函数模板概述
- 平台类型:AWS Lambda + API Gateway HTTP API
- 运行时环境:nodejs18.x
- 触发类型:HTTP(POST /api/register)
核心代码
// file: src/handler.js
// Node.js 18.x (CommonJS). HTTP API: POST /api/register
// 目标:请求体验证、结构化日志(中间件式)、统一错误映射(400/409/500)、CORS、速率限制示例、可配置超时与重试策略、SMTP 占位发送验证码
'use strict';
const crypto = require('node:crypto');
// ----------------------- 可调参数(通过环境变量覆盖) -----------------------
const CORS_ORIGIN = process.env.CORS_ORIGIN || '*';
const RATE_LIMIT_WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || '60000', 10); // 1 min
const RATE_LIMIT_MAX = parseInt(process.env.RATE_LIMIT_MAX || '10', 10); // 每窗口最大请求数
const INTERNAL_TIMEOUT_MS = parseInt(process.env.INTERNAL_TIMEOUT_MS || '5000', 10); // 单步内部操作超时
const RETRY_MAX_ATTEMPTS = parseInt(process.env.RETRY_MAX_ATTEMPTS || '2', 10);
const RETRY_BASE_MS = parseInt(process.env.RETRY_BASE_MS || '200', 10);
const SMTP_HOST = process.env.SMTP_HOST; // e.g. "smtp.example.com:587"
const SMTP_KEY = process.env.SMTP_KEY; // 密钥/密码(API Key)
const SMTP_USER = process.env.SMTP_USER || 'apikey'; // 某些服务商使用固定用户名(SendGrid等)
const SMTP_FROM = process.env.SMTP_FROM || 'no-reply@example.com';
// ----------------------- CORS -----------------------
const CORS_HEADERS = {
'Access-Control-Allow-Origin': CORS_ORIGIN,
'Access-Control-Allow-Headers': 'Content-Type,X-Correlation-Id',
'Access-Control-Allow-Methods': 'POST,OPTIONS',
};
// ----------------------- 结构化日志(中间件式) -----------------------
let isColdStart = true;
function createLogger({ requestId, correlationId, ip, route }) {
function log(level, msg, extra = {}) {
const entry = {
ts: new Date().toISOString(),
level,
msg,
requestId,
correlationId,
route,
ip,
coldStart: isColdStart,
...sanitize(extra),
};
console.log(JSON.stringify(entry));
}
return {
info: (msg, extra) => log('INFO', msg, extra),
warn: (msg, extra) => log('WARN', msg, extra),
error: (msg, extra) => log('ERROR', msg, extra),
child: (fields) =>
createLogger({
requestId,
correlationId,
ip,
route,
...fields,
}),
};
}
function sanitize(obj) {
// 避免敏感信息落盘
const cloned = { ...obj };
if (cloned.password) cloned.password = '[REDACTED]';
if (cloned.passwordHash) cloned.passwordHash = '[REDACTED]';
if (cloned.smtpKey) cloned.smtpKey = '[REDACTED]';
return cloned;
}
// ----------------------- 错误类型与映射 -----------------------
class BadRequestError extends Error {
constructor(message, details) {
super(message);
this.name = 'BadRequestError';
this.statusCode = 400;
this.details = details;
}
}
class ConflictError extends Error {
constructor(message) {
super(message);
this.name = 'ConflictError';
this.statusCode = 409;
}
}
class TooManyRequestsError extends Error {
constructor(message, retryAfterSec) {
super(message);
this.name = 'TooManyRequestsError';
this.statusCode = 429;
this.retryAfterSec = retryAfterSec;
}
}
class InternalServerError extends Error {
constructor(message) {
super(message);
this.name = 'InternalServerError';
this.statusCode = 500;
}
}
function httpResponse(statusCode, body, extraHeaders = {}) {
return {
statusCode,
headers: {
'Content-Type': 'application/json; charset=utf-8',
