Custom Authorizer not replicating IAM permissions correctly
Current Behavior
Given the following policy returned from the custom authorizer:
serverless-offline wrongly allows me to access /organizations/0000 or /organizations/0000/members or even /me/invites. That behavior is unexpected and does not match the behavior of a deployed stack.
The correct behavior is to block all requests that do not match /organizations or /me exactly, as there is no wildcard on either of the rules (i.e. arn:aws:execute-api:::random-api-id/local/GET/organizations*).
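The matching rule the report relies on, as an added example (not code from serverless-offline or from the issue author): a Resource ARN without a wildcard must equal the method ARN exactly, and only `*` or `?` widen it. The policy objects are constructed for illustration, modelled on the ARN format quoted above, and the names `evaluate` and `check` are hypothetical.

```javascript
// Translate an IAM-style pattern into an anchored RegExp.
// '*' matches any run of characters (including '/'), '?' matches exactly one,
// everything else is literal.
function patternToRegExp(pattern, flags = '') {
  const body = pattern
    .split('')
    .map((ch) => {
      if (ch === '*') return '.*';
      if (ch === '?') return '.';
      return /[\\^$.|+()[\]{}]/.test(ch) ? '\\' + ch : ch;
    })
    .join('');
  return new RegExp(`^${body}$`, flags);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Evaluate an authorizer policy document against one method ARN.
// Explicit Deny wins; no matching Allow means implicit Deny.
function evaluate(policy, action, methodArn) {
  let allowed = false;
  for (const stmt of asArray(policy.Statement)) {
    const actionHit = asArray(stmt.Action)
      .some((a) => patternToRegExp(a, 'i').test(action)); // actions are case-insensitive
    const resourceHit = asArray(stmt.Resource)
      .some((r) => patternToRegExp(r).test(methodArn));
    if (!actionHit || !resourceHit) continue;
    if (stmt.Effect === 'Deny') return 'Deny';
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Constructed sample policies (assumption: not the policy from the issue).
const BASE = 'arn:aws:execute-api:::random-api-id/local/GET';
const allow = (resources) => ({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'execute-api:Invoke', Resource: resources }],
});
const exactPolicy = allow([`${BASE}/organizations`, `${BASE}/me`]);
const wildcardPolicy = allow([`${BASE}/organizations*`]);

// Hypothetical helper: decision for a GET request on `path`.
function check(policy, path) {
  return evaluate(policy, 'execute-api:Invoke', `${BASE}${path}`);
}

for (const p of ['/organizations', '/organizations/0000', '/me/invites']) {
  console.log(p, 'exact:', check(exactPolicy, p), 'wildcard:', check(wildcardPolicy, p));
}
```

An emulator that compares by prefix or substring instead of anchoring the pattern at both ends will return Allow for the sub-paths that the exact policy denies here.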