DEV Community

Cover image for How to validate requests when using AWS Lambda Function Url
iAmSherif πŸ’Ž
iAmSherif πŸ’Ž

Posted on

How to validate requests when using AWS Lambda Function Url

Introduction

A Lambda function URL is a built-in HTTPS endpoint for an AWS Lambda function. It allows you to directly invoke a Lambda function over HTTP without needing an intermediary service like API Gateway. This simplifies deployments when your function needs to be publicly accessible or integrated into web applications. Validating requests with Lambda Function URLs offers unique challenges and nuances, unlike API Gateway where you can use Model and RequestValidator See.

In this article, I will guide you on how you can simply validate your event object and as well return appropriate error if there is mismatch in received event payload.

Why do you need Lambda Function Url

A Lambda function URL is a dedicated endpoint with a unique URL that provides a straightforward way to call a Lambda function over HTTP. When you create a Lambda function URL, AWS automatically generates a URL for the function, and you can configure IAM-based authentication or leave it public (for open access).

Importance of Lambda Function Url are:

  1. Simplicity: Removes the need to set up and manage an API Gateway when you only need a simple HTTP endpoint.

  2. Cost-Effective: Reduces costs compared to using API Gateway for basic use cases since Lambda function URLs have no additional charges beyond standard Lambda pricing.

  3. Quick Deployment: Ideal for rapid prototyping or use cases where setting up API Gateway is unnecessary.

  4. Native HTTPS Support: Provides secure communication without extra configuration.

  5. Authentication Control: Supports IAM-based authentication for secure access or can be set to public for open endpoints.

When would you need Lambda Function Url

  1. Microservices and Webhooks:

    • Easily create microservices that respond to HTTP requests.
    • Use Lambda function URLs to handle webhook callbacks from third-party services (e.g., payment systems, notifications).
  2. Prototyping and Demos:

    • Quickly expose a backend function for demo purposes without setting up API Gateway.
  3. Automation and Internal Tools:

    • Create internal tools that employees can access directly via a simple URL.
  4. Static Website Backends:

    • Pair a static website hosted on Amazon S3 or CloudFront with a Lambda function URL for dynamic functionality (e.g., form submissions).
  5. IoT Integrations:

    • Allow IoT devices to trigger serverless functions directly via HTTP endpoints.

How to validate requests in Lambda Function Url

Steps:

  1. Define your request model
  2. Use the reusable request model to validate your event body data(payload)
  3. Plug the model to your handler method

Define your request model

Define the model for your event body. Say you want name, email, and an optional mobileNumber. We are going to create a model that matches the expected event body.

Prerequisite: Install Joi --> npm install Joi

const Joi = require('joi');

const eventModel = Joi.object({
    name: Joi.string().required(),
    email: email: Joi.string().email({ minDomainSegments: 2, tlds: { allow: ['com', 'net'] } }),
    mobileNumber: Joi.string().optional()
})
Enter fullscreen mode Exit fullscreen mode

Use the request model to validate your event

After creating the model, next we will need to validate the event body data with the model; this step also ensures error is properly handled.

const validateEventData = async (data) => {
    try{
        const value = await eventModel.validateAsync(data);
        return value;
    }catch(error){
        throw new Error( error.message || error);
    }
}

Enter fullscreen mode Exit fullscreen mode

Plug-in the model to your handler method

module.exports.handler = async (event, context) => {
  try{
    const body = validateEventData(event.body);
    return { statusCode: "200", body };
    }
  }catch (err) {
    return {
        statusCode: 400,
        body: { message: 'Invalid request body', error: err.message || err },
    };
  }
}
Enter fullscreen mode Exit fullscreen mode

Sample Error

Say we send a mismatch event object like:

{
    "email": "value3@gmail.com"
    "mobileNumber": "234567890"
}
Enter fullscreen mode Exit fullscreen mode

Note that we took out a required field name.

  "statusCode": 400,
  "body": { "message": "Invalid request body", "error": "\"name\" is required"
  }
Enter fullscreen mode Exit fullscreen mode

Here's a refactored and expanded version of your conclusion section to provide more depth and reinforce key takeaways:


Conclusion

Properly validating incoming requests is a critical step in safeguarding your AWS Lambda functions from potential vulnerabilities such as SQL injection, script injection, and other forms of malicious input. By implementing robust validation practices, you can ensure that your application remains secure, reliable, and resilient.

In this article, we demonstrated how to use Joi library to perform request validation in AWS Lambda functions. With Joi, you can define clear validation schemas, enforce data integrity, and provide informative error messages to users when inputs do not meet your requirements. This approach not only fortifies your application against security threats but also enhances maintainability by keeping your validation logic structured and reusable.

By following the steps outlined, you can seamlessly integrate input validation into your Lambda functions and handle validation errors gracefully. As a result, your serverless applications can operate more securely, giving you confidence that only well-formed, valid data is processed.

Remember, validation is just one layer of a comprehensive security strategy. Pairing it with practices such as proper error logging, input sanitization, and authentication mechanisms (like AWS Cognito) will further bolster the security of your application.

Secure coding practices like these are essential for building robust serverless architectures. Start implementing input validation today to protect your AWS Lambda endpoints and provide a safer experience for your users.

β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”

For more articles, follow my social handles:

Top comments (0)