...CORS_HEADERS,
...extraHeaders,
},
body: typeof body === 'string' ? body : JSON.stringify(body),
};
}
// ----------------------- 速率限制(容器级示例,仅演示用途) -----------------------
const rateBucket = new Map(); // key => { count, resetAt }
function rateLimitCheck(key, now = Date.now()) {
const slot = rateBucket.get(key);
if (!slot || now >= slot.resetAt) {
rateBucket.set(key, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
return { allowed: true, remaining: RATE_LIMIT_MAX - 1, resetAt: slot?.resetAt || now + RATE_LIMIT_WINDOW_MS };
} else {
if (slot.count >= RATE_LIMIT_MAX) {
return { allowed: false, remaining: 0, resetAt: slot.resetAt };
}
slot.count += 1;
return { allowed: true, remaining: RATE_LIMIT_MAX - slot.count, resetAt: slot.resetAt };
}
}
// ----------------------- 重试 + 超时包装 -----------------------
async function sleep(ms) {
return new Promise((res) => setTimeout(res, ms));
}
function withTimeout(promise, ms, label = 'operation') {
let timer;
const timeoutPromise = new Promise((_, rej) => {
timer = setTimeout(() => rej(new InternalServerError(`${label} timed out after ${ms}ms`)), ms);
});
return Promise.race([promise.finally(() => clearTimeout(timer)), timeoutPromise]);
}
async function retryAsync(fn, { retries = RETRY_MAX_ATTEMPTS, base = RETRY_BASE_MS, label = 'operation' } = {}) {
let attempt = 0;
let lastErr;
while (attempt <= retries) {
try {
return await fn();
} catch (err) {
lastErr = err;
if (attempt === retries) break;
const backoff = Math.min(base * Math.pow(2, attempt), 2000) + Math.floor(Math.random() * 100);
await sleep(backoff);
attempt += 1;
}
}
throw new InternalServerError(`${label} failed after ${retries + 1} attempt(s): ${lastErr?.message || 'unknown error'}`);
}
// ----------------------- 请求体验证 -----------------------
function parseJsonBody(eventBody) {
if (typeof eventBody === 'string') {
try {
return JSON.parse(eventBody);
} catch {
throw new BadRequestError('Invalid JSON body');
}
}
if (typeof eventBody === 'object' && eventBody != null) return eventBody;
throw new BadRequestError('Missing request body');
}
function validateRegisterInput(body) {
const errors = [];
const email = (body?.email || '').trim();
const password = body?.password || '';
// 简易邮箱校验(可替换更严格的正则或库)
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!email || !emailRegex.test(email)) {
errors.push({ field: 'email', message: 'Invalid email format' });
}
// 密码强度:长度>=8,至少包含三类:小写/大写/数字/特殊字符
const cats = [
/[a-z]/.test(password),
/[A-Z]/.test(password),
/[0-9]/.test(password),
/[^A-Za-z0-9]/.test(password),
].filter(Boolean).length;
if (!password || password.length < 8 || cats < 3) {
errors.push({
field: 'password',
message: 'Password too weak (min length 8, include at least 3 of [lower, upper, digit, symbol])',
});
}
if (errors.length) throw new BadRequestError('Validation failed', errors);
return { email, password };
}
// ----------------------- 用户存储(占位实现) -----------------------
// 注意:以下为内存占位。生产请替换为持久化存储(如 DynamoDB / RDS),并确保幂等与唯一约束。
const _userStore = new Map(); // email -> user
const _auditLogs = [];
