance and reduced costs.

Ashan
  • This is what I'm looking for! Would you mind helping me out on my question here? :) https://stackoverflow.com/questions/61745536/only-add-header-on-proxied-api-gateway-request-with-lambda-authorizer – nicoes May 13 '20 at 06:59

I've done it this way, although I realize there may be better solutions:

Maintain DynamoDB tables for Users and Sessions. When a user logs in with Cognito, create a new item in the Sessions table with a UUID, username, and a last-accessed timestamp. For all subsequent invocations of logged-in users, look for the username in the Session table, and update the last access time. You can then store any session values in the Sessions table, or in separate tables that also have the session id.

If a user logs out with Cognito, then delete (or mark ended) the Session item and all of its data. If you ever see a lastAccessed time that is more than an hour (or whatever keep alive time you want), then delete (or mark ended) that Session item and all of its data.

Tom Hubbard