
AWS API Gateway Simple Lambda Authorizer failing when used with HTTP API that's using private resource integration


I have set up API Gateway using HTTP API which is configured to a private application load balancer using a VPC link.

I have a route using this integration and I can request my route and I get a successful response from my API.

The problem comes, though, when I now want to protect this route. I chose a simple Lambda authoriser and set up a basic example I have seen in many tuts:

// Simple-response Lambda authorizer for an HTTP API. With payload format 2.0
// the HTTP API lowercases header names, so the header is read as
// event.headers.authorization.
exports.handler = async(event, context) => {
    // Deny by default; the context object is forwarded to the integration.
    let response = {
        "isAuthorized": false,
        "context": {
            "AuthInfo": "defaultdeny"
        }
    };
    // Allow only when the bearer token matches the expected value.
    if (event.headers.authorization === "Bearer secretToken") {
        response = {
            "isAuthorized": true,
            "context": {
                "AuthInfo": "Customer1"
            }
        };
    }
    return response;
};

When I attach my authoriser I just get:

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid token."
}

This response does not seem to be coming from the authoriser, as in CloudWatch I can see the authoriser is returning true.

I am not sure if because I am accessing a private resource using an integration with a VPC link if there is something else I need to do, or what I am missing.

I am struggling to find any documentation on authorisers in such a scenario.

Any help most appreciated.

Authoriser settings



Solution

  • My API was Strapi CMS. With Strapi, if you pass an authorization header to the endpoint, even a public one (as mine was), then its own authentication kicks in.

    So, as the header was passed through from the Lambda authoriser to Strapi, Strapi's auth kicked in. Many thanks to @stijndepestel