Merge pull request #207 from horike37/feature/Oauth_scope

feat: add support for AuthorizationScopes

Author: horike37

README.md

@@ -497,6 +497,10 @@ stepFunctions:
               type: COGNITO_USER_POOLS # TOKEN, CUSTOM or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
               authorizerId:
                 Ref: ApiGatewayAuthorizer  # or hard-code Authorizer ID
+              # [Optional] you can also specify the OAuth scopes for Cognito
+              scopes:
+                - scope1
+                ...
 ```
 
 #### LAMBDA_PROXY request template

lib/deploy/events/apiGateway/methods.js

@@ -328,6 +328,7 @@ module.exports = {
           Properties: {
             AuthorizationType: http.authorizer.type,
             AuthorizerId: http.authorizer.authorizerId,
+            AuthorizationScopes: http.authorizer.scopes,
           },
         };
       }
@@ -336,10 +337,12 @@ module.exports = {
         .getAuthorizerLogicalId(http.authorizer.name || http.authorizer);
 
       let authorizationType;
+      let authorizationScopes;
       const authorizerArn = http.authorizer.arn;
       if (typeof authorizerArn === 'string'
         && awsArnRegExs.cognitoIdpArnExpr.test(authorizerArn)) {
         authorizationType = 'COGNITO_USER_POOLS';
+        authorizationScopes = http.authorizer.scopes;
       } else {
         authorizationType = 'CUSTOM';
       }
@@ -348,6 +351,7 @@ module.exports = {
         Properties: {
           AuthorizationType: authorizationType,
           AuthorizerId: { Ref: authorizerLogicalId },
+          AuthorizationScopes: authorizationScopes,
         },
         DependsOn: authorizerLogicalId,
       };

lib/deploy/events/apiGateway/methods.test.js

@@ -288,8 +288,10 @@ describe('#methods()', () => {
         method: 'post',
       };
 
-      expect(serverlessStepFunctions.getMethodAuthorization(event)
-              .Properties.AuthorizationType).to.equal('NONE');
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+
+      expect(authorization.Properties.AuthorizationType).to.equal('NONE');
+      expect(authorization.Properties.AuthorizationScopes).to.equal(undefined);
     });
 
     it('should return resource properties with AuthorizationType: AWS_IAM', () => {
@@ -300,8 +302,10 @@ describe('#methods()', () => {
         },
       };
 
-      expect(serverlessStepFunctions.getMethodAuthorization(event)
-              .Properties.AuthorizationType).to.equal('AWS_IAM');
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+
+      expect(authorization.Properties.AuthorizationType).to.equal('AWS_IAM');
+      expect(authorization.Properties.AuthorizationScopes).to.equal(undefined);
     });
 
     it('should return properties with AuthorizationType: CUSTOM and authotizerId', () => {
@@ -312,10 +316,11 @@ describe('#methods()', () => {
         },
       };
 
-      expect(serverlessStepFunctions.getMethodAuthorization(event)
-              .Properties.AuthorizationType).to.equal('CUSTOM');
-      expect(serverlessStepFunctions.getMethodAuthorization(event)
-              .Properties.AuthorizerId).to.equal('foo12345');
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+
+      expect(authorization.Properties.AuthorizationType).to.equal('CUSTOM');
+      expect(authorization.Properties.AuthorizerId).to.equal('foo12345');
+      expect(authorization.Properties.AuthorizationScopes).to.equal(undefined);
     });
 
     it('should return properties with AuthorizationType: CUSTOM and resource reference', () => {
@@ -328,11 +333,9 @@ describe('#methods()', () => {
         },
       };
 
-      const autorization = serverlessStepFunctions.getMethodAuthorization(event);
-      expect(autorization.Properties.AuthorizationType)
-              .to.equal('CUSTOM');
-
-      expect(autorization.Properties.AuthorizerId)
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+      expect(authorization.Properties.AuthorizationType).to.equal('CUSTOM');
+      expect(authorization.Properties.AuthorizerId)
               .to.deep.equal({ Ref: 'AuthorizerApiGatewayAuthorizer' });
     });
 
@@ -341,14 +344,41 @@ describe('#methods()', () => {
         authorizer: {
           name: 'authorizer',
           arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
+          scopes: [
+            'scope1',
+            'scope2',
+          ],
         },
       };
 
-      const autorization = serverlessStepFunctions.getMethodAuthorization(event);
-      expect(autorization.Properties.AuthorizationType)
-              .to.equal('COGNITO_USER_POOLS');
-      expect(autorization.Properties.AuthorizerId)
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+      expect(authorization.Properties.AuthorizationType).to.equal('COGNITO_USER_POOLS');
+      expect(authorization.Properties.AuthorizerId)
               .to.deep.equal({ Ref: 'AuthorizerApiGatewayAuthorizer' });
+      expect(authorization.Properties.AuthorizationScopes)
+              .to.deep.equal(['scope1', 'scope2']);
+    });
+
+    it('should return properties with AuthorizationType when type is "COGNITO_USER_POOLS"', () => {
+      const event = {
+        authorizer: {
+          type: 'COGNITO_USER_POOLS',
+          authorizerId: {
+            Ref: 'ApiGatewayAuthorizer',
+          },
+          scopes: [
+            'scope1',
+            'scope2',
+          ],
+        },
+      };
+
+      const authorization = serverlessStepFunctions.getMethodAuthorization(event);
+      expect(authorization.Properties.AuthorizationType).to.equal('COGNITO_USER_POOLS');
+      expect(authorization.Properties.AuthorizerId)
+              .to.deep.equal({ Ref: 'ApiGatewayAuthorizer' });
+      expect(authorization.Properties.AuthorizationScopes)
+              .to.deep.equal(['scope1', 'scope2']);
     });
   });
 });