I am writing a custom Lambda authoriser used for a V2 HTTP API Gateway.
The authoriser is using the V2 Simple response format.
I have various checks, i.e. check a header exists, validate the token, check for custom claims, etc.
If any of these fails, I have been throwing an error, catching the error in the handler's try/catch so I can log it, and then returning { isAuthorised: false } in the catch block.
I expect to get a 401 or 403 in these scenarios; however, I always receive an HTTP 500 error along with Internal server error.
In the Lambda logs I can see that my error has been thrown; however, the unauthorised response is never returned.
In these scenarios I do not want a 500 error; I throw a custom message so this can be used in internal logging.
Below is a cut-down example of what my authoriser looks like.
The verifyToken function will throw an error if the token is not valid.
export const handler = async (event) => {
    try {
        if (!event.headers["test-header"]) {
            throw new Error("Missing header")
        }
        const verifiedToken = await verifyToken("access token");
        return { isAuthorised: true }
    } catch (error) {
        console.error(error.message ?? "Something went wrong")
        return { isAuthorised: false }
    }
}
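
Added example, not part of the original post: the HTTP API simple response format is read from a boolean key spelled `isAuthorized`, and an object without that key does not match the format. The guard below checks the returned shape so a mistyped key is caught in the function itself and the authoriser fails closed. `assertSimpleResponse`, `deny` and the `verifyToken` stub are hypothetical names, and the header and token values are constructed.

```javascript
// Guard: a simple response must carry a boolean "isAuthorized" (US spelling).
function assertSimpleResponse(response) {
  if (typeof response?.isAuthorized !== "boolean") {
    const keys = Object.keys(response ?? {}).join(", ");
    throw new TypeError(`simple response needs boolean "isAuthorized"; got keys: [${keys}]`);
  }
  return response;
}

// Log the reason internally, return only the deny decision to API Gateway.
function deny(reason) {
  console.error(reason);
  return assertSimpleResponse({ isAuthorized: false });
}

// Hypothetical stub for the post's verifyToken: accepts one constructed token.
async function verifyToken(token) {
  if (token !== "constructed-valid-token") {
    throw new Error("Invalid token");
  }
  return { sub: "user-123" };
}

async function handler(event) {
  try {
    if (!event.headers?.["test-header"]) {
      throw new Error("Missing header");
    }
    const claims = await verifyToken(event.headers.authorization);
    // Optional "context" is passed on to the integration on allow.
    return assertSimpleResponse({ isAuthorized: true, context: { sub: claims.sub } });
  } catch (error) {
    // Any failure, including a malformed allow response, ends in a deny.
    return deny(error.message ?? "Something went wrong");
  }
}
```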