feat(AWS ALB): Remove support for authorizers[].allowUnauthenticated

BREAKING CHANGE: Support for `providers.alb.authorizers[].allowUnauthenticated` setting was removed. Rely on `providers.alb.authorizers[].onUnauthenticatedRequest` instead. (PR #8160)
serverless · Sep 10, 2020 · b9d5cc4 · b9d5cc4
1 parent 0d8a7d4
commit b9d5cc4
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 78 deletions.
diff --git a/lib/plugins/aws/package/compile/events/alb/index.test.js b/lib/plugins/aws/package/compile/events/alb/index.test.js
@@ -162,44 +162,6 @@ describe('AwsCompileAlbEvents', () => {
           );
         }));
 
-    it('maps "allowUnauthenticated" set to true to "allow"', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({ allowUnauthenticated: true }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'allow' })
-          );
-        }));
-
-    it('"allowUnauthenticated" set to false should be ineffective', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({ allowUnauthenticated: false }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' })
-          );
-        }));
-
     it('supports setting value to "allow"', () =>
       runServerless({
         fixture: 'functionDestinations',
@@ -237,27 +199,5 @@ describe('AwsCompileAlbEvents', () => {
             baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'authenticate' })
           );
         }));
-
-    it('takes precedence over allowUnauthenticated', () =>
-      runServerless({
-        fixture: 'functionDestinations',
-        configExt: serverlessConfiguration({
-          onUnauthenticatedRequest: 'deny',
-          allowUnauthenticated: true,
-        }),
-        cliArgs: ['package'],
-      })
-        .then(({ cfTemplate, awsNaming }) => {
-          ({ Resources: cfResources } = cfTemplate);
-          naming = awsNaming;
-        })
-        .then(() => {
-          const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1);
-          const rule = cfResources[albListenerRuleLogicalId];
-
-          expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal(
-            baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' })
-          );
-        }));
   });
 });
diff --git a/lib/plugins/aws/package/compile/events/alb/lib/validate.js b/lib/plugins/aws/package/compile/events/alb/lib/validate.js
@@ -206,22 +206,7 @@ module.exports = {
   },
 
   validateAlbAuth(auth) {
-    const hasAllowUnauthenticated = auth.allowUnauthenticated != null;
-    const hasOnUnauthenticatedRequest = auth.onUnauthenticatedRequest != null;
-
-    if (hasAllowUnauthenticated) {
-      this.serverless._logDeprecation(
-        'AWS_ALB_ALLOW_UNAUTHENTICATED',
-        'allowUnauthenticated is deprecated, use onUnauthenticatedRequest instead'
-      );
-    }
-
-    if (hasAllowUnauthenticated && !hasOnUnauthenticatedRequest) {
-      auth.onUnauthenticatedRequest = auth.allowUnauthenticated ? 'allow' : 'deny';
-    } else {
-      auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny';
-    }
-
+    auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny';
     return auth;
   },
 

diff --git a/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js b/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
@@ -108,7 +108,7 @@ describe('#validate()', () => {
           userPoolArn: 'arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341',
           userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
           userPoolDomain: 'your-test-domain',
-          allowUnauthenticated: true,
+          onUnauthenticatedRequest: 'allow',
         },
         mySecondAuth: {
           type: 'oidc',
@@ -131,7 +131,6 @@ describe('#validate()', () => {
         userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
         userPoolDomain: 'your-test-domain',
         onUnauthenticatedRequest: 'allow',
-        allowUnauthenticated: true,
       },
       mySecondAuth: {
         type: 'oidc',