Serverless Framework Docs

#HTTP API

HTTP APIs are a special flavor of API Gateway implementation that offers more features and improved performance.

The Serverless Framework makes it possible to set up API Gateway HTTP APIs via the httpApi event.

#Event Definition

#General setup

functions:
  simple:
    handler: handler.simple
    events:
      - httpApi: 'PATCH /elo'
  extended:
    handler: handler.extended
    events:
      - httpApi:
          method: POST
          path: /post/just/to/this/path

#Catch-alls

functions:
  catchAllAny:
    handler: index.catchAllAny
    events:
      - httpApi: '*'
  catchAllMethod:
    handler: handler.catchAllMethod
    events:
      - httpApi:
          method: '*'
          path: /any/method

#Parameters

functions:
  params:
    handler: handler.params
    events:
      - httpApi:
          method: GET
          path: /get/for/any/{param}

#CORS Setup

With HTTP API we may configure CORS headers that'll be effective for all configured endpoints.

Default CORS configuration can be turned on with:

provider:
  httpApi:
    cors: true

It results in the following headers:

| Header | Value |
| --- | --- |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Headers | Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token, X-Amz-User-Agent |
| Access-Control-Allow-Methods | OPTIONS, (...all defined in endpoints) |

If there's a need to fine-tune CORS headers, each can be configured individually as follows:

provider:
  httpApi:
    cors:
      allowedOrigins:
        - https://url1.com
        - https://url2.com
      allowedHeaders:
        - Content-Type
        - Authorization
      allowedMethods:
        - GET
      allowCredentials: true
      exposedResponseHeaders:
        - Special-Response-Header
      maxAge: 6000 # In seconds

#JWT Authorizers

Currently the only way to restrict access to configured HTTP API endpoints is by setting up JWT authorizers.

For more details, see the AWS documentation.

To ensure endpoints (as configured in serverless.yml) are backed by authorizers, follow the steps below.

#1. Configure authorizers on provider.httpApi.authorizers

provider:
  httpApi:
    authorizers:
      someJwtAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl: https://cognito-idp.${region}.amazonaws.com/${cognitoPoolId}
        audience:
          - ${client1Id}
          - ${client2Id}

#2. Configure endpoints which are expected to have restricted access:

functions:
  someFunction:
    handler: index.handler
    events:
      - httpApi:
          method: POST
          path: /some-post
          authorizer:
            name: someJwtAuthorizer
            scopes: # Optional
              - user.id
              - user.email
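
Routes are only protected when they carry an `authorizer` entry, so it is worth checking the whole config for endpoints that were left open. The following is an added example, not part of the Serverless Framework docs or code base: a JavaScript audit over an already-parsed serverless.yml that reports httpApi routes with no authorizer, routes naming an authorizer absent from provider.httpApi.authorizers, wildcard routes, and `cors: true`. The function names (`normalizeRoute`, `auditHttpApi`) and the sample config are constructed for illustration.

```javascript
// Added example. `config` is a constructed stand-in for a parsed serverless.yml;
// load the real file with any YAML parser and pass the resulting object instead.
const config = {
  provider: { httpApi: { cors: true, authorizers: { someJwtAuthorizer: {} } } },
  functions: {
    simple: { events: [{ httpApi: 'PATCH /elo' }] },
    catchAllAny: { events: [{ httpApi: '*' }] },
    someFunction: {
      events: [{ httpApi: { method: 'POST', path: '/some-post', authorizer: { name: 'someJwtAuthorizer' } } }],
    },
    misnamed: {
      events: [{ httpApi: { method: 'GET', path: '/admin', authorizer: { name: 'missingAuthorizer' } } }],
    },
  },
};

// Normalize the event forms shown on this page: 'METHOD /path', '*', and { method, path }.
function normalizeRoute(httpApi) {
  if (typeof httpApi !== 'string') {
    return { method: httpApi.method || '*', path: httpApi.path || '*', authorizer: httpApi.authorizer };
  }
  if (httpApi.trim() === '*') return { method: '*', path: '*' };
  const [method, path] = httpApi.trim().split(/\s+/);
  return { method, path }; // the string shorthand cannot carry an authorizer
}

// Return one finding per route that is unprotected, mis-wired, or a wildcard.
function auditHttpApi(cfg) {
  const httpApiCfg = (cfg.provider && cfg.provider.httpApi) || {};
  const defined = httpApiCfg.authorizers || {};
  const findings = [];
  if (httpApiCfg.cors === true) findings.push('provider.httpApi.cors: true allows any origin (*)');
  for (const [fn, def] of Object.entries(cfg.functions || {})) {
    for (const ev of def.events || []) {
      if (!ev || ev.httpApi === undefined) continue; // not an httpApi event
      const r = normalizeRoute(ev.httpApi);
      const route = `${fn}: ${r.method} ${r.path}`;
      const name = r.authorizer && r.authorizer.name;
      if (!name) findings.push(`${route} has no authorizer`);
      else if (!defined[name]) findings.push(`${route} names undefined authorizer ${name}`);
      if (r.method === '*' || r.path === '*') findings.push(`${route} is a wildcard route`);
    }
  }
  return findings;
}

console.log(auditHttpApi(config).join('\n'));
```

Run it in CI against the parsed config and fail the build on any finding that has not been explicitly accepted, for example an intentionally public route.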

#Access logs

The deployed stage can have access logging enabled. To do so, turn on logs for HTTP API in the provider settings as follows:

provider:
  logs:
    httpApi: true

The default log format is:

{
  "requestId": "$context.requestId",
  "ip": "$context.identity.sourceIp",
  "requestTime": "$context.requestTime",
  "httpMethod": "$context.httpMethod",
  "routeKey": "$context.routeKey",
  "status": "$context.status",
  "protocol": "$context.protocol",
  "responseLength": "$context.responseLength"
}

It can be overridden via the format setting:

provider:
  logs:
    httpApi:
      format: '{ "ip": "$context.identity.sourceIp", "requestTime":"$context.requestTime" }'

See the AWS HTTP API logging documentation for more information on the variables that can be used.
