[FEAT] API Gateway v2 HTTP API — Lambda REQUEST authorizer support (payload format 1.0 and 2.0)

## Service

API Gateway v2 (HTTP APIs)

## API Action / Feature

Lambda REQUEST authorizer invocation for HTTP API routes (`--authorizer-type REQUEST` via `aws apigatewayv2 create-authorizer`)

## AWS Documentation

- [Control access to HTTP APIs with AWS Lambda authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html)
- [Payload format versions 1.0 and 2.0](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.payload-format)

## Why is this needed?

Real AWS supports Lambda REQUEST authorizers on HTTP APIs (v2) in addition to JWT authorizers. Floci's `dispatchV2` path in `ApiGatewayExecuteController` only enforces JWT authorizers. When a route is configured with `authorizationType: CUSTOM` and a Lambda REQUEST authorizer, Floci silently skips authorization and allows the request through — which is incorrect behavior.

AWS supports two payload format versions for HTTP API Lambda authorizers:

**Format 1.0** — compatible with REST API (v1) REQUEST authorizer shape:
```json
{
  "version": "1.0",
  "type": "REQUEST",
  "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/pets",
  "identitySource": "...",
  "authorizationToken": "...",
  "resource": "/pets",
  "path": "/pets",
  "httpMethod": "GET",
  "headers": { "Header1": "value1" },
  "queryStringParameters": { "parameter1": "value1" },
  "pathParameters": {},
  "stageVariables": {},
  "requestContext": { ... }
}
```

**Format 2.0** — newer HTTP API-native shape:
```json
{
  "version": "2.0",
  "type": "REQUEST",
  "routeArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/pets",
  "identitySource": "...",
  "routeKey": "GET /pets",
  "rawPath": "/pets",
  "rawQueryString": "parameter1=value1",
  "headers": { "Header1": "value1" },
  "queryStringParameters": { "parameter1": "value1" },
  "pathParameters": {},
  "stageVariables": {},
  "requestContext": {
    "accountId": "123456789012",
    "apiId": "abcdef123",
    "domainName": "...",
    "domainPrefix": "...",
    "http": {
      "method": "GET",
      "path": "/pets",
      "protocol": "HTTP/1.1",
      "sourceIp": "...",
      "userAgent": "..."
    },
    "requestId": "...",
    "routeKey": "GET /pets",
    "stage": "test",
    "time": "...",
    "timeEpoch": 0
  }
}
```

Format 2.0 also supports **simple responses** — the Lambda can return `{"isAuthorized": true}` instead of a full IAM policy document.

### Identity source validation

Before invoking the Lambda, API Gateway validates that all configured identity sources are present in the request. If any are missing, it returns `401` without invoking the Lambda.

### Related issue

This gap was discovered while investigating [#807](https://github.com/floci-io/floci/issues/807) (v1 REST API REQUEST authorizer event shape). The v2 HTTP API gap is a separate missing feature.

## Are you willing to contribute a PR?

- [x] Yes
- [ ] No


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FEAT] API Gateway v2 HTTP API — Lambda REQUEST authorizer support (payload format 1.0 and 2.0) #812

Service

API Action / Feature

AWS Documentation

Why is this needed?

Identity source validation

Related issue

Are you willing to contribute a PR?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[FEAT] API Gateway v2 HTTP API — Lambda REQUEST authorizer support (payload format 1.0 and 2.0) #812

Description

Service

API Action / Feature

AWS Documentation

Why is this needed?

Identity source validation

Related issue

Are you willing to contribute a PR?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions