
JustAuthenticateMe Serverless Framework Plugin

Introduction

JustAuthenticateMe offers simple magic link based authentication as a service for web apps. This is a serverless plugin that automatically authenticates your serverless endpoints using JustAuthenticateMe. It uses the JustAuthenticateMe API Gateway Custom Authorizer to verify incoming requests and pass the user's email on to your endpoint handler.

Supported Platforms

Currently, this plugin only supports AWS lambdas behind an API Gateway.

Getting Started

Installing via npm or yarn

justauthenticateme-apigateway-auth is a peer dependency, so you'll have to install it as well.

npm install --save serverless-justauthenticateme-plugin justauthenticateme-apigateway-auth
yarn add serverless-justauthenticateme-plugin justauthenticateme-apigateway-auth

Adding to your serverless.yml

Step 1: Add the plugin

plugins:
- serverless-justauthenticateme-plugin

Step 2: Configure the plugin

You'll need your App ID from the JustAuthenticateMe console.

Static App ID

custom:
  justauthenticateme:
    appId: 01234567-89ab-cdef-0123-4567890abcde

App ID per Stage

custom:
  justauthenticateme:
    appId:
      production: 01234567-89ab-cdef-0123-4567890abcde
      staging: 456789ab-cdef-0123-4567-89abcdef0123
      dev: 890abcde-f012-3456-789a-bcdef1234567

Step 3: Specify Authenticated Endpoints

For each endpoint that should only be accessible by authenticated users, specify the authorizer as the keyword justauthenticateme like so:

functions:
  getBooks:
    handler: src/getBooks.handler
    events:
      - http:
          path: "api/books"
          method: get
          authorizer: justauthenticateme
          request:
            parameters:
              headers:
                Authorization: true

Using the Authorizer

Sending requests

When sending requests to endpoints that are protected by this authorizer, include the ID token you get from JustAuthenticateMe in the Authorization header after the keyword Bearer. It should look something like this:

Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjJlYjQwMTA0LWRjNDUtNGYzNy1iNjljLTkzN2I2Mzg2YjlmNiJ9.eyJlbWFpbCI6InN1cHBvcnRAanVzdGF1dGhlbnRpY2F0ZS5tZSIsInN1YiI6InN1cHBvcnRAanVzdGF1dGhlbnRpY2F0ZS5tZSIsImF1ZCI6ImIxOWEyMWI0LWFkOWQtNGZkNy04OGMxLTFiNjhiODI1YzY3MSIsImlzcyI6Imh0dHBzOi8vZGV2LWFwaS5qdXN0YXV0aGVudGljYXRlLm1lL2IxOWEyMWI0LWFkOWQtNGZkNy04OGMxLTFiNjhiODI1YzY3MSIsImp0aSI6IjZhMjJjOTEyLWYwMzYtNGU0Mi1iZjM5LTQ3N2ZhM2ExOGY2ZCIsInRva2VuX3VzZSI6ImlkIiwiaWF0IjoxNTgzNjk1NDM5LCJuYmYiOjE1ODM2OTU0MzksImV4cCI6MTU4MzY5NzIzOX0.AZqvVWSXn4zwP4WhYOL-nQEDDEMa4Cmpyx8HGJ-6uc3wLeZVfvil6RyAlUExnd6JpteaAImOrKo5fnv93SSGkP-eAN9igGRg0GmXpIeGno_sY_4rMLXDa6RtABL1lz5LCYMxD79oIYIflWJ-LVqmCF90msq-PysFZcgKVLa8oki8ZlKI

Handling requests

When a request is authenticated successfully, the authorizer lambda returns an IAM policy allowing the caller access to any resource protected by this authorizer. It also passes the email address of the authenticated user along to the handler of the API endpoint.

Specifically, a lambda handling an endpoint protected by this authorizer can access the user's email at event.requestContext.authorizer.email.
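As an added example (not the plugin's own code), here is a TypeScript getBooks handler that reads the email the authorizer places at event.requestContext.authorizer.email and fails closed with 401 when it is absent, together with a parser for the "Bearer <token>" form of the Authorization header described above. The minimal event type, the sample book data and the email address are constructed assumptions.

```typescript
// Minimal subset of the API Gateway proxy event this example needs (assumption:
// not the full aws-lambda type, so the file runs without extra dependencies).
interface AuthorizedEvent {
  headers?: Record<string, string | undefined>;
  requestContext?: { authorizer?: { email?: string } };
}

interface Response {
  statusCode: number;
  body: string;
}

// Extract the ID token from "Authorization: Bearer <token>". Returns null for a
// missing header, a non-Bearer scheme, or an empty token so callers fail closed.
export function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return match ? match[1] : null;
}

// Email the justauthenticateme authorizer attached to the request, or null when
// it is absent (e.g. the endpoint was deployed without `authorizer: justauthenticateme`).
export function authenticatedEmail(event: AuthorizedEvent): string | null {
  const email = event.requestContext?.authorizer?.email;
  return typeof email === "string" && email.includes("@") ? email : null;
}

// Constructed sample data: books owned by each user, keyed by email.
const BOOKS_BY_OWNER: Record<string, string[]> = {
  "reader@example.com": ["Serverless in Action"],
};

// Core of src/getBooks.handler: only trusts the authorizer-supplied email,
// never anything else in the event (headers or body) to identify the user.
export function getBooks(event: AuthorizedEvent): Response {
  const email = authenticatedEmail(event);
  if (email === null) {
    return { statusCode: 401, body: JSON.stringify({ error: "unauthenticated" }) };
  }
  const books = BOOKS_BY_OWNER[email] ?? [];
  return { statusCode: 200, body: JSON.stringify({ owner: email, books }) };
}

// Lambda entry point referenced by serverless.yml as src/getBooks.handler.
export const handler = async (event: AuthorizedEvent): Promise<Response> => getBooks(event);
```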

License

MIT