async function isEmailTaken(email) {
await sleep(10);
return _userStore.has(email.toLowerCase());
}
async function createUser({ email, password }) {
// 使用 scrypt + salt 生成密码哈希(示例)
const salt = crypto.randomBytes(16).toString('hex');
const hash = await new Promise((res, rej) =>
crypto.scrypt(password, salt, 64, (err, derivedKey) => (err ? rej(err) : res(derivedKey.toString('hex'))))
);
const userId = crypto.randomUUID();
const user = {
userId,
email: email.toLowerCase(),
passwordHash: `scrypt$${salt}$${hash}`,
createdAt: new Date().toISOString(),
};
_userStore.set(user.email, user);
return user;
}
async function writeAuditLog(entry) {
await sleep(5);
_auditLogs.push({ ...entry, at: new Date().toISOString() });
}
// ----------------------- 邮件发送(SMTP 占位) -----------------------
function parseSmtpHostPort(hostStr) {
if (!hostStr) return null;
const [host, portStr] = hostStr.split(':');
const port = portStr ? parseInt(portStr, 10) : 587;
const secure = port === 465;
return { host, port, secure };
}
async function sendOneTimeCodeEmail({ to, code, logger }) {
if (!SMTP_HOST || !SMTP_KEY) {
logger.warn('SMTP not configured, skipping email send');
return { skipped: true };
}
const conf = parseSmtpHostPort(SMTP_HOST);
if (!conf?.host) throw new InternalServerError('Invalid SMTP_HOST');
// 延迟加载依赖:若未安装 nodemailer,将回退为日志占位
let nodemailer;
try {
nodemailer = require('nodemailer');
} catch {
logger.warn('nodemailer not installed, logging OTP instead of sending email');
logger.info('OTP generated (do not log in production)', { otp: code });
return { mocked: true };
}
const transporter = nodemailer.createTransport({
host: conf.host,
port: conf.port,
secure: conf.secure,
auth: { user: SMTP_USER, pass: SMTP_KEY },
});
const mail = {
from: SMTP_FROM,
to,
subject: 'Your verification code',
text: `Your one-time code is: ${code}. It expires in 10 minutes.`,
html: `<p>Your one-time code is: <b>${code}</b>. It expires in 10 minutes.</p>`,
};
// 重试 + 超时保护
await withTimeout(
retryAsync(() => transporter.sendMail(mail), {
retries: RETRY_MAX_ATTEMPTS,
base: RETRY_BASE_MS,
label: 'send email',
}),
INTERNAL_TIMEOUT_MS,
'send email'
);
return { sent: true };
}
// ----------------------- 处理函数 -----------------------
exports.handler = async (event, context) => {
const start = Date.now();
const requestId = context.awsRequestId;
const route = `${event.requestContext?.http?.method || ''} ${event.requestContext?.http?.path || ''}`;
const ip = event.requestContext?.http?.sourceIp || 'unknown';
const correlationId = event.headers?.['x-correlation-id'] || event.headers?.['X-Correlation-Id'] || crypto.randomUUID();
const logger = createLogger({ requestId, correlationId, ip, route });
try {
// CORS 预检
if ((event.requestContext?.http?.method || '').toUpperCase() === 'OPTIONS') {
isColdStart = false;
return {
statusCode: 204,
headers: { ...CORS_HEADERS },
body: '',
};
}
// 速率限制(示例)
const rl = rateLimitCheck(ip);
if (!rl.allowed) {
logger.warn('Rate limited', { remaining: rl.remaining, resetAt: rl.resetAt });
isColdStart = false;
return httpResponse(
429,
{ message: 'Too Many Requests' },
{ 'Retry-After': Math.ceil((rl.resetAt - Date.now()) / 1000) }
);
}
// 方法校验
const method = (event.requestContext?.http?.method || '').toUpperCase();
if (method !== 'POST') {
isColdStart = false;
return httpResponse(405, { message: 'Method Not Allowed' }, { Allow: 'POST,OPTIONS' });
}
// Content-Type 简校验
const ct = event.headers?.['content-type'] || event.headers?.['Content-Type'] || '';
if (!ct.toLowerCase().includes('application/json')) {
throw new BadRequestError('Content-Type must be application/json');
}
logger.info('Incoming request');
// 解析 + 校验
const body = parseJsonBody(event.body);
const input = validateRegisterInput(body);
// 业务:查重
if (await withTimeout(isEmailTaken(input.email), INTERNAL_TIMEOUT_MS, 'check duplicate')) {
throw new ConflictError('Email already registered');
}
// 业务:创建用户
const user = await withTimeout(
retryAsync(() => createUser(input), { label: 'create user' }),
INTERNAL_TIMEOUT_MS,
'create user'
);
// 审计日志
await withTimeout(
retryAsync(() => writeAuditLog({ type: 'USER_CREATED', userId: user.userId, email: user.email }), {
label: 'write audit log',
}),
INTERNAL_TIMEOUT_MS,
'write audit log'
);
// 发送一次性验证码(占位)
const otp = String(Math.floor(100000 + Math.random() * 900000));
try {
await sendOneTimeCodeEmail({ to: user.email, code: otp, logger });
// TODO: 将 OTP 持久化并设置过期时间,以便后续验证
} catch (e) {
// 不阻塞注册:邮件失败仅记录警告(可按需改为失败)
logger.warn('Failed to send OTP email', { err: e.message });
}
const duration = Date.now() - start;
logger.info('Register success', { userId: user.userId, durationMs: duration });
isColdStart = false;
return httpResponse(201, { userId: user.userId, message: 'User created' });
} catch (err) {
const duration = Date.now() - start;
const statusCode = err.statusCode || 500;
const payload =
statusCode === 400 && err.details
? { message: err.message, details: err.details }
: { message: err.message || 'Internal Server Error' };
const extraHeaders =
err instanceof TooManyRequestsError && err.retryAfterSec
? { 'Retry-After': String(err.retryAfterSec) }
: {};
if (statusCode >= 500) {
// 避免输出内部细节
logger.error('Unhandled error', { err: { name: err.name, message: err.message }, durationMs: duration });
isColdStart = false;
return httpResponse(500, { message: 'Internal Server Error' });
} else {
logger.warn('Handled error', { err: { name: err.name, message: err.message }, durationMs: duration });
isColdStart = false;
return httpResponse(statusCode, payload, extraHeaders);
}
}
};
// file: package.json
{
"name": "serverless-register-api",
"version": "1.0.0",
"description": "HTTP register function (Node.js 18.x on AWS Lambda)",
"main": "src/handler.js",
"type": "commonjs",
"license": "MIT",
"scripts": {
"lint": "eslint .",
"build": "echo 'no build step'",
"test": "node -e \"console.log('ok')\""
},
"dependencies": {
"nodemailer": "^6.9.9"
},
"devDependencies": {}
}
# file: serverless.yml (Serverless Framework v3)
service: register-api
frameworkVersion: '3'
provider:
name: aws
runtime: nodejs18.x
region: ${env:AWS_REGION, 'us-east-1'}
