Understanding Path Templating
Within API Gateway, it is possible to route incoming requests based on path templating. Path templating has three main components:
- Exact match
- Single wildcard match
- Double wildcard match
The following sections describe each of these components and how they work within the context of API Gateway.
Exact Match
A templated path without any single or double wildcard segments (* or **) is converted to an exact path match.
For example, the OpenAPI spec for your gateway API config may contain a section like the following:
...
paths:
/shelves:
get:
summary: List shelves
...
In this example, the gateway will only accept requests to /shelves and no other paths.
Single Wildcard Matching
If a templated path contains a variable, a singular wildcard segment (e.g {var} or {var=*}), or both, the gateway will allow incoming requests that comply with the following:
- The requests do not contain an additional forward slash (
/), meaning the variable will only match a single path segment. - The requests contain at least one character.
- The requests may contain an additional trailing slash if present at the end of the path.
For example, the OpenAPI spec for your gateway API config may contain a section like the following:
...
paths:
/shelves/{shelf}/books/{book}: # Equivalent to /shelves/{shelf=*}/books/{book=*}
get:
summary: Retrieve a book
...
In this example, the gateway will accept requests that match the following regex:
^/shelves/[^/]+/books/[^/]+/?$
Double Wildcard Matching
If a templated path contains a variable denoted by a double wildcard segment (e.g {var=**}),
the gateway will allow incoming requests that comply with the following:
- The requests can contain all characters, including forward slashes (/).
- The requests can contain 0 or more characters.
- The requests may contain an additional trailing slash if present at the end of the path.
For example, the OpenAPI spec for your gateway API config may contain a section like the following:
...
paths:
/shelves/{shelf=*}/books/{book=**}:
get:
summary: Retrieve a book
...
In this example, the gateway will accept requests that match the following regex:
^/shelves/[^/]+/books/.*/?$
URL Encoded Forward Slashes
API Gateway follows RFC 3986, which does not treat URL encoded forward slashes (%2F) as actual slashes when matching URL paths for routing or security decisions. If URL encoded slashes are expected, your backend should handle these requests accordingly.
For example, consider the following OpenAPI spec:
securityDefinitions:
api_key:
type: "apiKey"
name: "key"
in: "query"
paths:
/shelves/{shelf}:
get:
parameters:
- in: path
name: shelf
type: string
required: true
description: Shelf ID.
summary: List shelves
operationId: GetShelf
responses:
'200':
description: A successful response
schema:
type: string
/shelves/{shelf}/books/{book}:
get:
parameters:
- in: path
name: shelf
type: string
required: true
description: Shelf ID.
- in: path
name: book
type: string
required: true
description: Book ID
summary: Retrieve a book
operationId: GetBook
responses:
'200':
description: A successful response
schema:
type: string
security:
- api_key: []
In this example, the /shelves/{shelf}/books/{book} operation requires an API key, but the /shelves/{shelf} operation is unrestricted.
In the event that a user sends a request to /shelves/shelf_1%2Fbooks%2Fbook_2:
- The gateway will process the request as a
GetShelfoperation for the shelf IDshelf_1%2Fbooks%2Fbook_2. In this case, an API key check is not enforced. - If the
%2Fis normalized before any request handling by the backend, the request may instead be processed as theGetBookoperation for the book IDbook_2. In other words, the backend processes/shelves/shelf_1%2Fbooks%2Fbook_2as/shelves/shelf_1/books/book_2.
In this example, the backend expects the GetBook operation to perform an API key check at the gateway. However, because the gateway read the request as a GetShelf operation, no API key check was performed.
Normalization of Multiple Adjacent Forward Slashes
API Gateway follows RFC 3986, which states that paths with multiple adjacent forward slashes will be treated as a different path than those with singular forward slashes.
For instance, a request containing /shelves/// will not be normalized by the gateway to the request path /shelves/ prior to matching a URI path template nor upon forwarding to the specified backend.