@dap0am
Contributor

@dap0am dap0am commented Jan 15, 2026

Description

This PR addresses issue #1080 by deprecating fields in ApiGatewayV2httpRequest that are only present in Custom Authorizer v1 payloads but not in standard HTTP API v2 requests.

Changes

Deprecates the following fields in ApiGatewayV2httpRequest:

  • kind (type)
  • method_arn
  • http_method
  • identity_source
  • authorization_token

Problem

The http_method field incorrectly defaults to GET when missing from the JSON payload. This is problematic because:

  • Standard HTTP API v2 requests do not include a top-level httpMethod field
  • The actual HTTP method is located in requestContext.http.method
  • Defaulting to GET can cause POST/PUT/DELETE requests to be incorrectly treated as GET requests
  • This can lead to security vulnerabilities where unsafe methods bypass validation logic

Solution

  1. Deprecation: Added #[deprecated] attributes to all authorizer-specific fields with clear guidance
  2. Documentation: Added comprehensive struct-level and field-level documentation explaining:
    • For standard HTTP API v2 requests, use request_context.http.method
    • For Custom Authorizer v1 payloads, use ApiGatewayV2CustomAuthorizerV1Request
  3. Testing: Added a new test apigw_v2_correct_http_method_usage() demonstrating the correct usage pattern

Backward Compatibility

All deprecated fields remain functional and existing code will continue to work. Users will receive deprecation warnings guiding them to the correct approach.

Semver Check Status

⚠️ The semver check failure is expected and correct. Marking public fields as deprecated requires a minor version bump (1.0.3 → 1.1.0) according to semantic versioning rules, which will be handled by maintainers during the release process.

Testing

  • ✅ All 27 existing API Gateway tests pass
  • ✅ New test added to demonstrate correct HTTP method access
  • ✅ Code formatted with rustfmt
  • ✅ Deprecation warnings work as expected

Fixes #1080
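
The failure mode described in the Problem section, as an added example that is not part of the PR or of the aws_lambda_events crate. It is a std-only model: `Method`, `Request`, `decode` and the two guard functions are hypothetical names, and the event is given as constructed, flattened key/value pairs instead of JSON.

```rust
// Added example: a std-only model of the defaulting behaviour, not crate code.
// Method, Request, decode and the guard functions are hypothetical names.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
enum Method { #[default] Get, Post, Put, Delete }

fn parse_method(s: &str) -> Option<Method> {
    match s {
        "GET" => Some(Method::Get),
        "POST" => Some(Method::Post),
        "PUT" => Some(Method::Put),
        "DELETE" => Some(Method::Delete),
        _ => None,
    }
}

struct Request {
    http_method: Method,            // legacy top-level field, GET when absent
    context_method: Option<Method>, // requestContext.http.method
}

// Decode flattened key/value pairs standing in for the JSON event.
fn decode(fields: &HashMap<&str, &str>) -> Request {
    Request {
        http_method: fields.get("httpMethod").and_then(|s| parse_method(s)).unwrap_or_default(),
        context_method: fields.get("requestContext.http.method").and_then(|s| parse_method(s)),
    }
}

// Guard written against the deprecated field: only non-GET requests are checked.
fn needs_write_check_legacy(req: &Request) -> bool {
    req.http_method != Method::Get
}

// Guard written against requestContext.http.method; a missing method fails closed.
fn needs_write_check(req: &Request) -> bool {
    req.context_method != Some(Method::Get)
}

// Constructed sample: a standard v2 DELETE event carries no top-level httpMethod.
fn sample_delete() -> Request {
    decode(&HashMap::from([("rawPath", "/orders/42"), ("requestContext.http.method", "DELETE")]))
}

fn main() {
    let req = sample_delete();
    println!("legacy check: {}, correct check: {}", needs_write_check_legacy(&req), needs_write_check(&req));
}
```

The guard built on the defaulted field skips the write check for the DELETE event, while the guard built on the request-context method applies it.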

…yV2httpRequest

Deprecates fields in ApiGatewayV2httpRequest that are only present in
Custom Authorizer v1 payloads but not in standard HTTP API v2 requests:
- kind (type)
- method_arn
- http_method
- identity_source
- authorization_token

The http_method field incorrectly defaults to GET when missing, which can
lead to security issues as POST/PUT/DELETE requests may be treated as GET.

For standard HTTP API v2 requests, users should use request_context.http.method
to get the correct HTTP method. For Custom Authorizer v1 payloads, users should
use the dedicated ApiGatewayV2CustomAuthorizerV1Request struct.

Adds comprehensive documentation explaining the correct usage patterns and
a test demonstrating how to properly access the HTTP method for standard
HTTP API v2 requests.

Fixes aws#1080
@dap0am
Contributor Author

dap0am commented Jan 15, 2026

Semver Check Failure - Expected Behavior

The semver check is failing as expected because this PR marks several public fields as #[deprecated], which requires a minor version bump according to semantic versioning rules.

What the semver checker found:

  • Marking public struct fields as deprecated changes the user experience (compiler warnings)
  • This requires bumping from 1.0.3 → 1.1.0 (minor version bump)

Resolution:

This is expected and correct behavior. The version bump will be handled by the maintainers during the release process. The deprecations are necessary to guide users away from fields that can cause security issues (as described in #1080).

Why this change is important:

The deprecated http_method field defaults to GET when missing, which can cause POST/PUT/DELETE requests to be incorrectly treated as GET requests, potentially leading to security vulnerabilities. The deprecation warnings will guide users to use the correct request_context.http.method field instead.

Collaborator

@FullyTyped FullyTyped left a comment

We will be bumping to 1.1.0 soon, so we are good to merge without.

I think the version is wrong though, this should be 1.0.2 or whatever we currently have.

@dap0am
Contributor Author

dap0am commented Jan 15, 2026

Thanks for the quick review!

I've updated the deprecation version, but I want to confirm the correct value for the since parameter:

  • Current version in Cargo.toml: 1.0.3
  • You mentioned bumping to: 1.1.0

Should the since value be:

  1. 1.0.3 (current version)
  2. 1.1.0 (the version where this deprecation will be released)

I currently have it set to 1.1.0 since that's when users will first see the deprecation warnings. Please let me know if this should be different!

@FullyTyped
Collaborator

Sorry yeah, 1.1.0 is appropriate.

We will be bumping that as we are adding the builders.

@dap0am
Contributor Author

dap0am commented Jan 15, 2026

> Sorry yeah, 1.1.0 is appropriate.
>
> We will be bumping that as we are adding the builders.

Thanks, I will commit the changes now.

Address review feedback to correct the 'since' parameter in deprecated
attributes to match the upcoming release version.
@dap0am
Contributor Author

dap0am commented Jan 15, 2026

✅ Updated! All deprecation attributes now use since = "1.1.0" as confirmed. The changes have been pushed.

@FullyTyped FullyTyped merged commit 6b9ff4e into aws:main Jan 15, 2026
Development

Successfully merging this pull request may close these issues.

ApiGatewayV2httpRequest.http_method may return incorrect method for standard v2 payloads