I wanted to see whether I could use Rego in a serverless environment. My first demo involved a REST client, copying tokens around by hand and so on. I decided that demo was terrible and resolved to build something better: this page, which is at least an improvement on it.
Edit any of the three text blocks and select an HTTP method and path. The top and bottom blocks must contain JSON documents and are validated before sending. The middle block is written in Rego and is not validated (yet); you can check it in the Rego Playground first.
When you click SEND REQUEST, the app encodes all three text blocks and sends an HTTP request to the serverless backend. The backend decodes the token, compiles the Rego policy, evaluates it against the two JSON documents, and returns the appropriate response.
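A worked policy that fits the three-block layout, added here as an example; it is not the demo's own code, and the page does not give the demo's package name, query or which of the two JSON blocks is input versus data. It assumes the top block is the `input` document, the bottom block is the `data` document, and the backend queries `data.demo.allow`. The sample documents in the test section are constructed for the example; `opa test` runs the tests locally without the demo.

```rego
package demo

import rego.v1

# Deny unless some rule below proves the request is allowed.
default allow := false

# A request is allowed when the caller holds a role with a grant that covers
# both the HTTP method and the path prefix.
allow if {
	some role in data.bindings[input.user]
	some grant in data.roles[role]
	input.method in grant.methods
	path_under(input.path, grant.prefix)
}

# Prefix matching that refuses prefixes without a trailing slash, so a grant
# on "/api/items/" cannot accidentally cover "/api/itemsX".
path_under(path, prefix) if {
	endswith(prefix, "/")
	startswith(path, prefix)
}

# ---- Constructed sample documents and tests (assumed layout, not the demo's) ----
# For the demo: the "input" literal in a test goes in the top block and
# {"bindings": <sample_bindings>, "roles": <sample_roles>} goes in the bottom block.

sample_bindings := {"alice": ["admin"], "bob": ["viewer"]}

sample_roles := {
	"admin": [{"methods": ["GET", "POST", "DELETE"], "prefix": "/api/"}],
	"viewer": [{"methods": ["GET"], "prefix": "/api/"}],
}

test_admin_can_delete if {
	allow with input as {"user": "alice", "method": "DELETE", "path": "/api/items/7"}
		with data.bindings as sample_bindings
		with data.roles as sample_roles
}

test_viewer_cannot_delete if {
	not allow with input as {"user": "bob", "method": "DELETE", "path": "/api/items/7"}
		with data.bindings as sample_bindings
		with data.roles as sample_roles
}

test_unknown_user_denied if {
	not allow with input as {"user": "mallory", "method": "GET", "path": "/api/items/7"}
		with data.bindings as sample_bindings
		with data.roles as sample_roles
}

test_prefix_without_slash_never_matches if {
	not allow with input as {"user": "alice", "method": "GET", "path": "/apix"}
		with data.bindings as sample_bindings
		with data.roles as {"admin": [{"methods": ["GET"], "prefix": "/api"}]}
}
```

Run `opa test policy.rego -v` to execute the four tests. The `default allow := false` line is the part worth keeping whatever else you change: without it, a request that matches no rule leaves `allow` undefined rather than false, and a backend that treats "not false" as permission will let it through.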
The web app is written in React and hosted as a static S3 website. The API uses API Gateway and Lambda. Nothing sent to the API is stored, although some logging is in place.
The backend consists of two Lambda functions: an authorizer written in Go and a handler written in Node.js. The authorizer embeds OPA by importing the OPA Go packages.
Should you deploy this as-is? No. You don't want your authorization system to accept its policy from the client, which is exactly what this demo does so that you can edit the Rego in the browser. Something built along the same lines, with the policy held server-side and only the input coming from the request? Very possibly.
I'm not affiliated.