Added FromCustomAuthorizerAttribute and tests.

[kabaluk]

PR Description: [FromCustomAuthorizer] Attribute Support

Summary

Adds [FromCustomAuthorizer] attribute to extract Lambda authorizer context values directly into method parameters.

Usage

[HttpApi(HttpMethod.Get, "/api/user-info")]
public IHttpResult GetUserInfo(
    [FromCustomAuthorizer(Name = "userId")] string userId,
    [FromCustomAuthorizer(Name = "email")] string email)

Supported API Types

API Type	Context Path
REST API	RequestContext.Authorizer["key"]
HTTP API v1	RequestContext.Authorizer["key"]
HTTP API v2	RequestContext.Authorizer.Lambda["key"]

Behavior

• Key name: Uses Name property if specified, otherwise falls back to parameter name
• Returns 401 Unauthorized when: authorizer context is null, key not found, or type conversion fails
• Supports IHttpResult return types

Testing

• Unit tests with snapshot verification
• Integration tests deploy real Lambda functions to AWS and verify end-to-end flow with custom authorizers

[normj]

Cool PR!

Can you fix the whitespaces changes to the LambdaFunctionTemplate.tt file? The whole file is looks different.

Who should we handle the other type of authorizer properties. For example on the APIGatewayHttpApiV2ProxyRequest besides the Lambda property there is also Jwt and IAM properties. Should we make the string accessing the authorizer field have the prefix of the property.

[kabaluk]

Wiil do my best with the withspace.
The other types of authorizer are not custom authorizers as far as i am aware.
I would not create string prefixes.
We could create an iam authorizer attribute and a jwt authorizer attribute and those wold look on the respective locations...

[kabaluk]

don't seem to be able to fix the whitespace issue to save my life :(
Please review ignoring whitespace ?? Maybe?

Tried setting EOL to LF and CR, both cause problems with the generated file. The correct one seems to be CRLF .
but obviously git doens't like it :(

Please feel free to edit.

[kabaluk]

Would be really nice to get this avail;able. I will gladly fix the conflicts if this can be looked at again.

[kabaluk]

I can see you did a major refactoring in the dev branch will push again once released.

If i might be so bold, I looked at what you did.
why not take it one step further and separate each attribute into it's own file?
Talking about the APIGatewaySetupParameters.tt
Breaking that file down, using the technique you used before, would make it much easier to add new attributes in the future

Just a thought.

[normj]

@kabaluk I suspect adding new attributes would be done in separate files. For example if we added SQS or S3 I would put them in separate TT. One of my goals with the refactor was to make it easier to add new attributes as the previous monolithic tt file was really hard to reconcile with. HttpApi and RestApi attributes are 9X percent the same code so I didn't really want to make 2 separate tt files for each one of those. Plus I thought the parameter setup was getting pretty long so I was looking for some separation which is why I divided the parameter setup and the invoke. I suspect in SQS or S3 use cases the parameter setup wouldn't be so complicated.

Another goal I had was I wanted to generate the exact same code including whitespaces to make the PR review easier and then later I could do more specific refactoring. Otherwise the PR review would have been every line is different and that is hard to review. But going forward I could see putting each of the FromXXX in a separate tt file as well.

[kabaluk]

@kabaluk I suspect adding new attributes would be done in separate files. For example if we added SQS or S3 I would put them in separate TT. One of my goals with the refactor was to make it easier to add new attributes as the previous monolithic tt file was really hard to reconcile with. HttpApi and RestApi attributes are 9X percent the same code so I didn't really want to make 2 separate tt files for each one of those. Plus I thought the parameter setup was getting pretty long so I was looking for some separation which is why I divided the parameter setup and the invoke. I suspect in SQS or S3 use cases the parameter setup wouldn't be so complicated.

Another goal I had was I wanted to generate the exact same code including whitespaces to make the PR review easier and then later I could do more specific refactoring. Otherwise the PR review would have been every line is different and that is hard to review. But going forward I could see putting each of the FromXXX in a separate tt file as well.

I was talking specifically of the FromXXX attributes. Apologies, I should have been more explicit. Sounds like a great change and it would make it a lot easier to add and test more FromXXX attributes. Looking forward to have that in main so i can re add the FromCustomAuthorizer attribute.
Even started looking on how to do the FromJwt. 😄

[kabaluk]

Readded CustomAuthorizerAttribute..

Hope you like it :)

[kabaluk]

Any possibility of having this looked at again, please?

[normj]

I did an initial scan and it looks good. I had one comment so far. I need to test the experience end to end next. I'll try and find time to do that soon.

[ashishdhingra]

@kabaluk Please review the last review comment from @normj and see if you are able to address it.

[kabaluk]

@kabaluk Please review the last review comment from @normj and see if you are able to address it.

Please have a look.

[GarrettBeatty]

im working on rebasing this

[GarrettBeatty]

Why We Need .ToString() for Custom Authorizer Values

The Data Flow

1. Authorizer Lambda returns context: When your custom authorizer runs, it returns a context dictionary:

   Context = new Dictionary<string, object>
   {
       { "userId", "12345" },
       { "permissions", "admin" }
   }

2. API Gateway passes this to the protected Lambda in the request payload as JSON:

   {
     "requestContext": {
       "authorizer": {
         "userId": "12345",
         "permissions": "admin"
       }
     }
   }

3. Lambda deserializes the request using the configured serializer (System.Text.Json or Newtonsoft.Json).

The Problem: Dictionary<string, object> Deserialization

The Authorizer property is typed as Dictionary<string, object>:

public class APIGatewayCustomAuthorizerContext : Dictionary<string, object>

When the serializer encounters a JSON value like "12345" and needs to deserialize it into object, it doesn't know what concrete type to use. So:

• System.Text.Json wraps it in a JsonElement struct
• Newtonsoft.Json wraps it in a JToken (like JValue)

so rather than having statements like

if (__authValue__ is System.Text.Json.JsonElement jsonElement)
{
    userId = Convert.ChangeType(jsonElement.ToString(), typeof(string));
}

i just call toString which both of these serializers have.

not sure if there is a better way

[GarrettBeatty]

@normj not sure if you have any better ideas here of it ToString is good enough

[normj]

Can the values be numerics instead of strings? If so how would that work out with this approach? Or are we saying for the FromCustomerAuthorizer we only support string parameters. If so we should make sure we are enforcing that and put out diagnostic warnings if they attempt something we don't support.

[GarrettBeatty]

so what im doing here is converting it to a string then using https://learn.microsoft.com/en-us/dotnet/api/system.convert.changetype?view=net-10.0 afterwards to convert to the parameters type.

i will add an integration test to confirm

[GarrettBeatty]

so i added integration tests to confirm

1. int values work
2. string values work
3. boolean values work

double values do not work because of a limitation with api gateway not supporting it.

[Copilot]

Pull request overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[GarrettBeatty]

https://github.com/aws/aws-lambda-dotnet/actions/runs/21604179496/job/62257446270

[GarrettBeatty]

this is all existing code just moved into a common project to share between the two integration test projects

[normj]

Can the values be numerics instead of strings? If so how would that work out with this approach? Or are we saying for the FromCustomerAuthorizer we only support string parameters. If so we should make sure we are enforcing that and put out diagnostic warnings if they attempt something we don't support.

[Copilot]

Pull request overview

Copilot reviewed 56 out of 56 changed files in this pull request and generated 42 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Variable name expectedRestAuthorizerGenerated is misleading in this HTTP API test (it contains the expected HttpApi generated output). Rename it to something like expectedHttpApiAuthorizerGenerated to avoid confusion and make future maintenance easier.

[Copilot]

Minor grammar in the example response: "You are a admin" should be "You are an admin".

[Copilot]

Disposable 'HttpRequestMessage' is created but not disposed.

[Copilot]

Disposable 'HttpRequestMessage' is created but not disposed.

[Copilot]

Redundant call to 'ToString' on a String object.

[Copilot]

Redundant call to 'ToString' on a String object.

[Copilot]

Inefficient use of 'ContainsKey' and indexer.

[Copilot]

Inefficient use of 'ContainsKey' and indexer.

[Copilot]

Inefficient use of 'ContainsKey' and indexer.