memorySize: 128
timeout: 6 # 函数超时(秒)——HTTP 同步调用无平台级重试
environment:
CORS_ORIGIN: ${env:CORS_ORIGIN, '*'}
RATE_LIMIT_WINDOW_MS: ${env:RATE_LIMIT_WINDOW_MS, '60000'}
RATE_LIMIT_MAX: ${env:RATE_LIMIT_MAX, '10'}
INTERNAL_TIMEOUT_MS: ${env:INTERNAL_TIMEOUT_MS, '5000'}
RETRY_MAX_ATTEMPTS: ${env:RETRY_MAX_ATTEMPTS, '2'}
RETRY_BASE_MS: ${env:RETRY_BASE_MS, '200'}
SMTP_HOST: ${env:SMTP_HOST, ''}
SMTP_KEY: ${env:SMTP_KEY, ''}
SMTP_USER: ${env:SMTP_USER, 'apikey'}
SMTP_FROM: ${env:SMTP_FROM, 'no-reply@example.com'}
functions:
register:
handler: src/handler.handler
events:
- httpApi:
method: POST
path: /api/register
# API Gateway CORS(建议在网关层开启,函数中也返回CORS头以防万一)
# 可选:自定义 IAM 权限(如访问DynamoDB/Secrets Manager时需要)
# iamRoleStatements:
# - Effect: Allow
# Action:
# - dynamodb:PutItem
# - dynamodb:GetItem
# Resource: arn:aws:dynamodb:#{AWS::Region}:#{AWS::AccountId}:table/YourTable
package:
patterns:
- '!**/*'
- 'src/**'
- 'package.json'
- 'package-lock.json'
- 'node_modules/**'
plugins: []
配置说明
- 部署方式
- 安装 Serverless Framework: npm i -g serverless
- 安装依赖: npm i
- 部署: npx serverless deploy
- 环境变量
- CORS_ORIGIN:允许的跨域来源,默认 *
- RATE_LIMIT_WINDOW_MS / RATE_LIMIT_MAX:速率限制时间窗口与请求上限(容器级示例,仅演示)
- INTERNAL_TIMEOUT_MS:内部单步操作超时毫秒(如存储、日志、邮件)
- RETRY_MAX_ATTEMPTS / RETRY_BASE_MS:内部重试最大次数与指数退避基数
- SMTP_HOST:SMTP 主机与可选端口(例如 smtp.example.com:587)
- SMTP_KEY:SMTP 凭据(切勿硬编码)
- SMTP_USER:SMTP 用户名(默认 apikey,按服务商调整)
- SMTP_FROM:发件人邮箱
- 路由
- POST /api/register:请求体 { "email": "...", "password": "..." }
- OPTIONS /api/register:CORS 预检
- 依赖
- nodemailer:用于SMTP发送(若不安装,会降级为日志占位)
使用指南
- 本地测试
- 使用 serverless-offline 插件可本地运行(可选)
- 或通过 AWS 控制台的“测试”触发,构造 HTTP API 事件格式
- 请求示例
- Headers:
- Content-Type: application/json
- X-Correlation-Id: 可选,用于链路追踪
- Body:
{
"email": "user@example.com",
"password": "Str0ng!Pass"
}
- 响应
- 201:{ "userId": "...", "message": "User created" }
- 400:校验失败(包含 details)
- 409:邮箱已存在
- 429:命中速率限制(带 Retry-After)
- 500:内部错误(不暴露细节)
- 邮件发送
- 配置 SMTP_HOST/SMTP_KEY(以及必要时 SMTP_USER/SMTP_FROM)
- 未配置或未安装 nodemailer 时,将仅记录验证码日志(占位)
- 超时与重试
- Lambda 层超时由 serverless.yml 的 provider.timeout 控制
- 业务内部调用使用 withTimeout + retryAsync,避免长时间阻塞
最佳实践建议
- 速率限制
- 代码内的 Map 仅对单个冷/热容器有效,不适合水平扩展。生产环境应在 API Gateway/WAF/CloudFront 层配置速率限制或使用全局存储(如 Redis/DynamoDB)计数。
- 凭据管理
- 使用 AWS Secrets Manager/SSM Parameter Store 管理 SMTP_KEY,避免明文环境变量;或通过 Lambda 环境变量加密+KMS。
- 存储层
- 替换内存存储为持久化存储并实现唯一约束(如 DynamoDB 使用 email 作为PK;写入时条件表达式 attribute_not_exists(email) 防止重复)。
- 对审计日志使用独立表或流系统(Kinesis/Firehose)以解耦主流程。
- 密码安全
- 已使用 scrypt 示例。生产配置应明确参数(N、r、p)并进行密钥拉伸,或采用经过审计的库(argon2/bcrypt),并确保密码不出现在日志中。
- 结构化日志
- 建议使用 AWS Lambda Powertools for TypeScript/Node.js 的 Logger/Tracing/Metric 组件,统一观测与追踪。
- CORS
- 统一在 API Gateway 层开启并限制到具体前端域名;函数仍返回CORS以增加兼容性。
- 错误处理
- 避免在 500 响应中暴露内部错误细节;在日志中记录 requestId 以便故障排查。
- 冷启动与性能
- 避免在顶层引入大型依赖;按需懒加载(如本模板对 nodemailer 的处理)。
- 结合 Lambda 容量与超时设置,控制依赖体积,使用打包器(esbuild/webpack)裁剪。
- 重试策略
- HTTP 同步触发不会自动重试。对于需要保证达成的任务(如审计/邮件),建议引入异步事件/队列(EventBridge/SQS)并在下游重试。
以上模板可直接用于 AWS Lambda + API Gateway HTTP API 的注册端点,并提供校验、日志、错误、CORS、速率限制、超时与重试以及邮件发送的完整演示骨架。根据业务需要替换占位存储和邮件实现后即可投入使用。
