
Feature Request: parse sourceIp as ipv6 in APIGateway schemas #4348

@cbarlow1993


Expected Behavior

I would expect that the sourceIp for the APIGateway, APIGatewayV2 and the AppSync envelopes would support both IPv4 and IPv6 type IP addresses.

See:

Current Behavior

Currently only supports IPv4

Code snippet

const APIGatewayEventIdentity = z.object({
  accessKey: z.string().nullish(),
  accountId: z.string().nullish(),
  apiKey: z.string().nullish(),
  apiKeyId: z.string().nullish(),
  caller: z.string().nullish(),
  cognitoAuthenticationProvider: z.string().nullish(),
  cognitoAuthenticationType: z.string().nullish(),
  cognitoIdentityId: z.string().nullish(),
  cognitoIdentityPoolId: z.string().nullish(),
  principalOrgId: z.string().nullish(),
  /**
   * When invoking the API Gateway REST API using the Test Invoke feature,
   * the sourceIp is hardcoded to `test-invoke-source-ip`. This is a stopgap
   * solution to allow customers to test their API and have successful parsing.
   *
   * See aws-powertools/powertools-lambda-python#1562 for more information.
   */
  sourceIp: z.union([z.ipv4(), z.literal('test-invoke-source-ip')]).optional(), // <----- IPv4 or the Test Invoke literal only
  user: z.string().nullish(),
  userAgent: z.string().nullish(),
  userArn: z.string().nullish(),
  clientCert: APIGatewayCert.nullish(),
});


const APIGatewayRequestContextV2Schema = z.object({
  accountId: z.string(),
  apiId: z.string(),
  authorizer: APIGatewayRequestAuthorizerV2Schema.optional(),
  authentication: z
    .object({
      clientCert: APIGatewayCert.optional(),
    })
    .nullish(),
  domainName: z.string(),
  domainPrefix: z.string(),
  http: z.object({
    method: APIGatewayHttpMethod,
    path: z.string(),
    protocol: z.string(),
    sourceIp: z.ipv4(), // <----- IPv4 only
    userAgent: z.string(),
  }),
  requestId: z.string(),
  routeKey: z.string(),
  stage: z.string(),
  time: z.string(),
  timeEpoch: z.number(),
});

const AppSyncIamIdentity = z.object({
  accountId: z.string(),
  cognitoIdentityPoolId: z.string().nullable(),
  cognitoIdentityId: z.string().nullable(),
  sourceIp: z.array(z.string()), // <----- plain strings, no IP format check
  username: z.string(),
  userArn: z.string(),
  cognitoIdentityAuthType: z.string().nullable(),
  cognitoIdentityAuthProvider: z.string().nullable(),
});

const AppSyncCognitoIdentity = z.object({
  sub: z.string(),
  issuer: z.string(),
  username: z.string(),
  claims: z.record(z.string(), z.unknown()),
  sourceIp: z.array(z.ipv4()), // <----- IPv4 only
  defaultAuthStrategy: z.string().nullable(),
  groups: z.array(z.string()).nullable(),
});

Steps to Reproduce

  1. With Zod v4 and the latest Powertools packages, extended the APIGatewayRequestContextV2Schema with a request body on a function URL Lambda, and hit it via an IPv6 address

Possible Solution

Support IPv4 or IPv6

Powertools for AWS Lambda (TypeScript) version

latest

AWS Lambda function runtime

22.x

Packaging format used

npm

Execution logs


Labels

confirmed: The scope is clear, ready for implementation
feature-request: This item refers to a feature request for an existing or new utility
good-first-issue: Something that is suitable for those who want to start contributing
help-wanted: We would really appreciate some support from community for this one
parser: This item relates to the Parser Utility
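Added example, not code from the issue or from Powertools: a dependency-free TypeScript check for the set of values the request asks the `sourceIp` fields to accept (IPv4, IPv6, and, for the REST API identity, the `test-invoke-source-ip` literal). All function names are hypothetical, and it is a hand-written check rather than Zod's own validators.

```typescript
// Added example (not Powertools or Zod code); all names are hypothetical.
type SourceIpKind = 'ipv4' | 'ipv6' | 'test-invoke' | 'invalid';

// Placeholder that API Gateway's Test Invoke feature sends, per the issue.
const TEST_INVOKE_SOURCE_IP = 'test-invoke-source-ip';

// Dotted quad: four decimal octets in 0-255, no leading zeros.
function isIpv4(value: string): boolean {
  const parts = value.split('.');
  return (
    parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255)
  );
}

// Hex groups separated by ':', at most one '::', optional IPv4 tail.
// Zone identifiers such as '%eth0' are rejected.
function isIpv6(value: string): boolean {
  const halves = value.split('::');
  if (halves.length > 2) return false; // more than one '::'
  const groups: string[] = [];
  for (const half of halves) {
    if (half !== '') groups.push(...half.split(':'));
  }
  let count = groups.length;
  const last = groups[groups.length - 1];
  if (last !== undefined && last.indexOf('.') !== -1) {
    if (!isIpv4(last)) return false;
    groups.pop();
    count += 1; // an embedded IPv4 tail fills two 16-bit groups
  }
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  // '::' stands for at least one zero group; without it all 8 are required.
  return halves.length === 2 ? count <= 7 : count === 8;
}

function classifySourceIp(value: string): SourceIpKind {
  if (value === TEST_INVOKE_SOURCE_IP) return 'test-invoke';
  if (isIpv4(value)) return 'ipv4';
  if (isIpv6(value)) return 'ipv6';
  return 'invalid';
}

// AppSync identities carry sourceIp as an array: accept only if every entry
// is a real address (the Test Invoke placeholder is REST API specific).
function isValidSourceIpList(values: string[]): boolean {
  return values.every((v) => {
    const kind = classifySourceIp(v);
    return kind === 'ipv4' || kind === 'ipv6';
  });
}
```

The addresses used to exercise it should come from documentation ranges such as `203.0.113.0/24` and `2001:db8::/32`.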
